Steinar Bang
2008-Sep-12 18:17 UTC
[Dovecot] cram-md5 and users maintaining their own passwords?
Is there any other mechanism than using passwd files with md5-hashed passwords created by dovecotpw that will support cram-md5 authentication?

Has anyone created setups where the passwd databases reside in the individual users' home directories?

Is it possible to persuade dovecotpw to update the passwd databases automatically? Having to use a text editor to paste in the passwords sets a high user threshold on using the cram-md5 authentication mechanism.

Thanx!

- Steinar
Steinar Bang
2008-Sep-12 18:52 UTC
[Dovecot] cram-md5 and users maintaining their own passwords?
>>>>> Steinar Bang <sb at dod.no>:

> Is there any other mechanism than using passwd files with md5-hashed
> passwords created by dovecotpw that will support cram-md5
> authentication?

It would have been really neat if there had been a pam_crammd5.so that worked similarly to pam_smbpass.so, i.e. stored an md5 hash version of the password when it was changed.
Timo Sirainen
2008-Sep-13 10:42 UTC
[Dovecot] cram-md5 and users maintaining their own passwords?
On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:

> Is there any other mechanism than using passwd files with md5-hashed
> passwords created by dovecotpw that will support cram-md5
> authentication?

You can use any "Lookup database" as listed in http://wiki.dovecot.org/PasswordDatabase

> Has anyone created setups where the passwd databases reside in the
> individual users' home directories?

passdb passwd-file {
  passwd-file = /home/%u/dovecot.passwd
}

The performance might not be that great though since it'll have to open a lot of files. Also Dovecot never closes passwd files it has opened, so this method won't work if you have a lot of users (I guess a few hundred is still ok).

> Is it possible to persuade dovecotpw to update the passwd databases
> automatically? Having to use a text editor to paste in the passwords
> sets a high user threshold on using the cram-md5 authentication
> mechanism.

Currently Dovecot is internally able to update passwords only in an SQL database. But dovecotpw can't currently update even that. Maybe some day.
Timo Sirainen
2008-Sep-13 10:43 UTC
[Dovecot] cram-md5 and users maintaining their own passwords?
On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:

> Is it possible to persuade dovecotpw to update the passwd databases
> automatically? Having to use a text editor to paste in the passwords
> sets a high user threshold on using the cram-md5 authentication
> mechanism.

You can of course create your own wrapper script to dovecotpw to do that..
Steinar Bang
2008-Sep-13 12:35 UTC
[Dovecot] cram-md5 and users maintaining their own passwords?
>>>>> Timo Sirainen <tss at iki.fi>:

> On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:
>> Is it possible to persuade dovecotpw to update the passwd databases
>> automatically? Having to use a text editor to paste in the passwords
>> sets a high user threshold on using the cram-md5 authentication
>> mechanism.

> You can of course create your own wrapper script to dovecotpw to do
> that..

That I can, but I wanted to make sure I didn't overlook something. Another thing is that I'd rather avoid making a script be sudo root, if I can (but of course splitting the passwd files would be a way to avoid that).
Steinar Bang
2008-Sep-13 12:48 UTC
[Dovecot] cram-md5 and users maintaining their own passwords?
>>>>> Timo Sirainen <tss at iki.fi>:

> On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:
>> Is there any other mechanism than using passwd files with md5-hashed
>> passwords created by dovecotpw that will support cram-md5
>> authentication?

> You can use any "Lookup database" as listed in
> http://wiki.dovecot.org/PasswordDatabase

But that includes passwd and shadow, and I thought they couldn't be used, even with md5 hashing of the passwords, because the md5 hash used was different to the one of cram-md5? If I can use the normal passwd/shadow of the system, that would be exactly what I want.

>> Has anyone created setups where the passwd databases reside in the
>> individual users' home directories?

> passdb passwd-file {
>   passwd-file = /home/%u/dovecot.passwd
> }

Ok. Thanx.

> The performance might not be that great though since it'll have to
> open a lot of files. Also Dovecot never closes passwd files it has
> opened, so this method won't work if you have a lot of users (I guess
> a few hundred is still ok).

Ok, the machine will only ever serve 3-10 users (it's my home LAN server), so that would probably never be a problem. But if I actually can use the normal passwd of the machine, then all of this is a non-issue.

Thanx!
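
One way to write the dovecotpw wrapper suggested in the thread without sudo, given a passwd file the user owns such as /home/%u/dovecot.passwd. This is an added example, not code from any of the posters or from Dovecot; the function name update_cram_md5 and the DOVECOTPW override variable are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Lets a user refresh the CRAM-MD5 entry in
# a passwd-file they own (e.g. /home/%u/dovecot.passwd), so no sudo is involved.

# Hypothetical override so the wrapper can be exercised without Dovecot installed.
DOVECOTPW=${DOVECOTPW:-dovecotpw}

# update_cram_md5 FILE USER  (hypothetical helper name)
# Runs in a subshell, so its variables do not leak into the caller.
update_cram_md5() (
    file=$1
    user=$2
    prefix='{CRAM-MD5}'

    # A ':' or newline in the name would corrupt the colon-separated file.
    case $user in
        ''|*[!A-Za-z0-9._@-]*) echo "invalid user name" >&2; exit 2 ;;
    esac

    # Without -p, dovecotpw asks for the password itself, so the password
    # never shows up in this script's arguments or in the process list.
    hash=$("$DOVECOTPW" -s CRAM-MD5) || exit 1

    # Accept only "{CRAM-MD5}" followed by 64 lowercase hex digits.
    hex=${hash#"$prefix"}
    case $hex in
        "$hash"|*[!0-9a-f]*) echo "unexpected dovecotpw output" >&2; exit 1 ;;
    esac
    [ "${#hex}" -eq 64 ] || { echo "unexpected hash length" >&2; exit 1; }

    # mktemp creates the file with mode 0600 in the target directory, so the
    # final mv is an atomic replace and the hash is never world-readable.
    tmp=$(mktemp "$file.XXXXXX") || exit 1
    if [ -f "$file" ]; then
        # Keep every entry except the user's old one (exact match, no regex).
        awk -F: -v u="$user" '$1 != u' "$file" > "$tmp" || { rm -f "$tmp"; exit 1; }
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$tmp" || { rm -f "$tmp"; exit 1; }
    mv -f "$tmp" "$file"
)

# Typical call for the per-user layout discussed above:
#   update_cram_md5 "$HOME/dovecot.passwd" "$(id -un)"
```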