thr3ads.net - dovecot - Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default [Sep 2018]

If this information is useful, please help other people find it:
Share via:

Keith Amidon

2018-Sep-26 06:12 UTC

Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default

I'm using dovecot version 2.3.2.1 (0719df592) and trying to use the
ARGON2ID crypt scheme for authentication using the passdb passwd-file
driver. My passdb config is very simple:

 ??? passdb {
 ????? driver = passwd-file
 ????? args = username_format=%u <path-to-file-here>
 ??? }

If I generate a password this way:

 ??? doveadm pw -s ARGON2ID -p 'This is a test'

I get a crypt value for the password that I can place in the password
file like:

testuser:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$UuqF25QtumNBe9R2FmUZvA$5avvHY5TIaj5Wl5C4k8BOI4bcmNei7BwPLlXYQVybMc

And if I test authentication with this command:

 ??? doveadm auth login testuser 'This is a test'

It works as shown by the (lightly redacted) log:

 ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: auth client 
connected (pid=55417)
 ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client in: 
AUTH??????? 1??????? PLAIN service=doveadm??????? debug???????
resp=<hidden>
 ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: 
passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file>
 ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client passdb 
out: OK??????? 1??????? user=testuser

However, if I instead specify a non-default number of rounds this way:

 ???? doveadm pw -s ARGON2ID -p 'This is a test' -r 7

and place the result in an entry in the password file like:

testuser:{ARGON2ID}$argon2id$v=19$m=1048576,t=7,p=1$kIhnUR13GrtOvvpbJNJmnQ$o7O6Whxs3s8IE09yY9S2dPkJjJyEVc78GRFilYVS9fU

Then testing authentication using the same command (repeated here):

 ??? doveadm auth login testuser 'This is a test'

then authentication fails, as shown by this (lightly redacted) log:

 ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: auth client 
connected (pid=55557)
 ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: client in: 
AUTH??????? 1??????? PLAIN service=doveadm??????? debug???????
resp=<hidden>
 ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file 
<path-to-passwd-file>: Read 3 users in 0 secs
 ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: 
passwd-file(testuser): lookup: user=testuser file=<path-to-passwd-file>
 ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: passwd-file(testuser): 
Password mismatch
 ??? Sep 25 22:52:07 myhost dovecot[17538]: auth: Debug: client passdb 
out: FAIL??????? 1??????? user=testuser

Experimentation with other values for the -r option has not produced
a value that works for me. Using the exact same procedure but the
BLF-CRYPT scheme, with varying number of rounds, does work.

Am I doing something wrong or is there a bug in either the
doveadm pw generation or the auth evaluation of the password?

I'd like to use ARGON2ID with ~6 rounds if I can make this work.
Any help would be greatly appreciated.

Thanks, Keith

Aki Tuomi

2018-Sep-26 09:42 UTC

head link

Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default

The reason it fails is because auth process runs out of memory and there
is a bug in libsodium which causes it to crash in this scenario. The fix
is to do

service auth {

? vsz_limit = 0 # or 2G at least

}

Aki


On 26.09.2018 09:12, Keith Amidon wrote:> I'm using dovecot version 2.3.2.1 (0719df592) and trying to use the
> ARGON2ID crypt scheme for authentication using the passdb passwd-file
> driver. My passdb config is very simple:
>
> ??? passdb {
> ????? driver = passwd-file
> ????? args = username_format=%u <path-to-file-here>
> ??? }
>
> If I generate a password this way:
>
> ??? doveadm pw -s ARGON2ID -p 'This is a test'
>
> I get a crypt value for the password that I can place in the password
> file like:
>
>
testuser:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$UuqF25QtumNBe9R2FmUZvA$5avvHY5TIaj5Wl5C4k8BOI4bcmNei7BwPLlXYQVybMc
>
>
> And if I test authentication with this command:
>
> ??? doveadm auth login testuser 'This is a test'
>
> It works as shown by the (lightly redacted) log:
>
> ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: auth client
> connected (pid=55417)
> ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client in:
> AUTH??????? 1??????? PLAIN service=doveadm??????? debug???????
> resp=<hidden>
> ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug:
> passwd-file(testuser): lookup: user=testuser
file=<path-to-passwd-file>
> ??? Sep 25 22:46:01 myhost dovecot[17538]: auth: Debug: client passdb
> out: OK??????? 1??????? user=testuser
>
> However, if I instead specify a non-default number of rounds this way:
>
> ???? doveadm pw -s ARGON2ID -p 'This is a test' -r 7
>
> and place the result in an entry in the password file like:
>
>
testuser:{ARGON2ID}$argon2id$v=19$m=1048576,t=7,p=1$kIhnUR13GrtOvvpbJNJmnQ$o7O6Whxs3s8IE09yY9S2dPkJjJyEVc78GRFilYVS9fU
>
>
> Then testing authentication using the same command (repeated here):
>
> ??? doveadm auth login testuser 'This is a test'
>
> then authentication fails, as shown by this (lightly redacted) log:
>
> ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: auth client
> connected (pid=55557)
> ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: client in:
> AUTH??????? 1??????? PLAIN service=doveadm??????? debug???????
> resp=<hidden>
> ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug: passwd-file
> <path-to-passwd-file>: Read 3 users in 0 secs
> ??? Sep 25 22:52:05 myhost dovecot[17538]: auth: Debug:
> passwd-file(testuser): lookup: user=testuser
file=<path-to-passwd-file>
> ??? Sep 25 22:52:05 myhost dovecot[17538]: auth:
> passwd-file(testuser): Password mismatch
> ??? Sep 25 22:52:07 myhost dovecot[17538]: auth: Debug: client passdb
> out: FAIL??????? 1??????? user=testuser
>
> Experimentation with other values for the -r option has not produced
> a value that works for me. Using the exact same procedure but the
> BLF-CRYPT scheme, with varying number of rounds, does work.
>
> Am I doing something wrong or is there a bug in either the
> doveadm pw generation or the auth evaluation of the password?
>
> I'd like to use ARGON2ID with ~6 rounds if I can make this work.
> Any help would be greatly appreciated.
>
> Thanks, Keith
>

Keith Amidon

2018-Sep-27 03:23 UTC

head link

Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default

On 9/26/18 2:42 AM, Aki Tuomi wrote:> The reason it fails is because auth process runs out of memory and there
> is a bug in libsodium which causes it to crash in this scenario. The fix
> is to do
>
> service auth {
>
>  ? vsz_limit = 0 # or 2G at least
>
> }After testing this evening, I can confirm that this did
indeed resolve the problem. Thank you for the quick
response and accurate diagnosis!

Reasonably Related Threads

Search for more apparently analagous threads

dovecot - Sep 2018 - Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default

Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default

Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default

Can't authenticate using ARGON2ID crypt scheme from doveadm pw w/rounds != default

Reasonably Related Threads