Jonathan Ballet
2006-Sep-11 22:13 UTC
[Dovecot] Using pgsql with 'cram-md5 auth' and 'hmac-md5 scheme'
Hello,

I want to use PostgreSQL to store my Dovecot users. I set up a very basic configuration, following word for word this page http://wiki.dovecot.org/DovecotPostgresql and it works ... almost.

In fact, it works if I use the PLAIN password scheme in my database. However, I would like to store them encrypted. But, if I replace the password field for my user with {HMAC-MD5}-... (the password generated by dovecotpw), it doesn't work.

Here is the log, using the PLAIN password scheme (all debug options activated):

==================================================
auth(default): client in: AUTH 1 CRAM-MD5 service=IMAP secured lip=127.0.0.1 rip=127.0.0.1
auth(default): client out: CONT 1 PDU3NTgxMTE5MTcwMTYzNjguMTE1ODAxMTQzN0BkZWI2ND4
auth(default): client in: CONT 1 am9uIDJjN2RmMDVmZWZiNWU4MmE0MzFkMjM2YThhYzc2MDAx
auth(default): sql(jon,127.0.0.1): query: SELECT userid as user, password FROM users WHERE userid = 'jon'
auth(default): password(jon,127.0.0.1): Credentials: 3fd9989457cb3edf1fb8d31dddaf11f3f0efee3423aeb9ebf9bbe981f86a079b
auth(default): client out: OK 1 user=jon
auth(default): master in: REQUEST 1 23748 1
auth(default): sql(jon,127.0.0.1): SELECT home, uid, gid FROM users WHERE userid = 'jon'
auth(default): master out: USER 1 jon home=/var/mail/jon/ uid=5000 gid=5000
IMAP(jon): Effective uid=5000, gid=5000
IMAP(jon): maildir: data=/var/mail/jon
IMAP(jon): maildir:root=/var/mail/jon, index=/var/mail/jon, control=, inbox
imap-login: Login: user=<jon>, method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
IMAP(jon): Disconnected: Logged out

And here is the log, using the HMAC-MD5 password scheme (all debug options activated too):

====================================================
auth(default): client in: AUTH 1 CRAM-MD5 service=IMAP secured lip=127.0.0.1 rip=127.0.0.1
auth(default): client out: CONT 1 PDI0MDc4NTQzMDc5NjU2NTIuMTE1ODAxMTkxNUBkZWI2ND4
auth(default): client in: CONT 1 am9uIDViNmE4NDI5ZjUzZTQ3YTEzZmEzNjhiOThlYjI5OTFi
auth(default): sql(jon,127.0.0.1): query: SELECT userid as user, password FROM users WHERE userid = 'jon'
auth(default): password(jon,127.0.0.1): Credentials:
auth(default): cram-md5(jon,127.0.0.1): password mismatch
auth(default): client out: FAIL 1 user=jon
imap-login: Disconnected: user=<jon>, method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, secured

The login + password used for those tests are 'jon'/'jonpwd'. In the second example, I didn't get any Credentials, whereas in the first case (PLAIN scheme), the Credentials output corresponds to the 'dovecotpw' generated password (as in `dovecotpw -s HMAC-MD5 -p jonpwd`). I don't know if it's normal or not.

So, I'm not sure what to do next :/
I use this kind of 'auth mechanism'/'password scheme' on another computer, with passwd-like files, and it works. So, I don't know why the same data, coming from another location, doesn't work.

Any help would be greatly appreciated !
Thanks,

-- Jonathan
Andrey Panin
2006-Sep-12 08:04 UTC
[Dovecot] Using pgsql with 'cram-md5 auth' and 'hmac-md5 scheme'
On Tue, Sep 12, 2006 at 12:13:05AM +0200, Jonathan Ballet wrote:

> Hello,
>
> I want to use PostgreSQL to store my Dovecot users. I setup a very
> basic configuration, following word for word this page
> http://wiki.dovecot.org/DovecotPostgresql and it works ... almost.
>
> In fact, it works if I use PLAIN password scheme in my database.
> However, I would like to store them encrypted.
> But, if I replace the password field for my user with {HMAC-MD5}-...
                                                                 /^\
                                                                  |
Is this '-' just a typo ? It is not needed here.

> (the password generated by dovecotpw), it doesn't work.
>
> [...]
>
> Any help would be greatly appreciated !
> Thanks,
>
> -- Jonathan

-- 
Andrey Panin | Linux and UNIX system administrator
pazke at donpac.ru | PGP key: wwwkeys.pgp.net
Jonathan Ballet
2006-Sep-12 08:13 UTC
[Dovecot] Using pgsql with 'cram-md5 auth' and 'hmac-md5 scheme'
Andrey Panin wrote:

>> But, if I replace the password field for my user with {HMAC-MD5}-...
>                                                                 /^\
>                                                                  |
> Is this '-' just a typo ? It is not needed here.

You're right, this is just a typo, sorry.
John Peacock
2006-Sep-12 13:11 UTC
[Dovecot] Using pgsql with 'cram-md5 auth' and 'hmac-md5 scheme'
Jonathan Ballet wrote:

> In fact, it works if I use PLAIN password scheme in my database.
> However, I would like to store them encrypted.
> But, if I replace the password field for my user with {HMAC-MD5}-...
> (the password generated by dovecotpw), it doesn't work.

It is not possible to use the CRAM-MD5 authentication method unless the server has the password in plaintext. Here's why [1]:

1) The server generates a *one-time* challenge string and sends it to the client;
2) The client responds with the username followed by a digest, which is an HMAC-MD5 hash of the challenge string and the user's password;
3) The server then performs the same HMAC-MD5 hashing of the challenge string it just sent and the plaintext user's password in the database;
4) If and only if the two HMAC-MD5 hashes are equivalent does the authentication succeed.

The problem is you have already hashed the password in the database, but the server does not know what challenge string was used (and unlike crypt, the challenge is not stored as part of the hash). There is no way to do what you want using CRAM-MD5 (it's one of the serious design flaws of that method).

HTH

John

1. http://en.wikipedia.org/wiki/CRAM-MD5

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748