Password database - external verification
Hi all,
I'm currently using a PostgreSQL database for my user/password db, directly from dovecot. The trouble with that is that I'm stuck with whatever hash algorithms dovecot supports - which IIRC means (a subset of?) what libc has been compiled with, which can be a bit restrictive.
So I'd like to use an external tool, which would also let me integrate other applications (eg web apps).
PAM seems to be most suited to sharing accounts with the OS, which isn't what I want.
BSDAuth likewise, but I'm not using BSD.
CheckPassword looks like a somewhat convoluted protocol, but maybe the best bet?
IMAP - well, that's circular :-)
OAuth2 looks possible, but seems to be focused on http?
Any suggestions? And recommended implementations?
How hard is it to add extra methods?
Thanks, Richard
On 10/05/19 10:10 AM, Richard Hector via dovecot wrote:
> Hi all,
> I'm currently using a PostgreSQL database for my user/password db, directly from dovecot. The trouble with that is that I'm stuck with whatever hash algorithms dovecot supports - which IIRC means (a subset of?) what libc has been compiled with, which can be a bit restrictive.
> So I'd like to use an external tool, which would also let me integrate other applications (eg web apps).
> PAM seems to be most suited to sharing accounts with the OS, which isn't what I want.
> BSDAuth likewise, but I'm not using BSD.
> CheckPassword looks like a somewhat convoluted protocol, but maybe the best bet?
> IMAP - well, that's circular :-)
> OAuth2 looks possible, but seems to be focused on http?
> Any suggestions? And recommended implementations?
> How hard is it to add extra methods?
No tips?
Are my requirements/preferences quite unusual?
Am I asking a silly question?
Am I misunderstanding/exaggerating the limitations of dovecot's/libc's algorithms?
Thanks, Richard
On 16.5.2019 4.43, Richard Hector via dovecot wrote:
> On 10/05/19 10:10 AM, Richard Hector via dovecot wrote:
>> Hi all,
>> I'm currently using a PostgreSQL database for my user/password db, directly from dovecot. The trouble with that is that I'm stuck with whatever hash algorithms dovecot supports - which IIRC means (a subset of?) what libc has been compiled with, which can be a bit restrictive.
In 2.3 you can also choose BLF-CRYPT (bcrypt), and if compiled with it, you can also use ARGON2. So you are not limited to glibc only.
>> So I'd like to use an external tool, which would also let me integrate other applications (eg web apps).
>> PAM seems to be most suited to sharing accounts with the OS, which isn't what I want.
>> BSDAuth likewise, but I'm not using BSD.
>> CheckPassword looks like a somewhat convoluted protocol, but maybe the best bet?
>> IMAP - well, that's circular :-)
>> OAuth2 looks possible, but seems to be focused on http?
>> Any suggestions? And recommended implementations?
>> How hard is it to add extra methods?
LDAP is most often used by customers. oauth2 requires client-side support too, although since 2.3.6 you can also use oauth2 with "password grant". You can use LUA passdb if you really need something exotic, although then you need to write your own.
Aki
> No tips?
> Are my requirements/preferences quite unusual?
> Am I asking a silly question?
> Am I misunderstanding/exaggerating the limitations of dovecot's/libc's algorithms?
> Thanks, Richard
participants (2): Aki Tuomi, Richard Hector
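An added example, not code from the thread or from Dovecot: a minimal verifier for the classic checkpassword interface the question mentions, with the hash check done in the script so the algorithm is the application's choice. The user table, the `salt$hash` record format and the use of scrypt are assumptions made for illustration.

```python
import hashlib, hmac, os, sys

def scrypt_hash(password: bytes, salt: bytes) -> bytes:
    # scrypt stands in for whichever algorithm the shared user table uses.
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def make_record(password: bytes, salt: bytes) -> str:
    # Hypothetical storage format: hex(salt) "$" hex(hash)
    return salt.hex() + "$" + scrypt_hash(password, salt).hex()

# Constructed sample data; a real script would query the PostgreSQL table.
USERS = {"richard@example.org": make_record(b"correct horse", bytes(range(16)))}
DUMMY = make_record(b"x", b"\0" * 16)  # hashed for unknown users to even out timing

def parse_request(data: bytes):
    # File descriptor 3 carries: username NUL password NUL timestamp NUL
    fields = data.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8"), fields[1]

def verify(record: str, password: bytes) -> bool:
    salt_hex, want_hex = record.split("$")
    got = scrypt_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(got, bytes.fromhex(want_hex))

def check(data: bytes, users=USERS) -> int:
    """Exit status: 0 accepted, 1 rejected, 2 malformed input."""
    try:
        user, password = parse_request(data)
    except ValueError:  # also covers UnicodeDecodeError
        return 2
    ok = verify(users.get(user, DUMMY), password)
    return 0 if (user in users and ok) else 1

def main() -> None:
    with os.fdopen(3, "rb") as fd:
        status = check(fd.read(512))
    if status != 0 or len(sys.argv) < 2:
        sys.exit(status or 2)
    # On success, run the follow-up program passed as arguments.
    os.execvp(sys.argv[1], sys.argv[1:])

if __name__ == "__main__":
    main()
```

Dovecot's checkpassword documentation describes the environment variables its reply program expects from the script; those are left out here.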