Jesús Ángel del Pozo Domínguez
2021-Jun-17 10:00 UTC
Multiple non-plaintext mechanisms using multiple passdbs.
Hi there,
Although I have set up TLS in my Dovecot installation, I would like to
also set up some non-plaintext authentication mechanism, specifically
CRAM-MD5 and SCRAM-SHA-1.
As I read in the documents, "The problem with non-plaintext auth
mechanisms is that the password must be stored either in plaintext, or
using a mechanism-specific scheme that?s incompatible with all other
non-plaintext mechanisms".
I will not be storing the user's passwords in plaintext, so I will have
to use different mechanism-specific hash schemes. I was wondering
whether it would be possible to have several auth databases, one for
each non-plaintext mechanism. Well, in reality, I will have just one
database with multiple hashes: SHA512-CRYPT, CRAM-MD5 and SCRAM-SHA-1
but then I am going to set up three different passdb instances in
dovecot, each one with its own SQL configuration.
For example:
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql-plain.conf.ext
}
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql-cram-md5.conf.ext
}
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql-scram-sha-1.conf.ext
}
Most users would use TLS and PLAIN as authentication mechanism so the
last two password databases will not be used at all. However, those
users using CRAM-MD5 or SCRAM-SHA-1 would try the other databases.
My users table would be somewhat like this:
CREATE TABLE users (
username VARCHAR(128) NOT NULL,
domain VARCHAR(128) NOT NULL,
password VARCHAR(77) NOT NULL,
password_cram_md5 VARCHAR(74) NOT NULL,
password_scram_sha_1 VARCHAR(100) NOT NULL,
home VARCHAR(255) NOT NULL,
uid INTEGER NOT NULL,
gid INTEGER NOT NULL,
active CHAR(1) DEFAULT 'Y' NOT NULL
);
username: foo at bar.com
domain: bar.com
password: {SHA512-CRYPT}$6$Mih5.y90z...CqxX2LxfMJMqoC42NvBK1
password_cram_md5: {CRAM-MD5}a457...2a74f63442e7473e9576cf2e
password_scram_sha_1: {SCRAM-SHA-1}4096,4...9AYjadouwXqiqc3UM
Obviously, the SQL query in each dovecot-sql-....ext file would be
different. For instance:
/etc/dovecot/dovecot-sql-plain.conf.ext
default_pass_scheme = SHA512-CRYPT
password_query = \
SELECT username, domain, password, home AS userdb_home, uid AS
userdb_uid FROM users WHERE username = '%n' AND domain = '%d'
/etc/dovecot/dovecot-sql-cram-md5.conf.ext
default_pass_scheme = CRAM-MD5
password_query = \
SELECT username, domain, password_cram_md5 AS password, home AS
userdb_home, uid AS userdb_uid FROM users WHERE username = '%n' AND
domain = '%d'
/etc/dovecot/dovecot-sql-scram-sha-1.conf.ext
default_pass_scheme = SCRAM-SHA-1
password_query = \
SELECT username, domain, password_scram_sha_1 AS password, home AS
userdb_home, uid AS userdb_uid FROM users WHERE username = '%n' AND
domain = '%d'
Could you please tell me whether this set up would work? Do you believe
is worth the complexity or maybe I had better keep it more simple and
use just PLAIN auth with TLS?
Cheers,
Jes?s ?ngel
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20210617/44aaf2b4/attachment.html>