Frank Kintrup
2008-Jan-07 22:59 UTC
[Dovecot] Problem with passwords surrounded by curly braces
Hello,

one of my users set his password to something surrounded by curly braces, and promptly all access to his mailbox was refused. After looking through the logs I found an entry "Unknown password scheme xxxx", where "xxxx" is the user's password, but without the curly braces. I then browsed through the documentation and there it was explained that it is possible to prefix the password with the password scheme in curly braces, like "{PLAIN}xxxx" where xxxx is the password itself.

Manually altering the user's password in the database to "{PLAIN}xxxx" (where "xxxx" is the user's password WITH curly braces) fixed this problem for me at this time, but the next time a user chooses such a strange password I would have to edit the table again. So in my opinion the {SCHEME}-prefix is not a useful thing. Why would anyone need it, anyway? Shouldn't all passwords have the same scheme which is set in the dovecot.conf file once?

If the feature is indeed used: with a database lookup it should be replaced by an optional database field or, if that's not possible, it should be possible to disable this feature from the config file.

Frank
Przemyslaw Wegrzyn
2008-Jan-07 23:07 UTC
[Dovecot] Problem with passwords surrounded by curly braces
Frank Kintrup wrote:
> I would have to edit the table again. So in my opinion the {SCHEME}-prefix
> is not a useful thing. Why would anyone need it, anyway? Shouldn't all
> passwords have the same scheme which is set in the dovecot.conf file once?

Sometimes one has to import the user data from some legacy system using a different scheme than the one you'd like to use. Believe me, it is really useful for anyone migrating from legacy systems :)

Przemyslaw
Timo Sirainen
2008-Jan-08 02:05 UTC
[Dovecot] Problem with passwords surrounded by curly braces
On Mon, 2008-01-07 at 23:59 +0100, Frank Kintrup wrote:
> Manually altering the user's password in the database to "{PLAIN}xxxx"
> (where "xxxx" is the user's password WITH curly braces) fixed this problem
> for me at this time, but the next time a user chooses such a strange password
> I would have to edit the table again. So in my opinion the {SCHEME}-prefix
> is not a useful thing. Why would anyone need it, anyway? Shouldn't all
> passwords have the same scheme which is set in the dovecot.conf file once?

Often they are, but there are installations which use multiple schemes. For example, otherwise it would be pretty much impossible to change a scheme for an existing installation.

> If the feature is indeed used: with a database lookup it should be
> replaced by an optional database field or, if that's not possible, it
> should be possible to disable this feature from the config file.

It's possible since v1.0.8. I guess I should write about this to the wiki as well:

    + Authentication: Added "password_noscheme" field that can be used instead
      of "password". "password" treats "{prefix}" as a password scheme while
      "password_noscheme" treats it as part of the password itself. So
      "password_noscheme" should be used if you're storing passwords as
      plaintext. Non-plaintext passwords never begin with "{", so this isn't
      a problem with them.
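To make the behaviour described above concrete, here is a small model written for this thread (it is not Dovecot's own code) of how a stored password string is interpreted when the "{SCHEME}" prefix is honoured (the "password" field) versus taken literally ("password_noscheme"). The function names, the default scheme and the base64-of-raw-digest encoding used for the SHA256 entry are assumptions of the example.

```python
import base64
import hashlib
import hmac

# Constructed model of Dovecot's "{SCHEME}value" convention; not Dovecot code.
# DEFAULT_SCHEME stands in for the scheme configured once in dovecot.conf.
DEFAULT_SCHEME = "PLAIN"


def split_scheme(stored, honour_prefix=True):
    """Return (scheme, value) for a stored password string.

    honour_prefix=True models the "password" field: a leading "{...}" is a
    scheme name.  honour_prefix=False models "password_noscheme": the whole
    string is the password and the configured default scheme applies.
    """
    if honour_prefix and stored.startswith("{") and "}" in stored:
        scheme, value = stored[1:].split("}", 1)
        return scheme.upper(), value
    return DEFAULT_SCHEME, stored


def verify(stored, candidate, honour_prefix=True):
    """True if candidate matches stored; ValueError for an unknown scheme,
    which is the situation behind the "Unknown password scheme" log line."""
    scheme, value = split_scheme(stored, honour_prefix)
    if scheme == "PLAIN":
        return hmac.compare_digest(value.encode(), candidate.encode())
    if scheme == "SHA256":
        digest = hashlib.sha256(candidate.encode()).digest()
        return hmac.compare_digest(base64.b64decode(value), digest)
    raise ValueError("Unknown password scheme %s" % scheme)


def sha256_stored(password):
    """Build a hashed entry; its body is base64, so it never starts with "{"
    and the prefix stays unambiguous even for a password like "{weird}pw"."""
    digest = hashlib.sha256(password.encode()).digest()
    return "{SHA256}" + base64.b64encode(digest).decode()


if __name__ == "__main__":
    pw = "{weird}pw"                      # a user-chosen password with braces
    print(verify("{PLAIN}" + pw, pw))     # explicit scheme: True
    print(verify(pw, pw, honour_prefix=False))  # password_noscheme: True
    print(verify(sha256_stored(pw), pw))  # hashed entry: True
```

Running the first call with honour_prefix=True on the bare "{weird}pw" reproduces the failure from the original report: the parser reads "WEIRD" as the scheme and rejects the login instead of comparing the password.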
Benjamin R. Haskell
2008-Jan-08 04:38 UTC
[Dovecot] Problem with passwords surrounded by curly braces
On Mon, 7 Jan 2008, Frank Kintrup wrote:
> Hello,
>
> one of my users set his password to something surrounded by curly braces,
> and promptly all access to his mailbox was refused. After looking through
> the logs I found an entry "Unknown password scheme xxxx", where "xxxx"
> is the user's password, but without the curly braces.
> I then browsed through the documentation and there it was explained that it
> is possible to prefix the password with the password scheme in curly
> braces, like "{PLAIN}xxxx" where xxxx is the password itself.
>
> Manually altering the user's password in the database to "{PLAIN}xxxx"
> (where "xxxx" is the user's password WITH curly braces) fixed this problem
> for me at this time, but the next time a user chooses such a strange password
> I would have to edit the table again. So in my opinion the {SCHEME}-prefix
> is not a useful thing. Why would anyone need it, anyway? Shouldn't all
> passwords have the same scheme which is set in the dovecot.conf file once?
>
> If the feature is indeed used: with a database lookup it should be
> replaced by an optional database field or, if that's not possible, it
> should be possible to disable this feature from the config file.
>
>
> Frank

Regardless of how secure your password file/database might be, it seems like a bad idea to enter users' passwords in plain text. Use something else. With the other schemes it's at least a huge annoyance for an attacker to recover a password. But you can still easily set the passwords to known values as an administrator. (That's the whole point of a one-way hash like 'crypt' or 'MD5'.)

Best,
Ben