[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

Liu Yubao yubao.liu at gmail.com
Tue Jan 10 08:58:37 EET 2012


On Tue, Jan 10, 2012 at 2:59 AM, Timo Sirainen <tss at iki.fi> wrote:
> On 7.1.2012, at 5.36, Yubao Liu wrote:
>
>> In old version,  "auth->passdbs" contains all passdbs, this revision
>> changes "auth->passdbs" to only contain non-master passdbs.
>>
>> I'm not sure which fix is better or even my proposal is correct or fully:
>>  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to
>>      auth->passdbs too,  and remove duplicate code for masterdbs
>>      in auth_init() and auth_deinit().
>
> Not a good idea. The master passdb needs to be treated specially, otherwise you might accidentally allow regular users logging in as other users.
>

Sorry, I don't understand well. This scheme adds all master dbs to
auth->passdbs; auth->masterdbs is not changed and still contains only
master users. I guess Dovecot looks up auth->masterdbs for master users
and auth->passdbs for regular users; regular users don't know master
users' passwords, so they can't log in as other users.

http://wiki2.dovecot.org/Authentication/MasterUsers
The "Example configuration" already shows that a master user account can
be added to auth->passdbs too.

This scheme does bring an unexpected issue: the master users can't have
separate passwords for regular login as themselves (because masterdbs
are also added to passdbs), so the risk of password leak increases much,
but I don't think it's good practice to do regular login with a master
user account.

Quoted from the same wiki page (I really enjoy the wonderful Dovecot
wiki; it's the most well organized and documented wiki among open source
projects, thank you very much!):
     "If you want master users to be able to log in as themselves,
      you'll need to either add the user to the normal passdb or add
      the passdb to dovecot.conf twice, with and without master=yes.
      Note that if the passdbs point to different locations, the user
      can have a different password when logging in as other users
      than when logging in as himself. This is a good idea since it
      can avoid accidentally logging in as someone else."

Anyway, scheme B is much less risky and much simpler, just a little
annoying code duplication :-)

>>  b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
>>      auth_passdb_list_have_lookup_credentials(), auth_passdb_list_have_set_credentials().
>
> Kind of annoying code duplication, but .. I guess it can't really be helped. Added:
> http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4
>

Thank you very much, I don't have to maintain my private package :-)

>> Another related question is "pass" option in master passdb, if I set it to "yes",
>> the authentication fails:
> ..
>> My normal passdb is a PAM passdb,  it doesn't support credential lookups, that's
>> reasonable,
>
> Right.
>
>> but I feel the comment for "pass" option is confusing:
>>
>>  # Unless you're using PAM, you probably still want the destination user to
>>  # be looked up from passdb that it really exists. pass=yes does that.
>>  pass = yes
>> }
>>
>> According the comment, it's to check whether the real user exists, why not
>> to check userdb but another passdb?
>
> Well.. It is going to check userdb eventually anyway, so it would still fail, just a bit later and maybe with different error message.

If Dovecot doesn't check the password for the real user against passdb
(actually it doesn't have the password of the real user because it's
doing master user proxy authorization), it won't fail on userdb lookup,
because the userdb does contain the real user; in my case, the real
user is a system user and absolutely exists.

>
>> Even it must check against passdb,
>> in this case, it's obvious not necessary to lookup credentials, it's enough to
>> to lookup user name only.
>
> There's currently no passdb that supports "does user exist?" lookup, but doesn't support credentials lookup, so this is more of a theoretical issue. (I guess maybe PAM could be abused in some configurations to do the check, but that's rather ugly..)

I don't understand why master user proxy authorization in Dovecot has
to check the real user against his credentials. Does that mean
"user*master" has to authenticate twice, once for master and once for
user? But often the client can't provide two passwords in a single
login, and the regular passdb such as the PAM passdb doesn't support
credentials lookup. So I feel it's better that Dovecot checks only
destination user names in passdbs or userdbs after the master user
authentication part succeeds, to decide whether the destination user
exists, just as the comment for "pass=yes" describes.

This may not be a bug; IMHO it's just a confusing feature.

Regards,
Yubao Liu
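As an added illustration, not part of the original message and not a file from the Dovecot project, here is a dovecot.conf fragment of the master-user layout this thread discusses: a master passdb kept in its own passwd-file, a PAM passdb for regular logins, and a passwd userdb. The file paths and the master account name "admin" are assumptions; the option names follow the Dovecot 2.0 master-user page linked above.

```conf
# Added example configuration, not from the original message or from
# Dovecot itself. Paths and the account name "admin" are assumptions.
# Layout as described at http://wiki2.dovecot.org/Authentication/MasterUsers

# Clients log in as "realuser*admin": the part after the separator is
# the master user, the part before it is the destination user.
auth_master_user_separator = *

# Master passdb. Keeping it in its own file means the master-login
# password is never the same entry as the user's regular password, the
# separate-password point the wiki quote makes.
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users
  master = yes
  # pass = yes would hand the destination user on to the regular passdb
  # below. With a PAM passdb, which cannot do credentials lookups, that
  # fails as reported in this thread, so it is left at no here and the
  # userdb lookup is what confirms the destination user exists.
  pass = no
}

# Regular passdb for users logging in as themselves. To let "admin"
# also log in as himself with a different password, add a second
# passwd-file passdb here (without master = yes) pointing at a
# different file, as the wiki quote describes.
passdb {
  driver = pam
}

# The destination user must still exist in the userdb.
userdb {
  driver = passwd
}
```

The /etc/dovecot/master-users file holds only master accounts and should be readable by the auth process alone, since any password in it authorizes logins as arbitrary users.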
