[Dovecot] Digest-MD5 and GSSAPI not working in beta3
Casey Allen Shobe
lists at seattleserver.com
Fri Feb 24 16:49:22 EET 2006
On Friday 24 February 2006 13:41, Timo Sirainen wrote:
> On Fri, 2006-02-24 at 13:19 +0000, Casey Allen Shobe wrote:
> > auth(default): digest-md5(kc at xxxx.com,71.113.119.162): password mismatch
>
> Set auth_debug_passwords=yes and see what it prints.
FWIW, I tried that first without the patch you sent before. Then I saw the
realm problem:
auth(default): client in:
AUTH_1_DIGEST-MD5_service=IMAP_lip=205.234.78.135_rip=71.113.119.162
auth(default): client out:
CONT_1_bm9uY2U9IjRjcUQvRjZhUzJ6UVY3ZGpvSElSMVE9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=
auth(default): client in:
CONT_1_dXNlcm5hbWU9ImtjQHNrOHJsYW5kLmNvbSIscmVhbG09ImltYXAuc2s4cmxhbmQuY29tIixub25jZT0iNGNxRC9GNmFTMnpRVjdkam9ISVIxUT09Iixjbm9uY2U9Inh0bFFKa2oycHYvYVQvd3JFT2hUMnpDN3Y5empHWXlHZ0JvQ0lYMCs1aGs9IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJpbWFwL2ltYXAuc2s4cmxhbmQuY29tIixyZXNwb25zZT01ZDNmNmFhOThiN2EyMmU5NDQ4ZmU3NTdiMTk4NzkwZA==
auth(default): digest-md5(?,71.113.119.162): Invalid realm
auth(default): client out: FAIL_1
imap-login: Disconnected: method=DIGEST-MD5, rip=71.113.119.162,
lip=205.234.78.135
So I tried with the patched version, and see this:
auth(default): client in:
AUTH_1_DIGEST-MD5_service=IMAP_lip=205.234.78.135_rip=71.113.119.162
auth(default): client out:
CONT_1_cmVhbG09IiIsbm9uY2U9IkRWQm5MWXhsemxhLzBoSjF0RXdFc1E9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=
auth(default): client in:
CONT_1_dXNlcm5hbWU9ImtjQHNrOHJsYW5kLmNvbSIscmVhbG09IiIsbm9uY2U9IkRWQm5MWXhsemxhLzBoSjF0RXdFc1E9PSIsY25vbmNlPSJNNzFxaGgxbGRWNkFLb1UzM0d5Sk5XY1J2VnI5ak5jaFU1akQ4TUZkWHJRPSIsbmM9MDAwMDAwMDEscW9wPWF1dGgsZGlnZXN0LXVyaT0iaW1hcC9pbWFwLnNrOHJsYW5kLmNvbSIscmVzcG9uc2U9NTQ0OTE0OTNjOTIxOWY3ODQ1NDRhYTIwZTIxNjUyZjc=
auth(default): sql(kc at sk8rland.com,71.113.119.162): query: select "user",
"password" from "users" where "user" = 'kc at sk8rland.com'
auth(default): digest-md5(kc at sk8rland.com,71.113.119.162): password mismatch
auth(default): client out: FAIL_1_user=kc at sk8rland.com
imap-login: Disconnected: user=<kc at sk8rland.com>, method=DIGEST-MD5,
rip=71.113.119.162, lip=205.234.78.135
> You could also try manually to get the crypted password and see why it goes
> wrong:
> dovecotpw -u kc at xxxx.com -s digest-md5
# dovecotpw -u kc at sk8rland.com -s digest-md5
Enter new password: <type my password here>
Retype new password: <type my password here>
{DIGEST-MD5}bc077aef5e9d4a3527e9d21a7d527802
> If that doesn't print the same value as what you see in logs, try with
> -u kc.
Erm, I'm not sure what to look for in the logs, so what the hey:
# dovecotpw -u kc -s digest-md5
Enter new password:
Retype new password:
{DIGEST-MD5}8ac1882cb154c9c59bfa38111abf8316
> This is because with Digest-MD5 the password hash is built from both
> username and password, and they both must match exactly. Hmm. Now that I
> think of it, this breaks aliases. I guess I'll fix this also. Patch
> included in attachment, does this help either?
With new patch, got this:
auth(default): client in:
AUTH_1_DIGEST-MD5_service=IMAP_lip=205.234.78.135_rip=71.113.119.162
auth(default): client out:
CONT_1_cmVhbG09IiIsbm9uY2U9IkdmSytqOHJPbVU1aUJJYWo5ZEMwMXc9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=
auth(default): client in:
CONT_1_dXNlcm5hbWU9ImtjQHNrOHJsYW5kLmNvbSIscmVhbG09IiIsbm9uY2U9IkdmSytqOHJPbVU1aUJJYWo5ZEMwMXc9PSIsY25vbmNlPSJHNVpvY1J6eVRPYnprSXpHM0pSNEh1c2hXV2hvN29qUUduNDV2K0MzZnZjPSIsbmM9MDAwMDAwMDEscW9wPWF1dGgsZGlnZXN0LXVyaT0iaW1hcC9pbWFwLnNrOHJsYW5kLmNvbSIscmVzcG9uc2U9MzJmYzhmYjdiNWZmODk1ODkwZDIxNDUyZjZmYWM3MjI=
auth(default): sql(kc at sk8rland.com,71.113.119.162): query: select "user",
"password" from "users" where "user" = 'kc at sk8rland.com'
auth(default): digest-md5(kc at sk8rland.com,71.113.119.162): password mismatch
auth(default): client out: FAIL_1_user=kc at sk8rland.com
imap-login: Disconnected: user=<kc at sk8rland.com>, method=DIGEST-MD5,
rip=71.113.119.162, lip=205.234.78.135
> So it's not even trying to log in with GSSAPI. You did add it to
> mechanisms list, right? And it gets advertised in Dovecot's capability
> reply?
Connected to a.mx.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT
LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS AUTH=PLAIN
AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=GSSAPI]
SeattleServer.com IMAP ready.
2 capability
* CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+
IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS AUTH=PLAIN AUTH=LOGIN
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=GSSAPI
2 OK Capability completed.
root at patos.seattleserver.com:/home/root/dovecot-1.0.beta3
# grep 'mechanisms =' /etc/dovecot.conf
mechanisms = plain login digest-md5 cram-md5 ntlm gssapi
--
Casey Allen Shobe | cshobe at seattleserver.com | 206-381-2800
SeattleServer.com, Inc. | http://www.seattleserver.com
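
Added example, not part of the original message and not Dovecot's code: a small checker that decodes the base64 payload of a `CONT_<id>_` auth debug line and recomputes the RFC 2831 DIGEST-MD5 response from a stored hash, showing why a hash built from a different username or realm than the client sent ends in "password mismatch". The sample reply uses the values of the IMAP example in RFC 2831 section 4 (password "secret"), not this thread's logs; the function names are hypothetical.

```python
import base64, hashlib, hmac, re

def parse_directives(b64):
    """Decode the base64 after 'CONT_<id>_' into a dict of DIGEST-MD5 directives."""
    text = base64.b64decode(b64).decode("utf-8")
    pairs = re.findall(r'([\w-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))', text)
    return {key: quoted or bare for key, quoted, bare in pairs}

def stored_hash(username, realm, password):
    """Raw MD5(username:realm:password), the long-term secret of RFC 2831."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def expected_response(secret, d):
    """RFC 2831 response value for qop=auth with no authzid."""
    a1 = secret + f":{d['nonce']}:{d['cnonce']}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{d['digest-uri']}".encode("utf-8")).hexdigest()
    kd = f"{ha1}:{d['nonce']}:{d['nc']}:{d['cnonce']}:{d['qop']}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()

def verify(secret, d):
    """Constant-time comparison of the recomputed response with the client's."""
    return hmac.compare_digest(expected_response(secret, d), d["response"])

# Sample client reply built from the RFC 2831 section 4 IMAP example,
# base64-wrapped here the way the auth debug log shows it.
SAMPLE = base64.b64encode(
    b'charset=utf-8,username="chris",realm="elwood.innosoft.com",'
    b'nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",'
    b'digest-uri="imap/elwood.innosoft.com",'
    b'response=d388dad90d4bbd760a152321f2143af7,qop=auth').decode("ascii")

if __name__ == "__main__":
    d = parse_directives(SAMPLE)
    print("client sent username=%r realm=%r" % (d["username"], d["realm"]))
    # Same password each time; only the username/realm used for the hash differs.
    candidates = [("chris", "elwood.innosoft.com"),
                  ("chris", ""),
                  ("chris@elwood.innosoft.com", "")]
    for user, realm in candidates:
        secret = stored_hash(user, realm, "secret")
        verdict = "match" if verify(secret, d) else "password mismatch"
        print(f"{secret.hex()} user={user!r} realm={realm!r} -> {verdict}")
```
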