[Dovecot] [PATCH] support master user to login as other users by DIGEST-MD5 SASL proxy authorization
Yubao Liu
yubao.liu at gmail.com
Sat Jan 14 15:49:31 EET 2012
Hi Timo,

As http://wiki2.dovecot.org/Authentication/MasterUsers states, currently the first way for master users to log in as other users only supports the PLAIN SASL mechanism, and because DIGEST-MD5 uses the user name to calculate the MD5 digest, the second way can't support DIGEST-MD5.

I enhanced the code to support DIGEST-MD5 too for the first way; please review the attached patch against dovecot-2.0 HG tip. The patch also contains a little fix to the "nonce-count" string: RFC 2831 shows it should be "nc".
I tested it on Debian Wheezy and it seems OK. Below are my verification steps (Debian packaged 2.0.15 + http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4 + attached patch).
$ doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5 cram-md5
auth_realms = corp.example.com
auth_username_format = %n
first_valid_gid = 1000
first_valid_uid = 1000
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
args = /etc/dovecot/master-users
driver = passwd-file
master = yes
}
passdb {
driver = pam
}
plugin {
sieve = /srv/mail/%u/.dovecot.sieve
sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
unix_listener auth-client {
group = Debian-exim
mode = 0660
}
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
args = home=/srv/mail/%u
driver = passwd
}
protocol lmtp {
mail_plugins = " sieve"
}
protocol lda {
mail_plugins = " sieve"
}
$ grep webmail2 /etc/dovecot/master-users
webmail2:{DIGEST-MD5}458af98b24dce5db79f852d146d5a5ca
$ gsasl -m DIGEST-MD5 --imap imap.corp.example.com -z dieken -a webmail2 -p 123456 -r corp.example.com
Trying `gold.corp.example.com'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. STARTTLS
. OK Begin TLS negotiation now.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. AUTHENTICATE DIGEST-MD5
+ cmVhbG09ImNvcnAuZXhhbXBsZS5jb20iLG5vbmNlPSI2Y0tvRWpoRkREQVpsRHM4Q05QTUx3PT0iLHFvcD0iYXV0aCIsY2hhcnNldD0idXRmLTgiLGFsZ29yaXRobT0ibWQ1LXNlc3Mi
Enter quality of protection (optional, e.g. 'qop-int'):
dXNlcm5hbWU9IndlYm1haWwyIiwgcmVhbG09ImNvcnAuZXhhbXBsZS5jb20iLCBub25jZT0iNmNLb0VqaEZEREFabERzOENOUE1Mdz09IiwgY25vbmNlPSJIUUZKQy9VbnFSb3lGb3orTWpOY2hnPT0iLCBuYz0wMDAwMDAwMSwgcW9wPWF1dGgsIGRpZ2VzdC11cmk9ImltYXAvaW1hcC5jb3JwLmV4YW1wbGUuY29tIiwgcmVzcG9uc2U9NjU0MTQ0NzM5MTFhNjNlMjE4ZDJmZjc0NmNjZjk0MjUsIGNoYXJzZXQ9dXRmLTgsIGF1dGh6aWQ9ImRpZWtlbiI=
+ cnNwYXV0aD04ZTNiZmZhMmNhOWM4YzczODU3Zjc2OWZiOGRlMTU3MQ==
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
Client authentication finished (server trusted)...
Enter application data (EOF to finish):
Session finished...
. LOGOUT
. OK Logged in
* BYE Logging out
$ sudo tail -f 30 /var/log/mail.log
....
Jan 14 20:35:30 gold dovecot: auth: Debug: client in: AUTH#0111#011DIGEST-MD5#011service=imap#011secured#011lip=127.0.1.1#011rip=127.0.0.1#011lport=143#011rport=54455
Jan 14 20:35:30 gold dovecot: auth: Debug: client out: CONT#0111#011cmVhbG09ImNvcnAuZXhhbXBsZS5jb20iLG5vbmNlPSJsQzM0dlQ3QkxUOHdlc2VOOWIybzhnPT0iLHFvcD0iYXV0aCIsY2hhcnNldD0idXRmLTgiLGFsZ29yaXRobT0ibWQ1LXNlc3Mi
Jan 14 20:35:32 gold dovecot: auth: Debug: client in: CONT#0111#011dXNlcm5hbWU9IndlYm1haWwyIiwgcmVhbG09ImNvcnAuZXhhbXBsZS5jb20iLCBub25jZT0ibEMzNHZUN0JMVDh3ZXNlTjliMm84Zz09IiwgY25vbmNlPSJQOTFta2VHZjFFS2kzQVgxMWVVT3FnPT0iLCBuYz0wMDAwMDAwMSwgcW9wPWF1dGgsIGRpZ2VzdC11cmk9ImltYXAvaW1hcC5jb3JwLmV4YW1wbGUuY29tIiwgcmVzcG9uc2U9OTllNzM2MDc0ZWE3YjE2NTE4NGQ3ZGVjY2E5ZGExNTgsIGNoYXJzZXQ9dXRmLTgsIGF1dGh6aWQ9ImRpZWtlbiI=
Jan 14 20:35:32 gold dovecot: auth: Debug: auth(webmail2,127.0.0.1,master): Master user lookup for login: dieken
Jan 14 20:35:32 gold dovecot: auth: Debug: passwd-file(webmail2,127.0.0.1,master): lookup: user=webmail2 file=/etc/dovecot/master-users
Jan 14 20:35:32 gold dovecot: auth: passdb(webmail2,127.0.0.1,master): Master user logging in as dieken
Jan 14 20:35:32 gold dovecot: auth: Debug: password(dieken,127.0.0.1): Credentials: 458af98b24dce5db79f852d146d5a5ca
Jan 14 20:35:32 gold dovecot: auth: Debug: client out: CONT#0111#011cnNwYXV0aD04YmU5ZjFmN2UyMTRlMjI3MmY2YjEwMDU0YmYwNmMwZg==
Jan 14 20:35:32 gold dovecot: auth: Debug: client in: CONT#0111#011
Jan 14 20:35:32 gold dovecot: auth: Debug: client out: OK#0111#011user=dieken
Jan 14 20:35:32 gold dovecot: auth: Debug: master in: REQUEST#0112451832833#01115973#0111#011b7ff18971fd6967b00e2ea0ed2ef6278
Jan 14 20:35:32 gold dovecot: auth: Debug: passwd(dieken,127.0.0.1): lookup
Jan 14 20:35:32 gold dovecot: auth: Debug: master out: USER#0112451832833#011dieken#011home=/srv/mail/dieken#011system_groups_user=dieken#011uid=1000#011gid=1000#011master_user=webmail2
Jan 14 20:35:32 gold dovecot: imap-login: Login: user=<dieken>, method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.1.1, mpid=15974, TLS
Jan 14 20:35:32 gold dovecot: imap: Debug: Added userdb setting: plugin/master_user=webmail2
Jan 14 20:35:32 gold dovecot: imap(dieken): Debug: Effective uid=1000, gid=1000, home=/srv/mail/dieken
Jan 14 20:35:32 gold dovecot: imap(dieken): Debug: fs: root=/srv/mail/dieken/Mail, index=, control=, inbox=, alt=
Jan 14 20:35:32 gold dovecot: imap(dieken): Debug: Namespace : Using permissions from /srv/mail/dieken/Mail: mode=0700 gid=-1
Jan 14 20:35:34 gold dovecot: imap(dieken): Disconnected: Logged out bytes=8/329
Jan 14 20:35:34 gold dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [127.0.0.1]
Jan 14 21:04:50 gold dovecot: imap(dieken): Disconnected: Logged out bytes=131/533
Jan 14 21:33:59 gold dovecot: imap-login: Login: user=<dieken>, method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.1.1, mpid=16114, TLS
Jan 14 21:34:03 gold dovecot: imap(dieken): Disconnected: Logged out bytes=8/329
Jan 14 21:36:56 gold dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.1.1
Jan 14 21:36:56 gold dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.1.1
Jan 14 21:36:58 gold dovecot: imap-login: Login: user=<dieken>, method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.1.1, mpid=16135, TLS
Jan 14 21:37:00 gold dovecot: imap(dieken): Disconnected: Logged out bytes=10/377
Regards,
Yubao Liu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: digest-md5-sasl-proxy-authorization.patch
Type: text/x-patch
Size: 2322 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20120114/bedb0b7e/attachment-0002.bin>
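Added example, not the attached patch or Dovecot's own code: a small server-side model of what the message describes. It decodes the client's DIGEST-MD5 response from the gsasl session above, verifies it against the hash stored for the master user in master-users (Dovecot's {DIGEST-MD5} scheme stores hex MD5(user:realm:password)), and only after that switches the login user to the authzid. Because RFC 2831 hashes the authzid into A1, the digest is bound to both names, which is why rewriting the username (the wiki's second method) cannot work. The `authorize` flow and the constructed password in the demo are my assumptions, not taken from the patch.

```python
import base64
import hashlib
import hmac
import re

# Copied from the message above: the client's digest-response (base64, as sent on the
# wire in the gsasl session) and the master user's {DIGEST-MD5} entry from master-users.
CLIENT_RESPONSE_B64 = (
    "dXNlcm5hbWU9IndlYm1haWwyIiwgcmVhbG09ImNvcnAuZXhhbXBsZS5jb20iLCBub25jZT0i"
    "NmNLb0VqaEZEREFabERzOENOUE1Mdz09IiwgY25vbmNlPSJIUUZKQy9VbnFSb3lGb3orTWpOY2hnPT0i"
    "LCBuYz0wMDAwMDAwMSwgcW9wPWF1dGgsIGRpZ2VzdC11cmk9ImltYXAvaW1hcC5jb3JwLmV4YW1wbGUuY29tIiwg"
    "cmVzcG9uc2U9NjU0MTQ0NzM5MTFhNjNlMjE4ZDJmZjc0NmNjZjk0MjUsIGNoYXJzZXQ9dXRmLTgsIGF1dGh6aWQ9ImRpZWtlbiI="
)
MASTER_USERS = {"webmail2": "458af98b24dce5db79f852d146d5a5ca"}

_PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')

def parse_digest_response(b64: str) -> dict:
    """Decode the base64 digest-response and split its key=value directives (RFC 2831 2.1.2)."""
    text = base64.b64decode(b64).decode("utf-8")
    return {k: quoted or bare for k, quoted, bare in _PAIR.findall(text)}

def stored_credential(user: str, realm: str, password: str) -> str:
    """Hex MD5(user:realm:password): what a {DIGEST-MD5} passwd-file entry holds."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_value(stored_hex: str, r: dict, a2_prefix: str) -> str:
    # md5-sess: A1 = H(user:realm:pass) raw || ":" nonce ":" cnonce [":" authzid] (RFC 2831).
    # authzid is part of A1, so neither username nor authzid can be swapped after the fact.
    a1 = bytes.fromhex(stored_hex) + f":{r['nonce']}:{r['cnonce']}".encode()
    if r.get("authzid"):
        a1 += b":" + r["authzid"].encode()
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"{a2_prefix}:{r['digest-uri']}".encode()).hexdigest()  # qop=auth
    kd = f"{ha1}:{r['nonce']}:{r['nc']}:{r['cnonce']}:{r['qop']}:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()

def verify_client_response(stored_hex: str, r: dict) -> bool:
    return hmac.compare_digest(digest_value(stored_hex, r, "AUTHENTICATE"), r["response"])

def server_rspauth(stored_hex: str, r: dict) -> str:
    return digest_value(stored_hex, r, "")  # mutual auth: A2 = ":" digest-uri

def authorize(credentials: dict, r: dict):
    """Assumed server flow: look the hash up under the authenticating user (username, here
    the master user); only if the digest verifies, log in as authzid. Returns the login user."""
    stored = credentials.get(r["username"])
    if stored is None or not verify_client_response(stored, r):
        return None
    return r.get("authzid") or r["username"]

if __name__ == "__main__":
    r = parse_digest_response(CLIENT_RESPONSE_B64)
    print(r["username"], "->", authorize(MASTER_USERS, r), server_rspauth(MASTER_USERS["webmail2"], r))
```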