[Dovecot] Wrong credential caching

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Tue Jul 7 13:50:44 EEST 2009


A user logged in with a capital "L" for his username:

Jul  7 12:30:31 postamt dovecot: auth(default): cache(Loser,10.47.64.227): miss
Jul  7 12:30:31 postamt dovecot: auth(default): shadow(Loser,10.47.64.227): lookup
Jul  7 12:30:31 postamt dovecot: auth(default): shadow(Loser,10.47.64.227): unknown user
Jul  7 12:30:31 postamt dovecot: auth(default): cache(Loser,10.47.64.227): miss
Jul  7 12:30:31 postamt dovecot: auth-worker(default): pam(Loser,10.47.64.227): lookup service=dovecot
Jul  7 12:30:31 postamt dovecot: auth-worker(default): pam(Loser,10.47.64.227): #1/1 style=1 msg=Password: 
Jul  7 12:30:33 postamt dovecot: auth-worker(default): pam(Loser,10.47.64.227): unknown user

Then I told him that he's supposed to use an "l" instead of "L" but:

Jul  7 12:42:01 postamt dovecot: imap-login: Login: user=<loser>, method=PLAIN, rip=10.47.64.227, lip=141.42.4.250, TLS
Jul  7 12:42:02 postamt dovecot: auth(default): client in: ...
Jul  7 12:42:02 postamt dovecot: auth(default): cache(Loser,10.47.64.227): hit: 
Jul  7 12:42:02 postamt dovecot: auth(default): cache(Loser,10.47.64.227): User unknown
Jul  7 12:42:02 postamt dovecot: auth(default): cache(Loser,10.47.64.227): hit: 
Jul  7 12:42:02 postamt dovecot: auth(default): cache(Loser,10.47.64.227): User unknown
Jul  7 12:43:50 postamt dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<Loser>, method=PLAIN, rip=10.47.64.227, lip=141.42.4.250, TLS: Disconnected

I think the auth cache may work case-insensitive, thus making the
"User invalid" response for "Loser" also valid for "loser" (which is
the valid and correct username!)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebrandt at charite.de | http://www.charite.de
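
One way to triage logs like the ones in this message, as an added example that is not part of the original post or of Dovecot: list cache hits whose username differs only in case from a username that logged in successfully. The regular expressions assume the auth debug line format shown above; the function name and SAMPLE (lines copied from the message) are this example's own.

```python
import re
from collections import Counter

# Formats assumed from the log lines quoted in the message above.
CACHE_RE = re.compile(
    r"auth(?:-worker)?\(\w+\): cache\(([^,]+),([^)]+)\): (hit|miss)")
LOGIN_RE = re.compile(r"-login: Login: user=<([^>]*)>")

def case_variant_hits(lines):
    """Return (cached_name, ip, hit_count, [logged_in_names]) for every cache
    hit whose username matches a successful login only after case folding."""
    logged_in = set()
    hits = Counter()
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            logged_in.add(m.group(1))
            continue
        m = CACHE_RE.search(line)
        if m and m.group(3) == "hit":
            hits[(m.group(1), m.group(2))] += 1

    # Index successful logins by their case-folded form.
    by_folded = {}
    for name in logged_in:
        by_folded.setdefault(name.casefold(), set()).add(name)

    report = []
    for (name, ip), count in sorted(hits.items()):
        twins = by_folded.get(name.casefold(), set()) - {name}
        if twins:
            report.append((name, ip, count, sorted(twins)))
    return report

# Lines copied from the message above.
SAMPLE = [
    "Jul  7 12:30:31 postamt dovecot: auth(default): cache(Loser,10.47.64.227): miss",
    "Jul  7 12:42:01 postamt dovecot: imap-login: Login: user=<loser>, method=PLAIN, rip=10.47.64.227, lip=141.42.4.250, TLS",
    "Jul  7 12:42:02 postamt dovecot: auth(default): cache(Loser,10.47.64.227): hit: ",
    "Jul  7 12:42:02 postamt dovecot: auth(default): cache(Loser,10.47.64.227): User unknown",
    "Jul  7 12:42:02 postamt dovecot: auth(default): cache(Loser,10.47.64.227): hit: ",
]

if __name__ == "__main__":
    for name, ip, count, twins in case_variant_hits(SAMPLE):
        print(f"{count} cache hit(s) for {name!r} from {ip}; logged in as {twins}")
```

The report shows the username exactly as it appears in the cache key, so it separates requests that were sent with the wrong case from requests where the cache answered for a differently cased name.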
	    

