The reason it fails is because auth process runs out of memory and there is a bug in libsodium which causes it to crash in this scenario. The fix is to do
service auth { vsz_limit = 0 # or 2G at least } Aki On 26.09.2018 09:12, Keith Amidon wrote: > I'm using dovecot version 2.3.2.1 (0719df592) and trying to use the > ARGON2ID crypt scheme for authentication using the passdb passwd-file > driver. My passdb config is very simple: > > passdb { > driver = passwd-file > args = username_format=%u <path-to-file-here> > } > > If I generate a password this way: > > doveadm pw -s ARGON2ID -p 'This is a test' > > I get a crypt value for the password that I can place in the password > file like: > > testuser:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$UuqF25QtumNBe9R2FmUZvA$5avvHY5TIaj5Wl5C4k8BOI4bcmNei7BwPLlXYQVybMc > > > And if I test authentication with this command: > > doveadm auth login testuser 'This is a test' > > It works as shown by the (lightly redacted) log: > > Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: auth client > connected (pid=55417) > Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client in: > AUTH 1 PLAIN service=doveadm debug > resp=<hidden> > Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: > passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file> > Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client passdb > out: OK 1 user=testuser > > However, if I instead specify a non-default number of rounds this way: > > doveadm pw -s ARGON2ID -p 'This is a test' -r 7 > > and place the result in an entry in the password file like: > > testuser:{ARGON2ID}$argon2id$v=19$m=1048576,t=7,p=1$kIhnUR13GrtOvvpbJNJmnQ$o7O6Whxs3s8IE09yY9S2dPkJjJyEVc78GRFilYVS9fU > > > Then testing authentication using the same command (repeated here): > > doveadm auth login testuser 'This is a test' > > then authentication fails, as shown by this (lightly redacted) log: > > Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: auth client > connected (pid=55557) > Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: client in: > AUTH 1 PLAIN service=doveadm debug > resp=<hidden> > Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file > <path-to-passwd-file>: Read 3 users in 0 secs > Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: > passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file> > Sep 25 22:52:05 myhost dovecot[17538]: auth: > passwd-file(testuser): Password mismatch > Sep 25 22:52:07 myhost dovecot[17538]: auth: Debug: client passdb > out: FAIL 1 user=testuser > > Experimentation with other values for the -r option has not produced > a value that works for me. Using the exact same procedure but the > BLF-CRYPT scheme, with varying number of rounds, does work. > > Am I doing something wrong or is there a bug in either the > doveadm pw generation or the auth evaluation of the password? > > I'd like to use ARGON2ID with ~6 rounds if I can make this work. > Any help would be greatly appreciated. > > Thanks, Keith >