Hi, everyone,

1. As advised in Debugging Authentication, I turned on auth_debug and auth_debug_passwords, and now in the mail log I get an additional message:

dovecot: auth: passwd(xxx,xxx,<40AjQMFHSLVLGJAC>): invalid password field '*'

Of course neither the password I tried nor the actual password was '*'. That's what's in /etc/passwd, but dovecot isn't just using that, is it?

2. In the new debug log, I get:

dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
dovecot: auth: Debug: auth client connected (pid=3183)
dovecot: auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=RFp0lMFHHotLGJAC lip=xxx rip=xxx lport=110 rport=35614
dovecot: auth: Debug: client passdb out: CONT 1
dovecot: auth: Debug: client in: CONT<hidden>
dovecot: auth: Debug: passwd(xxx,xxx,<RFp0lMFHHotLGJAC>): lookup
dovecot: auth: Debug: client passdb out: FAIL 1 user=xxx user_disabled

So it's something with passdb?

3. In TestPop3Installation I can't get past the "Check that it's allowing remote logins" section. telnet gives me an error:

-ERR [AUTH] Authentication failed.

which I expect, because I have telnet turned off. Does that mean I can't use plaintext authentication?

Thanks,
Bob

On Saturday, February 4, 2017 8:37 AM, "drbobllc at yahoo.com" <drbobllc at yahoo.com> wrote:

And thanks for the link to that Troubleshooting section. I didn't know that was there and will take a look at it now.
On 5 February 2017 06:55:34 CET, drbobllc at yahoo.com wrote:
>Hi, everyone,
>1. As advised in Debugging Authentication, I turned on auth_debug and
>auth_debug_passwords, and now in the mail log I get an additional
>message:
>dovecot: auth: passwd(xxx,xxx,<40AjQMFHSLVLGJAC>): invalid password
>field '*'
>Of course neither the password I tried nor the actual password was '*'.
>That's what's in /etc/passwd, but dovecot isn't just using that, is it?

The '*' in passwd password field stands for login disabled. See man 5 passwd or http://www.manpages.info/freebsd/passwd.5.html

>2. In the new debug log, I get:
>dovecot: auth: Debug: Loading modules from directory:
>/usr/local/lib/dovecot/auth
>dovecot: auth: Debug: Read auth token secret from
>/var/run/dovecot/auth-token-secret.dat
>dovecot: auth: Debug: auth client connected (pid=3183)
>dovecot: auth: Debug: client in: AUTH 1 PLAIN service=pop3
>session=RFp0lMFHHotLGJAC lip=xxx rip=xxx lport=110
>rport=35614
>dovecot: auth: Debug: client passdb out: CONT 1
>dovecot: auth: Debug: client in: CONT<hidden>
>dovecot: auth: Debug: passwd(xxx,xxx,<RFp0lMFHHotLGJAC>): lookup
>dovecot: auth: Debug: client passdb out: FAIL 1 user=xxx
>user_disabled
>
>So it's something with passdb?
>
>3. In TestPop3Installation I can't get past the "Check that it's
>allowing remote logins" section. telnet gives me an error:
>
>-ERR [AUTH] Authentication failed.
>
>
>which I expect, because I have telnet turned off. Does that mean I
>can't use plaintext authentication?

This is probably because the user's login is disabled.

In one of your provided log outputs you are trying to login as user 'www'. Why? The webserver user has the login normally disabled.

--
Christian Kivalo

>Thanks,
>Bob
>
>On Saturday, February 4, 2017 8:37 AM, "drbobllc at yahoo.com"
><drbobllc at yahoo.com> wrote:
>
>And thanks for the link to that Troubleshooting section. I didn't know
>that was there and will take a look at it now.
>
1. The man page I get is slightly different:

% man 5 passwd
PASSWD(5)                 FreeBSD File Formats Manual                PASSWD(5)

NAME
     passwd, master.passwd -- format of the password file

DESCRIPTION
     The passwd files are the local source of password information.  They can
     be used in conjunction with the Hesiod domains `passwd' and `uid', and
     the NIS maps `passwd.byname', `passwd.byuid', `master.passwd.byname', and
     `master.passwd.byuid', as controlled by nsswitch.conf(5).

     For consistency, none of these files should ever be modified manually.

     The master.passwd file is readable only by root, and consists of newline
     separated records, one per user, containing ten colon (`:') separated
     fields.  These fields are as follows:

     [...]

     The passwd file is generated from the master.passwd file by pwd_mkdb(8),
     has the class, change, and expire fields removed, and the password field
     replaced by a `*' character.

     [...]

     In the master.passwd file, the password field is the encrypted form of
     the password, see crypt(3).  If the password field is empty, no password
     will be required to gain access to the machine.  This is almost invari-
     ably a mistake, so authentication components such as PAM can forcibly
     disallow remote access to passwordless accounts.  Because this file con-
     tains the encrypted user passwords, it should not be readable by anyone
     without appropriate privileges.

     A password of `*' indicates that password authentication is disabled for
     that account (logins through other forms of authentication, e.g., using
     ssh(1) keys, will still work).  The field only contains encrypted pass-
     words, and `*' can never be the result of encrypting a password.

Do I need to tell dovecot to check master.passwd instead of passwd?

2. Is my (simple) passdb OK?

passdb {
  args = blocking=no
  driver = passwd
}

I guess it would be easy to try it without the "args" line.

4. Sometimes I log in as www to do web page stuff, so files are owned by www. www has a shell, and a password, and can ssh fine.

Thanks for your help!
Bob

On Sunday, February 5, 2017 2:58 AM, Christian Kivalo <ml+dovecot at valo.at> wrote:

>dovecot: auth: passwd(xxx,xxx,<40AjQMFHSLVLGJAC>): invalid password
>field '*'

The '*' in passwd password field stands for login disabled. See man 5 passwd or http://www.manpages.info/freebsd/passwd.5.html

>-ERR [AUTH] Authentication failed.

This is probably because the user's login is disabled.

In one of your provided log outputs you are trying to login as user 'www'. Why? The webserver user has the login normally disabled.
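
Added example, not part of the thread and not Dovecot code: the passwd(5) text quoted above says passwd is generated from master.passwd with the class, change and expire fields removed and the password field replaced by `*`. The Python below applies that rule to constructed records to show that anything reading passwd sees `*` for every account, whatever master.passwd holds; the field names follow FreeBSD passwd(5), while the sample data and function names are made up for the illustration.

```python
# Added illustration; field names follow FreeBSD passwd(5), data is constructed.
MASTER_FIELDS = ["name", "password", "uid", "gid", "class", "change",
                 "expire", "gecos", "home_dir", "shell"]
PASSWD_FIELDS = ["name", "password", "uid", "gid", "gecos", "home_dir", "shell"]

# Constructed master.passwd records (hash strings are placeholders, not real hashes).
SAMPLE_MASTER = """\
# constructed sample
www:$6$examplesalt$placeholderhash:80:80::0:0:World Wide Web Owner:/nonexistent:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
guest::1001:1001::0:0:Passwordless account:/home/guest:/bin/sh
"""


def parse_master(text):
    """Parse master.passwd text into dicts; reject records without ten fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(MASTER_FIELDS):
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(parts)}")
        records.append(dict(zip(MASTER_FIELDS, parts)))
    return records


def classify(password_field):
    """Interpret a password field the way passwd(5) describes it."""
    if password_field == "":
        return "no password required"
    if password_field == "*":
        return "password authentication disabled"
    return "encrypted password present"


def to_passwd_line(record):
    """Derive the passwd record: drop class/change/expire, mask the password."""
    public = dict(record, password="*")
    return ":".join(public[f] for f in PASSWD_FIELDS)


def audit(text):
    """Return (name, meaning in master.passwd, meaning a passwd reader infers)."""
    return [(r["name"], classify(r["password"]),
             classify(to_passwd_line(r).split(":")[1]))
            for r in parse_master(text)]


if __name__ == "__main__":
    for name, in_master, in_passwd in audit(SAMPLE_MASTER):
        print(f"{name:8} master.passwd: {in_master:28} passwd: {in_passwd}")
```
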
If you want things done as a disabled user use su with the -c switch. For example to simulate a cgi request from outside I do:

su www-data -c /cgi-bin/getnewimages.cgi

the www-data user is the user that runs scripts.
..

On 05/02/2017 05:58, "Christian Kivalo" <ml+dovecot at valo.at> wrote:
>
>
> On 5 February 2017 06:55:34 CET, drbobllc at yahoo.com wrote:
> >Hi, everyone,
> >1. As advised in Debugging Authentication, I turned on auth_debug and
> >auth_debug_passwords, and now in the mail log I get an additional
> >message:
> >dovecot: auth: passwd(xxx,xxx,<40AjQMFHSLVLGJAC>): invalid password
> >field '*'
> >Of course neither the password I tried nor the actual password was '*'.
> >That's what's in /etc/passwd, but dovecot isn't just using that, is it?
> The '*' in passwd password field stands for login disabled. See man 5
> passwd or http://www.manpages.info/freebsd/passwd.5.html
>
>
> >2. In the new debug log, I get:
> >dovecot: auth: Debug: Loading modules from directory:
> >/usr/local/lib/dovecot/auth
> >dovecot: auth: Debug: Read auth token secret from
> >/var/run/dovecot/auth-token-secret.dat
> >dovecot: auth: Debug: auth client connected (pid=3183)
> >dovecot: auth: Debug: client in: AUTH 1 PLAIN service=pop3
> >session=RFp0lMFHHotLGJAC lip=xxx rip=xxx lport=110
> >rport=35614
> >dovecot: auth: Debug: client passdb out: CONT 1
> >dovecot: auth: Debug: client in: CONT<hidden>
> >dovecot: auth: Debug: passwd(xxx,xxx,<RFp0lMFHHotLGJAC>): lookup
> >dovecot: auth: Debug: client passdb out: FAIL 1 user=xxx
> >user_disabled
> >
> >So it's something with passdb?
> >
> >3. In TestPop3Installation I can't get past the "Check that it's
> >allowing remote logins" section. telnet gives me an error:
> >
> >-ERR [AUTH] Authentication failed.
> >
> >
> >which I expect, because I have telnet turned off. Does that mean I
> >can't use plaintext authentication?
> This is probably because the user's login is disabled.
>
> In one of your provided log outputs you are trying to login as user
> 'www'. Why? The webserver user has the login normally disabled.
>
> --
> Christian Kivalo
>
> >Thanks,
> >Bob
> >
> >On Saturday, February 4, 2017 8:37 AM, "drbobllc at yahoo.com"
> ><drbobllc at yahoo.com> wrote:
> >
> >And thanks for the link to that Troubleshooting section. I didn't know
> >that was there and will take a look at it now.
> >
>