[Dovecot] Problem with passwords surrounded by curly braces
Hello,
one of my users set his password to something surrounded by curly braces, and promptly all access to his mailbox was refused. After looking through the logs I found an entry "Unknown password scheme xxxx", where "xxxx" is the user's password, but without the curly braces. I then browsed through the documentation and there was explained that it is possible to prefix the password with the password scheme in curly braces, like "{PLAIN}xxxx" where xxxx is the password itself.
Manually altering the users password in the database to "{PLAIN}xxxx" (where "xxxx" is the user's password WITH curly braces) fixed this problem for me at this time, but the time a user chooses such a strange password I would have to edit the table again. So in my opinion the {SCHEME}-prefix is not a useful thing. Why would anyone need it, anyway? Shouldn't all passwords have the same scheme which is set in the dovecot.conf file once?
If the feature is indeed used: with a database lookup it should be replaced by an optional database field or, if that's not possible, it should be possible to disable this feature from the config file.
Frank
Frank Kintrup wrote:
I would have to edit the table again. So in my opinion the {SCHEME}-prefix is not a useful thing. Why would anyone need it, anyway? Shouldn't all passwords have the same scheme which is set in the dovecot.conf file once?
Sometimes one has to import the user data from some legacy system using a different scheme than the one you'd like to use. Believe me, it is really useful for anyone migrating from legacy systems :)
Przemyslaw
On Mon, 2008-01-07 at 23:59 +0100, Frank Kintrup wrote:
Manually altering the users password in the database to "{PLAIN}xxxx" (where "xxxx" is the user's password WITH curly braces) fixed this problem for me at this time, but the time a user chooses such a strange password I would have to edit the table again. So in my opinion the {SCHEME}-prefix is not a useful thing. Why would anyone need it, anyway? Shouldn't all passwords have the same scheme which is set in the dovecot.conf file once?
Often they are, but there are installations which use multiple schemes. For example otherwise it would be pretty much impossible to change a scheme for an existing installation.
If the feature is indeed used: with a database lookup it should be replaced by an optional database field or, if that's not possible, it should be possible to disable this feature from the config file.
It's possible since v1.0.8. I guess I should write about this to wiki as well:
+ Authentication: Added "password_noscheme" field that can be used
instead of "password". "password" treats "{prefix}" as a password
scheme while "password_noscheme" treats it as part of the password
itself. So "password_noscheme" should be used if you're storing
passwords as plaintext. Non-plaintext passwords never begin
with "{", so this isn't a problem with them.On Mon, 7 Jan 2008, Frank Kintrup wrote:
Hello,
one of my users set his password to something surrounded by curly braces, and promptly all access to his mailbox was refused. After looking through the logs I found an entry "Unknown password scheme xxxx", where "xxxx" is the user's password, but without the curly braces. I then browsed through the documentation and there was explained that it is possible to prefix the password with the password scheme in curly braces, like "{PLAIN}xxxx" where xxxx is the password itself.
Manually altering the users password in the database to "{PLAIN}xxxx" (where "xxxx" is the user's password WITH curly braces) fixed this problem for me at this time, but the time a user chooses such a strange password I would have to edit the table again. So in my opinion the {SCHEME}-prefix is not a useful thing. Why would anyone need it, anyway? Shouldn't all passwords have the same scheme which is set in the dovecot.conf file once?
If the feature is indeed used: with a database lookup it should be replaced by an optional database field or, if that's not possible, it should be possible to disable this feature from the config file.
Frank
Regardless of how secure your password file/database might be, it seems like a bad idea to enter users' passwords in plain text. Use something else. With the other schemes it's at least a huge annoyance for an attacker to recover a password. But, you can still easily set the passwords to known values as an administrator. (That's the whole point of a one-way hash like 'crypt' or 'MD5'.)
Best, Ben
participants (4)
-
Benjamin R. Haskell
-
Frank Kintrup
-
Przemyslaw Wegrzyn
-
Timo Sirainen