I'm using dovecot version 2.3.2.1 (0719df592) and trying to use the
ARGON2ID crypt scheme for authentication using the passdb passwd-file
driver. My passdb config is very simple:

    passdb {
      driver = passwd-file
      args = username_format=%u <path-to-file-here>
    }

If I generate a password this way:

    doveadm pw -s ARGON2ID -p 'This is a test'

I get a crypt value for the password that I can place in the password
file like:

testuser:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$UuqF25QtumNBe9R2FmUZvA$5avvHY5TIaj5Wl5C4k8BOI4bcmNei7BwPLlXYQVybMc

And if I test authentication with this command:

    doveadm auth login testuser 'This is a test'

It works as shown by the (lightly redacted) log:

    Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: auth client connected (pid=55417)     Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client in: AUTH        1        PLAIN service=doveadm        debug        resp=<hidden>     Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file>     Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client passdb out: OK        1        user=testuser

However, if I instead specify a non-default number of rounds this way:

     doveadm pw -s ARGON2ID -p 'This is a test' -r 7

and place the result in an entry in the password file like:

testuser:{ARGON2ID}$argon2id$v=19$m=1048576,t=7,p=1$kIhnUR13GrtOvvpbJNJmnQ$o7O6Whxs3s8IE09yY9S2dPkJjJyEVc78GRFilYVS9fU

Then testing authentication using the same command (repeated here):

    doveadm auth login testuser 'This is a test'

then authentication fails, as shown by this (lightly redacted) log:

    Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: auth client connected (pid=55557)     Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: client in: AUTH        1        PLAIN service=doveadm        debug        resp=<hidden>     Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file <path-to-passwd-file>: Read 3 users in 0 secs     Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file>     Sep 25 22:52:05 myhost dovecot[17538]: auth: passwd-file(testuser): Password mismatch     Sep 25 22:52:07 myhost dovecot[17538]: auth: Debug: client passdb out: FAIL        1        user=testuser

Experimentation with other values for the -r option has not produced
a value that works for me. Using the exact same procedure but the
BLF-CRYPT scheme, with varying number of rounds, does work.

Am I doing something wrong or is there a bug in either the
doveadm pw generation or the auth evaluation of the password?

I'd like to use ARGON2ID with ~6 rounds if I can make this work.
Any help would be greatly appreciated.

Thanks, Keith

Reply via email to