[Dovecot] Authentication cache, failure to login after changed password

Tom Sommer mail at tomsommer.dk
Tue Jan 20 16:40:20 EET 2009


Timo Sirainen wrote:
> On Tue, 2009-01-20 at 09:53 +0100, Tom Sommer wrote:
>   
>> sql(user at example.com,127.0.0.1): query: SELECT username as user, 
>> plainpassword as password, nopassword FROM cyrususers WHERE username = 
>> 'user at example.com' AND password = PASSWORD('SECRET') AND active = 1
>> dovecot: Jan 20 09:01:18 Info: auth-worker(default): 
>> sql(user at example.com,127.0.0.1): unknown user
>>     
> ..
>   
>> It appears the user missed the cache, a SQL lookup is performed (which 
>> returns 1 record, I tested the query directly) - however for some reason 
>> the lookup is set as Unknown User, a state which it then keeps. 
>>     
>
> It's most likely set to unknown user because the password=PASSWORD()
> check fails and no rows are returned. If you're already returning
> plainpassword for Dovecot, why do you do the password check also in the
> SQL query? That doesn't allow Dovecot to differentiate between unknown
> user and invalid password.
>   
No I ran the query manually afterwards and it returned 1 row.
The reason I'm using plainpassword, PASSWORD() and nopassword, etc. is 
because not all users have a plainpassword - yet - as time progresses, more 
and more users will return plainpassword and nopassword=NULL

That's how you fix design flaws without forcing all users to change 
passwords :)

auth_cache_negative_ttl seems like a good source for user flaws (a login attempt before the account is created = you can't log in for 3600 seconds even after the account is valid), gonna go with 0 on all servers.

Thanks
--
Tom Sommer
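Added example (not from the thread, not Dovecot's own documentation): the two password_query shapes discussed above, side by side. The table and column names (cyrususers, username, plainpassword, password, nopassword, active) are taken from the quoted log line; %u and %w are Dovecot's username and plaintext-password variables for password_query, and the {PLAIN} prefix tells Dovecot the returned value is a cleartext password. The behaviour noted in the comments (no row = "unknown user", which the auth cache remembers for auth_cache_negative_ttl seconds; a row with a NULL password and no nopassword = a normal password mismatch) is my understanding of the SQL passdb and should be confirmed against the auth logs on your version.

```sql
-- (1) The query shape from the log above.  The password check lives in
-- WHERE, so a wrong password returns zero rows.  Dovecot cannot tell that
-- apart from a non-existent account: it logs "unknown user" and, with the
-- default auth_cache_negative_ttl = 3600, keeps answering "unknown user"
-- from the cache for an hour even after the password or account is fixed.
SELECT username AS user, plainpassword AS password, nopassword
  FROM cyrususers
 WHERE username = '%u'
   AND password = PASSWORD('%w')
   AND active = 1;

-- (2) Same data, but the row is always returned for an existing, active
-- account, so "unknown user" now only ever means the account is missing.
--   * users already migrated: hand Dovecot the cleartext password and let
--     it do the comparison itself;
--   * legacy users (plainpassword still NULL): the MySQL PASSWORD() hash
--     cannot be verified by Dovecot, so the comparison is done here and,
--     on success, the password the client supplied (%w) is returned so
--     that Dovecot's own check passes; on failure the password column is
--     NULL, which Dovecot rejects as a password mismatch, not as an
--     unknown user, so no negative "unknown user" entry is cached.
-- Assumption: nopassword is NULL for every migrated user, as stated above.
SELECT username AS user,
       CASE
         WHEN plainpassword IS NOT NULL      THEN CONCAT('{PLAIN}', plainpassword)
         WHEN password = PASSWORD('%w')      THEN '{PLAIN}%w'
         ELSE NULL
       END AS password,
       nopassword
  FROM cyrususers
 WHERE username = '%u'
   AND active = 1;
```

Either way, a negative cache entry created by a login attempt against a not-yet-created account still lasts auth_cache_negative_ttl seconds; setting `auth_cache_negative_ttl = 0` in dovecot.conf, as decided above, stops Dovecot from caching "unknown user" at all, at the cost of one database lookup per failed attempt.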

