LEVAI Daniel
2010-Nov-01 09:12 UTC
[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"
Hi! I noticed these messages in my logs. It seems that the user checked the "encrypted password" in her outlook or something, and wants NTLM auth. I'm storing all the passwords as SSHA256, and when the user tries to auth, this happens: => dovecot.info auth: Info: password(<username>,<user_ip>): Requested NTLM scheme, but we have only SSHA256 auth: Debug: sql(<username>,<user_ip>): query: SELECT username AS user, password, home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, userdb_import AS userdb_userdb_import FROM userdb WHERE auth_username '<username>' AND login = 'enabled' => dovecot.log auth: Error: sql(<username>,<user_ip>): Multiple password values not supported auth: Panic: file passdb-sql.c: line 113 (sql_query_callback): assertion failed: (password == NULL || scheme != NULL) master: Error: service(auth): child 10679 killed with signal 6 (core not dumped - set service auth { drop_priv_before_exec=yes }) Is this an error condition if I store the password in a different scheme than what user is requesting? Thanks, Daniel -- L?VAI D?niel PGP key ID = 0x83B63A8F Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Shawn Heisey
2010-Nov-01 14:43 UTC
[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"
On 11/1/2010 3:12 AM, LEVAI Daniel wrote:> I noticed these messages in my logs. It seems that the user checked the > "encrypted password" in her outlook or something, and wants NTLM auth. > I'm storing all the passwords as SSHA256, and when the user tries to > auth, this happens:Basically, if you the client doesn't send cleartext and uses a different encryption than the server, you must have the cleartext available on the server side so you can encrypt it for comparison when a user authenticates. Unless you want to use Microsoft's encryption or store cleartext passwords in your database, NTLM will not be an option for you. Cleartext tends to be a very bad idea, and most people who heavily use UNIX or Linux are fundamentally opposed to using something proprietary to Microsoft unless left with no other choice. If they chose NTLM because they are concerned about security, nothing beats TLS and/or SSL with a certificate issued by a trusted authority. Shawn