Disabling auth fallback to PAM

martin f krafft madduck at madduck.net
Sat Nov 21 06:12:13 UTC 2015

also sprach Timo Sirainen <tss at iki.fi> [2015-11-21 14:14 +1300]:
> Well, your topic is PAM.

Is it? My point is that PAM should not even be asked if an
authentication source beforehand knows about a user but the password
cannot be verified.

> But.. Right now passdb has result_success, result_failure and
> result_internalfail. I suppose it should be possible to add
> result_user_unknown there that defaults to result_failure if it's
> not explicitly set.

result_user_known should be returned when the authentication source
does not know about a user.

If the authentication source knows a user but fails to authenticate
him/her due to a password mismatch, the result should rather be

Those two should really replace result_failure and the dovecot
authentication stack should only continue on result_user_known or
result_internalfail. If we get result_success or
result_auth_failure, then authentication is done and no further
sources should be considered.

@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
only by counting could humans demonstrate
their independence of computers.
            -- douglas adams, "the hitchhiker's guide to the galaxy"
spamtraps: madduck.bogus at madduck.net
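
The continuation rule proposed in this message, modelled in Python as an added example; it is not part of the original post and not Dovecot code. It uses result_user_unknown (the name in the quoted text) for "source does not know the user", and the PassDB class, the FALLTHROUGH policy, the source names, users and passwords are all constructed assumptions.

```python
import hmac
from enum import Enum


class Result(Enum):
    SUCCESS = "result_success"
    AUTH_FAILURE = "result_auth_failure"    # user known, password mismatch
    USER_UNKNOWN = "result_user_unknown"    # source has no such user
    INTERNALFAIL = "result_internalfail"    # source could not answer


# Proposed rule: only these two outcomes let the next source be asked.
PROPOSED = frozenset({Result.USER_UNKNOWN, Result.INTERNALFAIL})
# Assumed model of a single "failure" result that is configured to continue.
FALLTHROUGH = PROPOSED | {Result.AUTH_FAILURE}


class PassDB:
    """Hypothetical stand-in for one authentication source."""

    def __init__(self, name, users, broken=False):
        self.name, self.users, self.broken = name, users, broken

    def verify(self, user, password):
        if self.broken:
            return Result.INTERNALFAIL
        if user not in self.users:
            return Result.USER_UNKNOWN
        ok = hmac.compare_digest(self.users[user].encode(), password.encode())
        return Result.SUCCESS if ok else Result.AUTH_FAILURE


def authenticate(chain, user, password, continue_on=PROPOSED):
    """Return (final result, names of the sources that saw the password)."""
    consulted, result = [], Result.USER_UNKNOWN
    for passdb in chain:
        consulted.append(passdb.name)
        result = passdb.verify(user, password)
        if result not in continue_on:
            break  # success or a definite mismatch ends the chain
    return result, consulted


# Constructed sample data: "alice" exists in both sources with different
# passwords, "bob" exists only in the PAM stand-in.
SQL = PassDB("sql", {"alice": "mail-pw"})
PAM = PassDB("pam", {"alice": "shell-pw", "bob": "bob-pw"})

if __name__ == "__main__":
    for policy in (PROPOSED, FALLTHROUGH):
        print(authenticate([SQL, PAM], "alice", "shell-pw", policy))
```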