Displaying 20 results from an estimated 42 matches for "auth_policy_hash_nonc".
2017 Aug 02
4
Auth Policy Server/wforce/weakforced
...ilable for the (probably trivial)
configuration needed for Dovecot and Wforce? I'm probably missing
something that should be perfectly obvious...
Wforce appears to start without errors. I added a file to dovecot's conf.d:
95-policy.conf:
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = this_is_my_super_secret_something
Looking at the Wforce console I see:
WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web
Authentication failed
In wforce.conf I have the (default):
webserver("0.0.0.0:8084", "--WEBPWD")
Do I need to change the "--...
2019 Jan 16
2
Dovecot + Weakforced Policy server
Hi Aki,
I've configured in this way:
vm-weakforced:~# printf 'wforce:super' | base64
d2ZvcmNlOnN1cGVy
vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy
With the same result...
> WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web
Authentication failed
WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web
Authe...
2019 May 13
2
dovecot 2.2.36 and wforce
...h a
wforce daemon on the remote side. wforce is latest released from git
repo. Daemon part is working and I can successfully send queries from
remote systems to wforce via curl
For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf
> auth_policy_server_url = http://REMOTE_IP:8084/
> auth_policy_hash_nonce = my_random
> auth_policy_server_api_header = Authorization: Basic <BASE64 of
wforce:my_password>
> auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
restarted dovecot without errors, but upon testin...
2019 Jan 16
2
Dovecot + Weakforced Policy server
...log in policy
server. This is the config:
/root/weakforced/wforce/wforce.conf
-----------------------------------
...
webserver("0.0.0.0:8084", "super")
...
/etc/dovecot/conf.d/95-policy.conf
----------------------------------
auth_policy_server_url = http://localhost:8084/
#auth_policy_hash_nonce = wforce:super
auth_policy_hash_nonce =
{SHA256-CRYPT}$5$Ue5UrToV.Bam02bQ$Bi9OJ62Mkgc20L2HnLVmD2OCHyXaKje6Hh7qNjnOkB9
I'm following the instructions of Dovecot's wiki:
https://wiki.dovecot.org/Authentication/Policy
...
"To generate the hash, you concatenate nonce, login name, nil by...
2019 Jan 16
0
Dovecot + Weakforced Policy server
....info> wrote:
>
>
> Hi Aki,
>
> I've configured in this way:
>
> vm-weakforced:~# printf 'wforce:super' | base64
> d2ZvcmNlOnN1cGVy
>
> vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = some random string
> auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy
>
> With the same result...
>
> > WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web
> Authentication failed
> WforceWebserver: HTTP Request "/"...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
I took suggestions from https://forge.puppet.com/fraenki/wforce to set
these in /etc/dovecot/conf.d/95-auth.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = our_password
auth_policy_server_api_header = "Authorization: Basic
hash_from_running_echo-n_base64"
auth_policy_server_timeout_msecs = 2000
auth_policy_hash_mech = sha256
auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{cl...
2016 Dec 02
6
CVE-2016-8562 in dovecot
We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
and
https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...running on Fedora 29. I'd like to
test wforce, from https://github.com/PowerDNS/weakforced.
I see instructions at the Authentication policy support page,
https://wiki2.dovecot.org/Authentication/Policy
I see the Required Minimum Configuration:
auth_policy_server_url = http://example.com:4001/
auth_policy_hash_nonce = localized_random_string
But when I search for these directives, they're not found:
grep auth_policy_server_url /etc/dovecot/conf.d/*
Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does
anyone know of a good tutorial?
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
wforce is the username always.
auth_policy_hash_nonce should be set to a pseudorandom value that is
shared by your server(s). Weakforced does not need it for anything.
auth_policy_server_api_header should be set to Authorization: Basic
<echo -n wforce:our_password | base64>
without the < >.
Aki
On 6.3.2019 20.42, Robert Kudyba via dov...
2019 Jan 16
0
Dovecot + Weakforced Policy server
Hi!
You configure it like this:
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOkJydHpUNlRuTkZ4UUU="
the authorization blob is basically
printf 'wforce:super' | base64
Aki
> On 16 January 2019 at 10:06 alberto bersol <alberto at bersol.info> wrote:
>
>
>...
2019 Mar 07
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...","pwhash":"68","remote":"127.0.0.1","success":true,"policy_reject":false,"tls":false}
> On Mar 7, 2019, at 2:42 AM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>
> wforce is the username always.
>
> auth_policy_hash_nonce should be set to a pseudorandom value that is shared by your server(s). Weakforced does not need it for anything.
