[Dovecot] Problem with passwords surrounded by curly braces

Timo Sirainen tss at iki.fi
Tue Jan 8 04:05:34 EET 2008


On Mon, 2008-01-07 at 23:59 +0100, Frank Kintrup wrote:
> Manually altering the user's password in the database to "{PLAIN}xxxx"
> (where "xxxx" is the user's password WITH curly braces) fixed this problem
> for me at this time, but the next time a user chooses such a strange password
> I would have to edit the table again. So in my opinion the {SCHEME}-prefix
> is not a useful thing. Why would anyone need it, anyway? Shouldn't all
> passwords have the same scheme which is set in the dovecot.conf file once?

Often they are, but there are installations which use multiple schemes.
For example otherwise it would be pretty much impossible to change a
scheme for an existing installation.

> If the feature is indeed used: with a database lookup it should be
> replaced by an optional database field or, if that's not possible, it
> should be possible to disable this feature from the config file.

It's possible since v1.0.8. I guess I should write about this to the wiki as
well:

	+ Authentication: Added "password_noscheme" field that can be used
	  instead of "password". "password" treats "{prefix}" as a password
	  scheme while "password_noscheme" treats it as part of the password
	  itself. So "password_noscheme" should be used if you're storing
	  passwords as plaintext. Non-plaintext passwords never begin
	  with "{", so this isn't a problem with them.
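
The difference between the two fields, as an added example that is not part of the original message and is not Dovecot's code: a simplified Python model of the lookup, run over constructed rows. The function names, the "SHA256-HEX" scheme and its encoding, and the rule that an unknown scheme fails authentication are assumptions of the model.

```python
import hashlib
import hmac

def _eq(a, b):
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())

# Two schemes only; the names and encodings are this model's choice.
SCHEMES = {
    "PLAIN": lambda stored, given: _eq(stored, given),
    "SHA256-HEX": lambda stored, given: _eq(
        stored, hashlib.sha256(given.encode()).hexdigest()),
}

def split_scheme(value):
    """Return (scheme, rest) if value starts with "{...}", else (None, value)."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 0:
            return value[1:end], value[end + 1:]
    return None, value

def verify(field, stored, given, default_scheme="PLAIN"):
    """Check `given` against `stored`, returned by the database as `field`."""
    if field == "password":
        # A leading "{prefix}" is read as the scheme name.
        scheme, rest = split_scheme(stored)
        if scheme is None:
            scheme, rest = default_scheme, stored
    elif field == "password_noscheme":
        # The whole value is the password; only the default scheme applies.
        scheme, rest = default_scheme, stored
    else:
        raise ValueError(field)
    check = SCHEMES.get(scheme)
    return check(rest, given) if check else False  # assumption: unknown scheme fails

def demo():
    """Constructed rows: a plaintext password that itself has curly braces."""
    pw = "{secret}"
    hashed = "{SHA256-HEX}" + hashlib.sha256(b"hunter2").hexdigest()
    return {
        "password, raw": verify("password", pw, pw),
        "password, {PLAIN} workaround": verify("password", "{PLAIN}" + pw, pw),
        "password_noscheme, raw": verify("password_noscheme", pw, pw),
        "password_noscheme, old workaround row": verify(
            "password_noscheme", "{PLAIN}" + pw, pw),
        "password, hashed row": verify("password", hashed, "hunter2"),
    }
```

The fourth case shows that rows edited with the "{PLAIN}" workaround stop matching once the column is returned as "password_noscheme", so they have to be reverted when switching.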
