thr3ads.net - dovecot - [Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256" [Nov 2010]

If this information is useful, please help other people find it:
Share via:

LEVAI Daniel

2010-Nov-01 09:12 UTC

[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"

Hi!


I noticed these messages in my logs. It seems that the user checked the
"encrypted password" in her outlook or something, and wants NTLM auth.
I'm storing all the passwords as SSHA256, and when the user tries to
auth, this happens:

=> dovecot.info
auth: Info: password(<username>,<user_ip>): Requested NTLM scheme,
but
	we have only SSHA256
auth: Debug: sql(<username>,<user_ip>): query: SELECT username AS
user,
	password, home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid,
	userdb_import AS userdb_userdb_import FROM userdb WHERE auth_username 
'<username>' AND login = 'enabled'

=> dovecot.log
auth: Error: sql(<username>,<user_ip>): Multiple password values not
	supported
auth: Panic: file passdb-sql.c: line 113 (sql_query_callback): assertion
	failed: (password == NULL || scheme != NULL)
master: Error: service(auth): child 10679 killed with signal 6 (core not
	dumped - set service auth { drop_priv_before_exec=yes })


Is this an error condition if I store the password in a different scheme
than what user is requesting?


Thanks,
Daniel

-- 
L?VAI D?niel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F

Shawn Heisey

2010-Nov-01 14:43 UTC

head link

[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"

On 11/1/2010 3:12 AM, LEVAI Daniel wrote:> I noticed these messages in my logs. It seems that the user checked the
> "encrypted password" in her outlook or something, and wants NTLM
auth.
> I'm storing all the passwords as SSHA256, and when the user tries to
> auth, this happens:
Basically, if you the client doesn't send cleartext and uses a different 
encryption than the server, you must have the cleartext available on the 
server side so you can encrypt it for comparison when a user 
authenticates.  Unless you want to use Microsoft's encryption or store 
cleartext passwords in your database, NTLM will not be an option for 
you.  Cleartext tends to be a very bad idea, and most people who heavily 
use UNIX or Linux are fundamentally opposed to using something 
proprietary to Microsoft unless left with no other choice.

If they chose NTLM because they are concerned about security, nothing 
beats TLS and/or SSL with a certificate issued by a trusted authority.

Shawn

Apparently Analagous Threads

Search for more possibly parallel threads

dovecot - Nov 2010 - auth child abort - "Requested NTLM scheme, but we have only SSHA256"

[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"

[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"

Apparently Analagous Threads