Steffen Kaiser
2016-Jun-24 10:33 UTC
exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ?
Hi,

I'm using Dovecot v2.2 with

unix_listener auth-client {
}

to verify passwords for a different service. However, it looks like auth_failure_delay affects all connects going through that socket.

I mean:

connect /var/run/dovecot2.2/auth-client
attempt bad auth
2s penalty
NO
disconnect
==> Note, it's another connection almost immediately following each
connect /var/run/dovecot2.2/auth-client
attempt good auth
2s penalty
OK
disconnect

Can I disable auth_failure_delay for local UNIX sockets?
How do I add it to login_trusted_networks?

--
Steffen Kaiser
Timo Sirainen
2016-Jun-28 21:32 UTC
exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ?
On 24 Jun 2016, at 13:33, Steffen Kaiser <skdovecot at smail.inf.fh-brs.de> wrote:
>
> Hi,
>
> I'm using Dovecot v2.2 with unix_listener auth-client {
> } to verify passwords for a different service. However, it looks like auth_failure_delay affects all connects going through that socket.
>
> I mean:
>
> connect /var/run/dovecot2.2/auth-client
> attempt bad auth
> 2s penalty
> NO
> disconnect
> ==> Note, it's another connection almost immediately following each
> connect /var/run/dovecot2.2/auth-client
> attempt good auth
> 2s penalty
> OK
> disconnect
>
> Can I disable auth_failure_delay for local UNIX sockets?
> How do I add it to login_trusted_networks?

If you add the no-penalty parameter to the AUTH command, you avoid the penalty.
Steffen Kaiser
2016-Jun-29 06:19 UTC
[Solved] Re: exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ?
On Wed, 29 Jun 2016, Timo Sirainen wrote:
> On 24 Jun 2016, at 13:33, Steffen Kaiser <skdovecot at smail.inf.fh-brs.de> wrote:
>>
>> I'm using Dovecot v2.2 with unix_listener auth-client {
>> } to verify passwords for a different service. However, it looks like auth_failure_delay affects all connects going through that socket.
>>
>> I mean:
>>
>> connect /var/run/dovecot2.2/auth-client
>> attempt bad auth
>> 2s penalty
>> NO
>> disconnect
>> ==> Note, it's another connection almost immediately following each
>> connect /var/run/dovecot2.2/auth-client
>> attempt good auth
>> 2s penalty
>> OK
>> disconnect
>>
>> Can I disable auth_failure_delay for local UNIX sockets?
>> How do I add it to login_trusted_networks?
>
> If you add the no-penalty parameter to the AUTH command, you avoid the penalty.

Oh, I missed the doc when I grepped for "penalty" in the source tree. For the archive, it's documented in the wiki Design/AuthProtocol.

It seems to work like a charm. Thank you.

--
Steffen Kaiser
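
Added example, not part of the thread and not Dovecot's own code: a minimal Python client for the auth-client socket that sends AUTH with the no-penalty parameter, following the line format of the Design/AuthProtocol wiki page. The service name `example`, the user and the password are constructed placeholders, and passing `secured` for a local UNIX socket is an assumption about the setup.

```python
import base64
import os
import socket

AUTH_SOCKET = "/var/run/dovecot2.2/auth-client"  # path quoted in the thread

def build_auth_line(req_id, user, password, service, no_penalty=True):
    """Return one TAB-separated AUTH request line using the PLAIN mechanism."""
    if any(c in service for c in "\t\r\n") or "\0" in user + password:
        raise ValueError("separator character in auth field")
    resp = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    fields = ["AUTH", str(req_id), "PLAIN", f"service={service}", "secured"]
    if no_penalty:
        # Skips penalty tracking for this request only, so throttle repeated
        # failures in the calling service instead.
        fields.append("no-penalty")
    fields.append(f"resp={resp}")  # resp= must be the last parameter
    return "\t".join(fields) + "\n"

def parse_reply(line, req_id):
    """Split an 'OK|FAIL|CONT <id> [params]' reply and check the request id."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 2 or fields[1] != str(req_id):
        raise ValueError(f"unexpected auth reply: {line!r}")
    return fields[0], fields[2:]

def check_password(conn, user, password, service="example", req_id=1):
    """Run the handshake plus one AUTH on a connected socket; True on OK."""
    rfile = conn.makefile("r", encoding="utf-8", newline="\n")
    conn.sendall(f"VERSION\t1\t1\nCPID\t{os.getpid()}\n".encode())
    while True:  # skip the server handshake (VERSION, MECH, ...) up to DONE
        line = rfile.readline()
        if not line:
            raise ConnectionError("auth server closed during handshake")
        if line.rstrip("\n") == "DONE":
            break
    conn.sendall(build_auth_line(req_id, user, password, service).encode())
    status, _params = parse_reply(rfile.readline(), req_id)
    return status == "OK"

if __name__ == "__main__":
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(AUTH_SOCKET)
        print(check_password(s, "alice", "constructed-password"))
```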