Moving to new password scheme

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Wed Jan 25 09:46:31 UTC 2017


On Wed, 25 Jan 2017, @lbutlr wrote:
>> On Jan 25, 2017, at 1:09 AM, Alessio Cecchi <alessio at skye.it> wrote:
>>
>> Il 24/01/2017 23:29, @lbutlr ha scritto:
>>> dovecot is setup on a system with MD5-CRYPT password scheme for all users, and I would like to update this to something that is secure, probably SSHA256-CRYPT, but I want to do this seamlessly without the users having to jump through any hoops.
>>>
>>> The users are in mySQL (managed via postfixadmin) and the mailbox record simply stores the hash in the password field. Users access their accounts though IMAP MUAs or Roundcube.
>>>
>>> How would I set up my system so that if a user logs in and still has a $1$ password (MD5-CRYPT) their password will be encoded to the new SCHEME and then the SQL row updated with the $5$ password instead? Something where they are redirected after authentication to a page that forces them to re-enter their password (or choose a new one) is acceptable.
>>>
>>> And, while I am here, is it worthwhile to set the -r flag to a large number (like something over 100,000, which takes about 0.25 seconds to do on my machine)?
>>>
>> Hi,
>>
>> you can convert password scheme during the login:
>>
>> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
>
> Thanks, I started to look into that and got stopped on the first step
>
>>  userdb {
>>   driver = prefetch
>> }
>
> If I set that and reload dovecot users cannot login.
>
> dovecot: auth: Fatal: userdb prefetch: No args are supported: /etc/dovecot/dovecot-sql.conf.ext
> dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
> dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 4 secs): user=<>,

I don't see any prefetch in your config. The error may indicate that you 
replaced driver = sql with driver = prefetch, which is wrong.

http://wiki2.dovecot.org/UserDatabase/Prefetch

The idea described on the Wiki page is:

During login, most often the same data is collected from the passdb as 
later from the userdb, therefore you can collect *all* information you 
would retrieve from userdb { } within passdb queries (that's why there are 
the home as userdb_home, uid as userdb_uid, gid as userdb_gid, '%w' as 
userdb_plain_pass entries; the prefix userdb_ indicates that data) and 
store it for later use by the prefetch database.

That's why the prefetch userdb has to precede the other ones, because if 
the passdb query filled in the values, the later userdb entries are 
ignored.

You've noticed the '%w' as userdb_plain_pass? That stores the plain 
password (if any) in the virtual prefetch userdb entry as the field 
plain_pass.

Those fields are available later as environment variables; that's why 
/usr/local/etc/popafter.sh may use:

    #!/bin/sh
    # PLAIN_PASS is the '%w' as userdb_plain_pass field, exported by Dovecot;
    # quote it, or a password containing spaces or shell metacharacters
    # breaks the command (or worse, gets interpreted by the shell)
    DOVECOTPW=$(doveadm pw -s SHA512-CRYPT -p "$PLAIN_PASS")

to access it.

Now, you are using two passdbs. The PAM passdb won't support this method, 
I guess.

> # 2.2.27 (c0f36b0): /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 10.3-RELEASE-p11 i386
> auth_failure_delay = 5 secs
> auth_mechanisms = PLAIN LOGIN
> default_client_limit = 4096
> default_process_limit = 1024
> default_vsz_limit = 768 M
> disable_plaintext_auth = no
> first_valid_uid = 89
> imap_id_log = *
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> login_log_format_elements = user=<%u> %r %m %c
> mail_location = maildir:~/Maildir
> mail_max_userip_connections = 90
> namespace inbox {
>  inbox = yes
>  location =
>  mailbox Drafts {
>    special_use = \Drafts
>  }
>  mailbox Junk {
>    auto = subscribe
>    special_use = \Junk
>  }
>  mailbox NotJunk {
>    auto = subscribe
>  }
>  mailbox Sent {
>    special_use = \Sent
>  }
>  mailbox Trash {
>    special_use = \Trash
>  }
>  prefix =
> }
> passdb {
>  driver = pam
> }
> passdb {
>  args = /etc/dovecot/dovecot-sql.conf.ext
>  driver = sql
> }
> protocols = imap
> service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    mode = 0666
>  }
> }
> service imap-login {
>  inet_listener imaps {
>    port = 993
>    ssl = yes
>  }
> }
> service imap-postlogin {
>  executable = script-login /usr/local/etc/dovecot/afterlogin.sh
>  user = $default_internal_user
> }
> ssl_cert = </usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
> ssl_key =  # hidden, use -P to show it
> ssl_protocols = !SSLv2 !SSLv3
>
> userdb {
>  driver = passwd
> }
> userdb {
>  args = /etc/dovecot/dovecot-sql.conf.ext
>  default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u mail=maildir:/usr/local/virtual/%u
>  driver = sql
> }
>
>

-- 
Steffen Kaiser
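As an added example (not the wiki's popafter.sh and not code from anyone in this thread), here is what a post-login script following the mechanism described above could look like once the prefetch userdb and the userdb_ fields are in place. It assumes the passdb query exports '%w' AS userdb_plain_pass and, using the same userdb_ convention, the stored hash as userdb_old_hash (an assumed field name), so they arrive in the script as PLAIN_PASS and OLD_HASH; it assumes postfixadmin's mailbox table with username and password columns, and a hypothetical /usr/local/etc/dovecot/rehash.cnf holding the MySQL client credentials. Dovecot's own behaviour relied on here is that doveadm pw prints the hash with a {SCHEME} prefix, that script-login passes the userdb extra fields as uppercased environment variables, and that the script must end by exec'ing its arguments.

```shell
#!/bin/sh
# Hypothetical Dovecot post-login script (an added example, not the wiki's
# popafter.sh and not code from this thread).  Hooked in with
#   service imap-postlogin { executable = script-login /usr/local/etc/dovecot/rehash.sh }
#
# Assumed passdb query additions, following the userdb_ convention:
#   '%w'     AS userdb_plain_pass   -> arrives here as $PLAIN_PASS
#   password AS userdb_old_hash     -> arrives here as $OLD_HASH (assumed name)
# plus userdb { driver = prefetch } listed before the sql userdb (which is
# still needed for non-login lookups such as lda and doveadm).
# $USER is set by Dovecot to the authenticated user name.
# Table/column names are postfixadmin's (mailbox.username, mailbox.password);
# MySQL credentials live in a [client] section of $MYSQL_CNF, so no
# database password shows up on the command line.

TARGET_SCHEME=SHA512-CRYPT
TARGET_ROUNDS=100000                          # doveadm pw -r; about 0.25 s per hash per the thread
MYSQL_CNF=/usr/local/etc/dovecot/rehash.cnf   # assumed path

# Print the scheme of a crypt(3)-style hash from its $N$ prefix, after
# dropping any {SCHEME} prefix Dovecot may have stored in front of it.
hash_scheme() {
    h=$(printf '%s' "$1" | sed 's/^{[^}]*}//')
    case "$h" in
        '$1$'*) echo MD5-CRYPT ;;
        '$5$'*) echo SHA256-CRYPT ;;
        '$6$'*) echo SHA512-CRYPT ;;
        *)      echo UNKNOWN ;;
    esac
}

# Print the rounds= value of a $5$/$6$ hash; glibc uses 5000 when absent.
hash_rounds() {
    case "$1" in
        *'$rounds='*) r=${1#*\$rounds=}; echo "${r%%\$*}" ;;
        *)            echo 5000 ;;
    esac
}

# Exit 0 when the stored hash is not yet TARGET_SCHEME with at least
# TARGET_ROUNDS, i.e. when this login should trigger a rewrite.
needs_upgrade() {
    [ "$(hash_scheme "$1")" != "$TARGET_SCHEME" ] && return 0
    [ "$(hash_rounds "$1")" -lt "$TARGET_ROUNDS" ]
}

# $USER is client-chosen input that ends up inside an SQL statement;
# accept only a conservative character set before interpolating it.
safe_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *)                     return 0 ;;
    esac
}

# Re-hash the clear-text password and store it with its {SCHEME} prefix,
# so old $1$ rows and new rows coexist whatever default_pass_scheme says.
rehash_and_store() {
    new_hash=$(doveadm pw -s "$TARGET_SCHEME" -r "$TARGET_ROUNDS" -p "$PLAIN_PASS") || return 1
    # doveadm prints {SCHEME}$6$rounds=N$salt$hash, i.e. only [A-Za-z0-9./$={}-],
    # so it is safe to splice into the statement; $USER was vetted above.
    printf "UPDATE mailbox SET password='%s' WHERE username='%s';\n" "$new_hash" "$USER" |
        mysql --defaults-extra-file="$MYSQL_CNF"
}

# Only act when the passdb actually supplied a clear-text password (the PAM
# passdb never does) and the stored hash is outdated.
if [ -n "${PLAIN_PASS:-}" ] && [ -n "${OLD_HASH:-}" ] && needs_upgrade "$OLD_HASH"; then
    if safe_username "${USER:-}"; then
        rehash_and_store || echo "rehash.sh: rehash failed for $USER" >&2
    else
        echo "rehash.sh: refusing to rehash, unsafe user name" >&2
    fi
fi

# Don't hand the clear-text password on to the imap process, then run it.
unset PLAIN_PASS OLD_HASH
exec "$@"
```

Two caveats worth knowing before deploying something like this: doveadm pw -p puts the clear-text password on the command line, so it is visible in the process list for the fraction of a second the hash takes; and with 100,000 rounds every login of a not-yet-migrated user pays that hashing cost once, after which the rounds check keeps the script from re-hashing rows that are already current.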

