[Dovecot] Very Complex Master Password Challenge
This might require adding some new code to Dovecot to pull this off. But it would be extremely powerful if I could get this to work. Here's the situation.
Having a master password is great for helping users and doing tech support. But - suppose I'm hosting many domains and I want to create master passwords for each domain separately so that the owners of the domain can log in as any user within that domain?
Here's the way I have things set up. I have a directory of passwd/shadow pairs for each domain as follows:
/etc/vmail/passwd.domain1.com
/etc/vmail/shadow.domain1.com
/etc/vmail/passwd.domain2.com
/etc/vmail/shadow.domain2.com
Additionally I have a master domain used for management of the other domains. The master domain is an email account for each domain under the domain junkemailfilter.net.
domain1.com@junkemailfilter.net
domain2.com@junkemailfilter.net
The password and shadow files are like the others:
/etc/vmail/passwd.junkemailfilter.net /etc/vmail/shadow.junkemailfilter.net
So - the idea is that the owners of the domain have access to the email accounts on junkemailfilter.net and what I'm hoping to do is that they can use this as the master password for their domain only. Example:
domain1.com@junkemailfilter.net
domain2.com@junkemailfilter.net
I suppose that the master password feature needs another new feature to limit the scope of what it is allowed to be a master password for. Something perhaps like:
passdb passwd-file {
  # Path for passwd-file
  args = /etc/vmail/shadow.junkemailfilter.net
  master = yes
  scope = *@%u
}
In the above example "%u" is the user part of the master password. So that master user would be, for example, "domain1.com@junkemailfilter.net" and it would be the master password only for users of domain1.com and not domain2.com.
So - if you can follow this - then you will see that this would be a really cool feature to have. And - I'm guessing that it might be easy to implement.
On Wed, 2006-04-12 at 16:16 -0700, Marc Perkel wrote:
> Having a master password is great for helping users and doing tech support. But - suppose I'm hosting many domains and I want to create master passwords for each domain separately so that the owners of the domain can log in as any user within that domain?
How about if you used checkpassword as passdb? You can build your own script which checks the authentication databases and checks that the master user is valid. Dovecot gives the master user to checkpassword via MASTER_USER environment.
As for a more complex solution, I don't think it'll happen until more people start bugging me about it, and even then not before v1.0 :)
participants (2)
- Marc Perkel
- Timo Sirainen
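The per-domain scope check that a checkpassword script could apply to MASTER_USER, as an added example (not code from the thread or from Dovecot). The function names are hypothetical. It assumes the user name in the checkpassword record is the account being logged in to, and it adds two policy choices not stated in the thread: domains must match exactly, and no master login is accepted for the management domain itself.

```python
#!/usr/bin/env python3
"""Scope gate for a checkpassword passdb script (added illustration)."""

MGMT_DOMAIN = "junkemailfilter.net"  # management domain named in the thread
DENY, CONTINUE = 1, 0  # 1 is the checkpassword "authentication failed" status

def split_addr(addr):
    """Return (local, domain) lower-cased, or None if either part is empty."""
    local, at, domain = addr.strip().lower().rpartition("@")
    return (local, domain) if at and local and domain else None

def master_in_scope(master_user, login_user, mgmt_domain=MGMT_DOMAIN):
    """True only if master is <domain>@mgmt_domain and login_user is in <domain>."""
    master, login = split_addr(master_user), split_addr(login_user)
    if master is None or login is None:
        return False
    scope, master_domain = master
    if master_domain != mgmt_domain:
        return False  # only management accounts may act as masters
    if scope == mgmt_domain:
        return False  # assumption: nobody masters the management domain itself
    return login[1] == scope  # exact match: no suffix or subdomain matching

def parse_record(data):
    """checkpassword input on fd 3: user NUL password NUL timestamp NUL."""
    fields = data.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword record")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")

def scope_gate(record, environ):
    """DENY an out-of-scope master login. CONTINUE only means the scope is
    acceptable: the caller must still verify the password before accepting."""
    login_user, _password = parse_record(record)
    master_user = environ.get("MASTER_USER")
    if master_user is None:
        return CONTINUE  # ordinary login, nothing to scope
    return CONTINUE if master_in_scope(master_user, login_user) else DENY

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    env = {"MASTER_USER": "domain1.com@junkemailfilter.net"}
    for user in ("bob@domain1.com", "bob@domain2.com", "bob@evildomain1.com"):
        record = user.encode() + b"\0master-secret\0\0"
        verdict = "continue" if scope_gate(record, env) == CONTINUE else "deny"
        print(user, "->", verdict)
```

A real script would read the record from file descriptor 3 and, after a CONTINUE, verify the supplied password against the master's entry in /etc/vmail/shadow.junkemailfilter.net before running the reply program.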