>
> auth_policy_server_api_header should be set to Authorization: Basic <echo -n wforce:our_password | base64>
>
> without the < >.
> Aki
> On 6.3.2019...
2019 Aug 02
3
auth-policy crashing
...D 702911 mail.error] auth: Error:
AAAAAAAAAAAAAAAAAAAAAAAAAAAA context->request == NULL
...so context->result is not null before the call (no 222) to
i_stream_unref but is after.
dovecot.conf has:
auth_policy_server_url = http://policyserver.lan/
auth_policy_server_timeout_msecs = 3000
auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia
auth_policy_request_attributes = remote=%{rip}
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
To simplify the problem I used a dummy policy server, in nginx.conf:
location / {
default_ty...
2016 Dec 03
2
CVE-2016-8652 in dovecot
> On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" <jeremiah at jeremiahfoster.com> wrote:
>
>
> On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
> > On 03/12/2016 12:08, Jeremiah C. Foster wrote:
> >
> > > On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
> > > On 02.12.2016 10:45, Jonas Wielicki wrote: On Freitag, 2.
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
...e":"127.0.0.1","success":true,"policy_reject":false,"tls":false}
>
>
>
>
> > On Mar 7, 2019, at 2:42 AM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> >
> >
> > wforce is the username always.
> > auth_policy_hash_nonce should be set to a pseudorandom value that is shared by your server(s). Weakforced does not need it for anything.
> > auth_policy_server_api_header should be set to Authorization: Basic <echo -n wforce:our_password | base64>
> > without the < >.
> >
> > Aki
>...
2020 Aug 19
3
sieve_max_script_size is ignored
...# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.4.44-2-pve x86_64 Debian 10.4
# Hostname: mail.xxx.xxx
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_check_before_auth = no
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
auth_policy_server_url = http://127.0.0.1:8090/
dict {
acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = n...
2020 Feb 17
1
Shared Mailboxes with Multiple Domains
...>
># 2.3.9.3 (9f41b88fa): /usr/local/etc/dovecot/dovecot.conf
># Pigeonhole version 0.5.9 (db4e9a2f)
># OS: Linux 5.3.0-28-generic x86_64 Ubuntu 18.04.4 LTS
># Hostname: bubba.amfes.lan
>auth_cache_size = 4 k
>auth_master_user_separator = *
>auth_mechanisms = plain login
>auth_policy_hash_nonce = # hidden, use -P to show it
>auth_policy_hash_truncate = 8
>auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOnVsdHJhLXNlY3JldC1zZWN1cmUtc2FmZQ
>default_login_user = nobody
>default_vsz_limit = 2 G
>disable_plaintext_auth = no
>imap_client_workarounds = tb-extra-mai...
2016 Dec 02
0
CVE-2016-8562 in dovecot
...e.
> This can be done by commenting out all auth_policy_* settings.
Hello,
could you be more verbose on how to verify if administrators are affected?
# doveconf -n | grep auth_policy_ | wc -l
0
but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
Is such setup vulnerable?
Than...
2016 Dec 03
0
CVE-2016-8652 in dovecot
...am affected,
and if I am affected to mitigate or patch the problem.
In this thread there was a discussion about checking via the doveconf
tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best
approach?
Then I imagine I need to check "the critical values
auth_policy_server_url and auth_policy_hash_nonce" to see if those are
set. If they are set what does one do? I guess that question is better
asked once I've determined that I'm affected.
Thanks,
Jeremiah
>
> Aki
2017 Aug 03
0
Auth Policy Server/wforce/weakforced
...vial) configuration needed for Dovecot and Wforce? I'm probably missing something that should be perfectly obvious...
>
> Wforce appears to start without errors. I added a file to dovecot's conf.d:
>
> 95-policy.conf:
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = this_is_my_super_secret_something
>
> Looking at the Wforce console I see:
>
> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web Authentication failed
>
> In wforce.conf I have the (default):
>
> webserver("0.0.0.0:8084", "--WEBPWD"...
2017 Aug 04
0
Auth Policy Server/wforce/weakforced
...ng
>>> something that should be perfectly obvious...
>>>
>>> Wforce appears to start without errors. I added a file to dovecot's
>>> conf.d:
>>>
>>> 95-policy.conf:
>>> auth_policy_server_url = http://localhost:8084/
>>> auth_policy_hash_nonce = this_is_my_super_secret_something
>>>
>>> Looking at the Wforce console I see:
>>>
>>> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web
>>> Authentication failed
>>>
>>> In wforce.conf I have the (default):
>...