Keith Amidon
2018-Sep-26 06:12 UTC
Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default
I'm using dovecot version 2.3.2.1 (0719df592) and trying to use the ARGON2ID crypt scheme for authentication using the passdb passwd-file driver. My passdb config is very simple: ??? passdb { ????? driver = passwd-file ????? args = username_format=%u <path-to-file-here> ??? } If I generate a password this way: ??? doveadm pw -s ARGON2ID -p 'This is a test' I get a crypt value for the password that I can place in the password file like: testuser:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$UuqF25QtumNBe9R2FmUZvA$5avvHY5TIaj5Wl5C4k8BOI4bcmNei7BwPLlXYQVybMc And if I test authentication with this command: ??? doveadm auth login testuser 'This is a test' It works as shown by the (lightly redacted) log: ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: auth client connected (pid=55417) ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client in: AUTH??????? 1??????? PLAIN service=doveadm??????? debug??????? resp=<hidden> ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file> ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client passdb out: OK??????? 1??????? user=testuser However, if I instead specify a non-default number of rounds this way: ???? doveadm pw -s ARGON2ID -p 'This is a test' -r 7 and place the result in an entry in the password file like: testuser:{ARGON2ID}$argon2id$v=19$m=1048576,t=7,p=1$kIhnUR13GrtOvvpbJNJmnQ$o7O6Whxs3s8IE09yY9S2dPkJjJyEVc78GRFilYVS9fU Then testing authentication using the same command (repeated here): ??? doveadm auth login testuser 'This is a test' then authentication fails, as shown by this (lightly redacted) log: ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: auth client connected (pid=55557) ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: client in: AUTH??????? 1??????? PLAIN service=doveadm??????? debug??????? resp=<hidden> ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file <path-to-passwd-file>: Read 3 users in 0 secs ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file> ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: passwd-file(testuser): Password mismatch ??? Sep 25 22:52:07 myhost dovecot[17538]: auth: Debug: client passdb out: FAIL??????? 1??????? user=testuser Experimentation with other values for the -r option has not produced a value that works for me. Using the exact same procedure but the BLF-CRYPT scheme, with varying number of rounds, does work. Am I doing something wrong or is there a bug in either the doveadm pw generation or the auth evaluation of the password? I'd like to use ARGON2ID with ~6 rounds if I can make this work. Any help would be greatly appreciated. Thanks, Keith
Aki Tuomi
2018-Sep-26 09:42 UTC
Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default
The reason it fails is because auth process runs out of memory and there is a bug in libsodium which causes it to crash in this scenario. The fix is to do service auth { ? vsz_limit = 0 # or 2G at least } Aki On 26.09.2018 09:12, Keith Amidon wrote:> I'm using dovecot version 2.3.2.1 (0719df592) and trying to use the > ARGON2ID crypt scheme for authentication using the passdb passwd-file > driver. My passdb config is very simple: > > ??? passdb { > ????? driver = passwd-file > ????? args = username_format=%u <path-to-file-here> > ??? } > > If I generate a password this way: > > ??? doveadm pw -s ARGON2ID -p 'This is a test' > > I get a crypt value for the password that I can place in the password > file like: > > testuser:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$UuqF25QtumNBe9R2FmUZvA$5avvHY5TIaj5Wl5C4k8BOI4bcmNei7BwPLlXYQVybMc > > > And if I test authentication with this command: > > ??? doveadm auth login testuser 'This is a test' > > It works as shown by the (lightly redacted) log: > > ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: auth client > connected (pid=55417) > ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client in: > AUTH??????? 1??????? PLAIN service=doveadm??????? debug??????? > resp=<hidden> > ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: > passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file> > ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client passdb > out: OK??????? 1??????? user=testuser > > However, if I instead specify a non-default number of rounds this way: > > ???? doveadm pw -s ARGON2ID -p 'This is a test' -r 7 > > and place the result in an entry in the password file like: > > testuser:{ARGON2ID}$argon2id$v=19$m=1048576,t=7,p=1$kIhnUR13GrtOvvpbJNJmnQ$o7O6Whxs3s8IE09yY9S2dPkJjJyEVc78GRFilYVS9fU > > > Then testing authentication using the same command (repeated here): > > ??? doveadm auth login testuser 'This is a test' > > then authentication fails, as shown by this (lightly redacted) log: > > ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: auth client > connected (pid=55557) > ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: client in: > AUTH??????? 1??????? PLAIN service=doveadm??????? debug??????? > resp=<hidden> > ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file > <path-to-passwd-file>: Read 3 users in 0 secs > ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: > passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file> > ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: > passwd-file(testuser): Password mismatch > ??? Sep 25 22:52:07 myhost dovecot[17538]: auth: Debug: client passdb > out: FAIL??????? 1??????? user=testuser > > Experimentation with other values for the -r option has not produced > a value that works for me. Using the exact same procedure but the > BLF-CRYPT scheme, with varying number of rounds, does work. > > Am I doing something wrong or is there a bug in either the > doveadm pw generation or the auth evaluation of the password? > > I'd like to use ARGON2ID with ~6 rounds if I can make this work. > Any help would be greatly appreciated. > > Thanks, Keith >
Keith Amidon
2018-Sep-27 03:23 UTC
Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default
On 9/26/18 2:42 AM, Aki Tuomi wrote:> The reason it fails is because auth process runs out of memory and there > is a bug in libsodium which causes it to crash in this scenario. The fix > is to do > > service auth { > > ? vsz_limit = 0 # or 2G at least > > }After testing this evening, I can confirm that this did indeed resolve the problem. Thank you for the quick response and accurate diagnosis!
Seemingly Similar Threads
- Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default
- Auth-worker, unknown scheme ARGON2ID
- Auth-worker, unknown scheme ARGON2ID
- Sieve/pigeonhole rejects email addresses for valid UNIX users
- generating secure ARGON2ID passwords