Hi,
From what I understood from the archive and from my tests, we cannot have multiple passwords for a given account. (I get the error: Password query returned multiple matches) But it looks like it can be done via a PAM module. Has anyone succeeded in setting up multiple passwords with PAM or any other method with a SQL backend?
Regards,
Aubry
On 26/07/2024 17:57 EEST Aubry via dovecot <dovecot@dovecot.org> wrote:
> Hi,
> From what I understood from the archive and from my tests, we cannot have multiple passwords for a given account. (I get the error: Password query returned multiple matches) But it looks like it can be done via a PAM module. Has anyone succeeded in setting up multiple passwords with PAM or any other method with a SQL backend?
> Regards,
> Aubry
In a pinch, you could use lua passdb. Just remember to set it as blocking. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...
Aki
Hi,
On 2024/07/26 17:31, Aki Tuomi via dovecot wrote:
> On 26/07/2024 17:57 EEST Aubry via dovecot <dovecot@dovecot.org> wrote:
>> Hi,
>> From what I understood from the archive and from my tests, we cannot have multiple passwords for a given account. (I get the error: Password query returned multiple matches) But it looks like it can be done via a PAM module. Has anyone succeeded in setting up multiple passwords with PAM or any other method with a SQL backend?
We don't do multiple passwords, but in theory you could by passing the password to the query such that the query can determine which (if any) password to return :).
Kind regards, Jaco
On 28/07/24 00:49, Jaco Kroon via dovecot wrote:
>> From what I understood from the archive and from my tests, we cannot have multiple passwords for a given account. (I get the error: Password query returned multiple matches) But it looks like it can be done via a PAM module. Has anyone succeeded in setting up multiple passwords with PAM or any other method with a SQL backend?
> We don't do multiple passwords, but in theory you could by passing the password to the query such that the query can determine which (if any) password to return :).
Indeed using the method documented here you should be able to do exactly that:
https://doc.dovecot.org/configuration_manual/authentication/sql/#password-ve...
This should work with password hashes as well so long as your SQL server has an appropriate function to generate the hash from the passed password (%w) and then compare it to the stored hash.
Peter
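[Added example, not part of any message in this thread and not Dovecot's or any participant's code.] The approach discussed above, run against an in-memory SQLite database: a lookup by username alone returns one row per stored password, while a query that also receives the supplied password returns at most one row. The table app_passwords, its columns, the verify_pw SQL function and the hash format are assumptions made for this example; in a Dovecot password_query the supplied password is %w and the comparison would use the SQL server's own hash function.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 50_000  # assumption for this example

def make_hash(password: str) -> str:
    """Salted PBKDF2 hash stored as 'salt_hex$digest_hex' (assumed format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_pw(password: str, stored: str) -> int:
    """Plays the role of the SQL server's hash-and-compare function."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return int(hmac.compare_digest(digest.hex(), digest_hex))

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.create_function("verify_pw", 2, verify_pw)
    db.execute("CREATE TABLE app_passwords (userid TEXT, label TEXT, pw_hash TEXT)")
    # Constructed sample data: one account with two application passwords.
    db.executemany("INSERT INTO app_passwords VALUES (?, ?, ?)", [
        ("aubry@example.org", "phone", make_hash("phone-secret")),
        ("aubry@example.org", "laptop", make_hash("laptop-secret")),
    ])
    return db

# Returns one row per stored password: the "multiple matches" situation.
NAIVE_QUERY = "SELECT pw_hash AS password FROM app_passwords WHERE userid = ?"

# The supplied password (%w in a Dovecot password_query) is part of the WHERE
# clause, so only a row whose hash matches can come back.
VERIFYING_QUERY = (
    "SELECT NULL AS password, 'Y' AS nopassword, userid AS user "
    "FROM app_passwords WHERE userid = ? AND verify_pw(?, pw_hash) = 1 LIMIT 1"
)

def naive_lookup(db, userid):
    return db.execute(NAIVE_QUERY, (userid,)).fetchall()

def authenticate(db, userid, password):
    row = db.execute(VERIFYING_QUERY, (userid, password)).fetchone()
    return row is not None
```

With this design the plaintext password is sent to the SQL server inside every lookup, so the database connection and any query logging need to be treated as carrying credentials.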
Thank you for your answer.
I tried it and it works that way.
Cheers
Aubry
On Wed, 2024-08-14 at 18:08 +1200, Peter via dovecot wrote:
> On 28/07/24 00:49, Jaco Kroon via dovecot wrote:
>>> From what I understood from the archive and from my tests, we cannot have multiple passwords for a given account. (I get the error: Password query returned multiple matches) But it looks like it can be done via a PAM module. Has anyone succeeded in setting up multiple passwords with PAM or any other method with a SQL backend?
>> We don't do multiple passwords, but in theory you could by passing the password to the query such that the query can determine which (if any) password to return :).
> Indeed using the method documented here you should be able to do exactly that:
> https://doc.dovecot.org/configuration_manual/authentication/sql/#password-ve...
> This should work with password hashes as well so long as your SQL server has an appropriate function to generate the hash from the passed password (%w) and then compare it to the stored hash.
> Peter
Hello @Aubry, you are correct that multiple passwords for a single account can be tricky with standard setups, as you have encountered the multiple matches error. Using a PAM module could be a solution, as it might allow for handling multiple passwords more flexibly.
Hello @Aubry, according to me you can potentially configure custom modules to handle multiple passwords, but this requires some advanced setup and scripting. You can consider these: Custom PAM Modules, Alternate Authentication Methods, Consult Documentation and Forums.
I did this using a SQL database (MySQL) as I wanted to have roundcube webmail with 2FA, but use separate passwords for clients connecting to imap/submission directly. Otherwise, 2FA on only roundcube is a bit pointless if the same credentials can still be used via IMAP without 2FA.
I was inspired by the roundcube ap4rc plugin[1], but it requires a separate username to be created for each device and was kinda awkward to use in practice.
I forked it and added some new username formats: "Format 2" is the email address or same username everywhere.
The key part of it is the Dovecot Auth/SQL dict config:-
https://github.com/listerr/ap4rc/blob/main/README_DOVECOT.md#auth-config-exa...
The example under format 2 first tries the username/pw in a static passwd file for use with roundcube only, then if this fails, tries looking it up in sql for the application specific passwords.
In reality I use SQL for both rather than a static file; the SQL query is a bit more complicated.
[1] https://github.com/openSUSE/ap4rc
On 2024-07-26 15:57, Aubry via dovecot wrote:
> Hi,
> From what I understood from the archive and from my tests, we cannot have multiple passwords for a given account. (I get the error: Password query returned multiple matches) But it looks like it can be done via a PAM module. Has anyone succeeded in setting up multiple passwords with PAM or any other method with a SQL backend?
-- Rob Lister rob@lonap.net +44 20 3137 8330
participants (6): Aki Tuomi, Aubry, Jaco Kroon, leoniemeeyr@gmail.com, Peter, Rob Lister