[Dovecot] Weird Authentication behaviour
Gedalya
gedalya at gedalya.net
Mon Mar 24 11:47:24 UTC 2014
On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
> Hi guys,
>
>
>
> we use dovecot 2.0.9 and authentication against a mysql database. Everything
> works fine, but we found some weird behavior – when the password is e.g.
> “testpass” you also authenticate successfully with “testpass123” or
> “testpassNOT”. Whatever comes after the correct password doesn’t matter, the
> authentication is still successful.
..
> default_pass_scheme = CRYPT
>
http://wiki2.dovecot.org/Authentication/PasswordSchemes --
CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" =
vpvKh.SaNbR6s)
Dovecot uses libc's crypt() function, which means that CRYPT is usually
able to recognize MD5-CRYPT and possibly also other password schemes.
See all of the *-CRYPT schemes at the top of this page.
>>>>>>>
*The traditional DES-crypt scheme only uses the first 8 characters of
the password, the rest are ignored.* Other schemes may have other
password length limitations (if they limit the password length at all).
More information about the dovecot
mailing list