On Tue, 11 Oct 2022, Serveria Support wrote:
I'm sorry but I wasn't able to find src/config/all-settings.c file.
all-settings.h is there but all-settings.c is missing. I checked on
Github (thought maybe some files failed to extract) and it's missing
there too.
When building from git, you need to run ./autogen.sh first.
^^
This is from the instructions in git (INSTALL.md).
This generates, among others, the file I mentioned.
On 2022-10-11 22:15, Bernardo Reino wrote:
Please please stop top-posting. Makes a mess of everything!
On Tue, 11 Oct 2022, Serveria Support wrote:
Ok, this is something... let me check...
If you're you referring to these pieces of code:
[...]
I'm not a programmer, let alone a C guru, but these extracts
look like password failure logging. Are you sure they are
recording successful authentications for the logs?
OK. I thought the code would be the same. I *do* log failed
passwords,
so I sort of thought only about that string ("given password: ").
I enabled debug passwords on my server, to test, so I could see
how it
looks like in the log.
The "keyword" in the code seems to be "hide_pass", so if you
search
for that in the code, you find a few instances where passwords
are
(selectively) removed/replaced in a given line of text.
But at this point I think the easiest in this absurd (IMHO) quest
of
yours is to patch src/config/all-settings.c, and, around line
4141:
static bool login_settings_check(void *_set, pool_t pool,
const char **error_r ATTR_UNUSED)
{
struct login_settings *set = _set;
set->log_format_elements_split =
p_strsplit(pool, set->login_log_format_elements, " ");
/* >>> INSERT HERE */
set->auth_debug_passwords = FALSE;
/* */
if (set->auth_debug_passwords)
set->auth_debug = TRUE;
if (set->auth_debug)
set->auth_verbose = TRUE;
return TRUE;
}
If I'm right, this will just turn off the flag whenever dovecot
checks
the settings, i.e. regardless of what's in the actual
dovecot.conf, so
it should do the trick.
But at this point this feels like a useless homework assignment,
so I
think I'll stop (I used to be good with C, now I'm read/only, and
my
time is very limited).
(I do make a mental note of having a statically linked dovecot
binary
with forced password debugging. You never know when/where you
might
need it ;-)
Cheers and good luck,
Bernardo
On 2022-10-11 17:07, Bernardo Reino wrote:
On Mon, 10 Oct 2022, Serveria Support wrote:
I checked the source code on Github and discussed this with a
C
developer. There seem to be too many files... perhaps
somebody can
guide
me where should I look? Aki?
You should search for "given password" in the source.
Hint:
src/auth/passdb-pam.c, around lines 175-178.
src/auth/auth-request.c, around lines 2311-2312.
This is with the latest source (2.3.19.1).
Cheers.
PS: But as I noted, nothing prevents $HACKER from bringing
their own
dovecot (BYOD :) with all debugging options enabled, etc. As
others
have noted, if the intruder owns your server, you have lost.
Period.
