Re: Moving to new password scheme

Steffen Kaiser Wed, 25 Jan 2017 03:58:31 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 25 Jan 2017, @lbutlr wrote:

On Jan 25, 2017, at 2:46 AM, Steffen Kaiser <skdove...@smail.inf.fh-brs.de> 
wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 25 Jan 2017, @lbutlr wrote:

On Jan 25, 2017, at 1:09 AM, Alessio Cecchi <ales...@skye.it> wrote:

Il 24/01/2017 23:29, @lbutlr ha scritto:

dovecot is setup on a system with MD5-CRYPT password scheme for all users, and 
I would like to update this to something that is secure, probably 
SSHA256-CRYPT, but I want to do this seamlessly without the users having to 
jump through any hoops.

The users are in mySQL (managed via postfixadmin) and the mailbox record simply 
stores the hash in the password field. Users access their accounts though IMAP 
MUAs or Roundcube.

How would I setup my system so that if a user logs in and still has a $1$ 
password (MD5-CRYPT) their password will be encoded to the new SHCEME and then 
the SQL row updated with the $5$ password instead? Something where they are 
redirected after authentication to a page that forces them to renter their 
password (or choose a new one) is acceptable.

And, while I am here, is it worthwhile to set the -r flag to a large number 
(like something over 100,000 which sets takes about 0.25 seconds to do on my 
machine)?

Hi,

you can convert password scheme during the login:

http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes


Thanks, I started to look into that and got stopped no the first step

userdb {
 driver = prefetch
}


If I set that and reload dovecot users cannot login.

dovecot: auth: Fatal: userdb prefetch: No args are supported: 
/etc/dovecot/dovecot-sql.conf.ext
dovecot: master: Error: service(auth): command startup failed, throttling for 8 
secs
dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was 
ready, waited 4 secs): user=<>,


I don't see no prefetch in your config.


No, when I changed userdb { driver = passwd } to prefetch everything failed, so 
I changed it back immediately so people could login. That was the firs step on 
the page and I couldn’t get past it.

The error may indicate that you replaced driver = sql by driver = prefetch, 
which is wrong.


driver = sql is in the imap/sql section. The one I tried changing was the bare 
userdb declaration the just said driver - passwd.

I guess I need to ADD another userdb declaration for the prefetch.

Does the other int he file matter? I have local users stuff first and then the 
sql stuff later, but I’m not sure if that matters.

yes, userdb's are checked in the same order as they appear in the configfile(s).

http://wiki2.dovecot.org/UserDatabase/Prefetch

The idea described on the Wiki page is:

During login, most often the same data is collected from the passdb as later 
from the userdb, therefore you can collect *all* information you would retrieve 
from userdb { } within passdb queries (that's why the home as userdb_home, \
uid as userdb_uid, gid as userdb_gid, '%w' as userdb_plain_pass entries; the 
prefix userdb_ indicates that data) and store it for later use by the prefetch 
database.

That's why the prefetch userdb has to preceed the other ones, because if the 
passdb query filled in the values, the later userdb entries are ignored.


So Place it first (or at least before all the sql stuff)?


yep.

You've noticed the '%w' as userdb_plain_pass ? That stores the plain password 
(if any) to the virtual prefetch userdb entry as field plain_pass.

OK.

Now, you are using two passdb's. the PAM passdb won't support this method, I 
guess.


No, I’m not expecting it to. the local users are mostly my admin accounts and I 
can just change the passwords on those manually without an issue.

I’ll keep at it. Thanks.

- --Steffen Kaiser

Re: Moving to new password scheme

Reply via email to