Tip: update dovecot MD5 password from PAM
This is a PAM module that listens for password changes, and will update the MD5 password for a user, in a file that dovecot can read, when the user's password is changed: https://github.com/steinarb/pam_dovecotmd5pwd
Caveat emptor! (Works for me...! :-) )
On 2017-03-25 17:54, Steinar Bang wrote:
This is a PAM module that listens for password changes, and will update the MD5 password for a user, in a file that dovecot can read, when the user's password is changed: https://github.com/steinarb/pam_dovecotmd5pwd
Caveat emptor! (Works for me...! :-) )
Maybe you could update the PAM module to upgrade users' passwords to something safer than MD5? Like SSHA512 or CRYPT-SHA512? =)
Aki
Aki Tuomi aki.tuomi@dovecot.fi:
On 2017-03-25 17:54, Steinar Bang wrote:
This is a PAM module that listens for password changes, and will update the MD5 password for a user, in a file that dovecot can read, when the user's password is changed: https://github.com/steinarb/pam_dovecotmd5pwd
Caveat emptor! (Works for me...! :-) )
Maybe you could update the PAM module to upgrade users' passwords to something safer than MD5? Like SSHA512 or CRYPT-SHA512? =)
Is it possible to do CRAM[1] with any of these encryption methods? And, if so: are these encryption methods widely supported by clients?
The essential part for me was to have something widely supported by clients, where the password isn't transferred over the wire as part of the authentication.
The last time I looked cram-md5 was the only candidate for not transferring the password in cleartext during authentication (and with dovecot cram-md5 requires a special passwd file, which is why I wrote this pam module in the first place).
References: [1] https://en.wikipedia.org/wiki/Challenge–response_authentication
On March 26, 2017 at 2:24 PM Steinar Bang sb@dod.no wrote:
Aki Tuomi aki.tuomi@dovecot.fi:
On 2017-03-25 17:54, Steinar Bang wrote:
This is a PAM module that listens for password changes, and will update the MD5 password for a user, in a file that dovecot can read, when the user's password is changed: https://github.com/steinarb/pam_dovecotmd5pwd
Caveat emptor! (Works for me...! :-) )
Maybe you could update the PAM module to upgrade users' passwords to something safer than MD5? Like SSHA512 or CRYPT-SHA512? =)
Is it possible to do CRAM[1] with any of these encryption methods? And, if so: are these encryption methods widely supported by clients?
The essential part for me was to have something widely supported by clients, where the password isn't transferred over the wire as part of the authentication.
The last time I looked cram-md5 was the only candidate for not transferring the password in cleartext during authentication (and with dovecot cram-md5 requires a special passwd file, which is why I wrote this pam module in the first place).
References: [1] https://en.wikipedia.org/wiki/Challenge–response_authentication
Is there some reason you cannot protect your users with TLS/SSL? Using CRAM-MD5 is not a very secure option, since you have to store the password in clear text. Plain MD5 is almost plaintext these days.
Aki
Aki Tuomi aki.tuomi@dovecot.fi:
Is there some reason you cannot protect your users with TLS/SSL?
I do use SSL. I don't understand what that has to do with the preference of CRAM-MD5 over plain text auth?
Using CRAM-MD5 is not a very secure option, since you have to store the password in clear text. Plain MD5 is almost plaintext these days.
I worry less about the security of a password stored in a local file compared to the security of transferring the same password in cleartext over the wire, SSL or not.
As for alternatives, google found me SCRAM-SHA-1[1] which is supported by dovecot[2], but google couldn't find me any imap clients supporting it.
Kerberos (also listed among the alternatives) would have been really neat, unfortunately private networks and NATing breaks things for Kerberos... maybe IPv6 will revitalize Kerberos...? One can hope.
References: [1] https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mecha... [2] http://wiki2.dovecot.org/Authentication/Mechanisms#Non-plaintext_authenticat...
On 26.03.2017 at 19:22, Steinar Bang wrote:
I worry less about the security of a password stored in a local file compared to the security of transferring the same password in cleartext over the wire, SSL or not.
A TLS secured communication ensures that authentication credentials aren't transmitted in plaintext, even if the SASL mechanism is PLAIN. So ensure that the certificates are validated and secure ciphers are used and you are on the safe side.
Why would you discredit TLS/SSL? That's not rational.
Basically it is bad practice to store credentials in plaintext on a server. Thus shared-secret mechanisms like CRAM-MD5 are not really a good choice.
Alexander
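The two mechanisms being weighed in Steinar's and Alexander's messages, CRAM-MD5 and PLAIN over TLS, as an added Python example (not code from the thread, the PAM module or dovecot). The RFC 2195 round trip shows why the server must keep a password-equivalent secret for CRAM-MD5, while the PLAIN path can verify against a salted one-way hash; PBKDF2-HMAC-SHA512 is assumed here as a stand-in for dovecot's CRYPT-SHA512, and all user and password values are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

# CRAM-MD5 (RFC 2195): the password never crosses the wire, but the server
# must hold the plaintext password (or an HMAC-MD5 context made from it).

def make_challenge(hostname: str) -> bytes:
    """Server side: a unique, unpredictable challenge <random.timestamp@host>."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode()

def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()

def cram_md5_verify(secrets_db: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest; needs the stored plaintext password."""
    try:
        user, digest = response.decode().split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    password = secrets_db.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# PLAIN over TLS: the password crosses the (encrypted) wire, so the server can
# keep only a salted, one-way hash. PBKDF2-HMAC-SHA512 stands in for CRYPT-SHA512.

def hash_password(password: str, salt: bytes = b"") -> str:
    """Store 'salthex$dkhex'; nothing here lets a thief answer a challenge."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)
    return f"{salt.hex()}${dk.hex()}"

def plain_verify(hash_db: dict, username: str, password: str) -> bool:
    """Server side for PLAIN: rehash the presented password and compare."""
    stored = hash_db.get(username)
    if stored is None:
        return False
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The CRAM-MD5 secrets file is exactly as sensitive as the passwords themselves, which is the trade-off the thread is arguing about.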
It is a jolly bad idea to use the same password for both email and system access.
On TLS+plaintext, if your passwords are slurped by a python script, all accounts are compromised. Congratulations, the NSA will love you. On the other side of the ocean, however, there are European states where you must disclose the fact, or go to jail.
(I tried to protect dovecot passwords with bcrypt, but the mail clients refused it.)
Sent from ProtonMail Mobile
On 27.03.2017 01:13, Ruga wrote:
It is a jolly bad idea to use the same password for both email and system access.
On TLS+plaintext, if your passwords are slurped by a python script, all accounts are compromised. Congratulations, the NSA will love you. On the other side of the ocean, however, there are European states where you must disclose the fact, or go to jail.
(I tried to protect dovecot passwords with bcrypt, but the mail clients refused it.)
Uh, what? Mail clients do not see how you are storing passwords locally.
Sent from ProtonMail Mobile
Aki
Right. But that's what I experienced.
The next experiment is scheduled in two weeks... I will keep notes and logs for you.
Sent from ProtonMail Mobile
On Mon, Mar 27, 2017 at 2:21 PM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
On 27.03.2017 01:13, Ruga wrote:
It is a jolly bad idea to use the same password for both email and system access.
On TLS+plaintext, if your passwords are slurped by a python script, all accounts are compromised. Congratulations, the NSA will love you. On the other side of the ocean, however, there are European states where you must disclose the fact, or go to jail.
(I tried to protect dovecot passwords with bcrypt, but the mail clients refused it.)
Uh, what? Mail clients do not see how you are storing passwords locally.
Sent from ProtonMail Mobile
Aki
This is nonsense. You made a mistake in your configuration.
Before you try again next time, you should probably discuss your plan with the list to make sure you're on the right track.
Good luck,
Doug
On 03/26/2017 03:13 PM, Ruga wrote:
(I tried to protect dovecot passwords with bcrypt, but the mail clients refused it.)
participants (5): Aki Tuomi, Alexander Dalloz, Doug Barton, Ruga, Steinar Bang