Tip: update dovecot MD5 password from PAM

Aki Tuomi aki.tuomi at dovecot.fi
Sun Mar 26 18:59:05 EEST 2017


> On March 26, 2017 at 2:24 PM Steinar Bang <sb at dod.no> wrote:
> 
> 
> >>>>> Aki Tuomi <aki.tuomi at dovecot.fi>:
> 
> > On 2017-03-25 17:54, Steinar Bang wrote:
> >> This is a PAM module that listens for password changes, and will update
> >> the MD5 password for a user, in a file that dovecot can read, when the
> >> user's password is changed:
> >> https://github.com/steinarb/pam_dovecotmd5pwd
> >> 
> >> Caveat emptor! (Works for me...! :-) )
> 
> > Maybe you could update the PAM module to upgrade user's passwords to
> > something safer than MD5? Like SSHA512 or CRYPT-SHA512? =)
> 
> Is it possible to do CRAM[1] with any of these encryption methods?
> And, if so: are these encryption methods widely supported by clients?
> 
> The essential part for me was to have something widely supported by
> clients, where the password isn't transferred over the wire as part of
> the authentication.
> 
> The last time I looked cram-md5 was the only candidate for not
> transferring the password in cleartext during authentication (and with
> dovecot cram-md5 requires a special passwd file, which is why I wrote
> this pam module in the first place).
> 
> References:
>  [1] <https://en.wikipedia.org/wiki/Challenge–response_authentication>

Is there some reason you cannot protect your users with TLS/SSL? Using CRAM-MD5 is not a very secure option, since you have to store the password in clear text. Plain MD5 is almost plaintext these days.

Aki
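
The storage trade-off discussed in this thread, as an added example that is not part of the original message or of pam_dovecotmd5pwd: a CRAM-MD5 exchange (RFC 2195) can only be verified by a server that holds the secret used as the HMAC key, while a salted one-way hash can only be checked against a password the client presents, for example PLAIN inside TLS. The credentials, the challenge string and the SSHA512-style layout (digest followed by salt) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: the password is the HMAC-MD5 key and is never sent."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())

def cram_md5_verify(stored_secret: str, challenge: bytes, response: bytes) -> bool:
    """Server side: must recompute the same HMAC, so it needs the key itself."""
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def salted_sha512(password: str, salt: bytes) -> str:
    """One-way salted hash; layout (digest + salt, base64) is an assumption."""
    raw = hashlib.sha512(password.encode() + salt).digest() + salt
    return base64.b64encode(raw).decode()

def salted_sha512_verify(stored: str, presented_password: str) -> bool:
    """Needs the client to present the password over a protected channel."""
    salt = base64.b64decode(stored)[64:]  # SHA-512 digest is 64 bytes
    return hmac.compare_digest(stored, salted_sha512(presented_password, salt))

def demo() -> dict:
    user, password = "alice", "correct horse"         # constructed credentials
    challenge = b"<1896.697170952@mail.example.org>"  # constructed challenge
    response = cram_md5_response(user, password, challenge)
    hashed = salted_sha512(password, os.urandom(8))
    return {
        # Server that kept the secret can verify the challenge response.
        "cram_with_secret": cram_md5_verify(password, challenge, response),
        # Server that kept only a one-way hash cannot verify CRAM-MD5.
        "cram_with_hash_only": cram_md5_verify(hashed, challenge, response),
        # The same hash does verify a password presented by the client.
        "plain_against_hash": salted_sha512_verify(hashed, password),
    }

if __name__ == "__main__":
    print(demo())
```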

