dovecot core-2.2: annotate doc/auth.txt @ 1741:9df02b1533b3 HEAD

Removed most of the license comments from src/lib/*.c. It's just fine to
keep them in a single COPYING.MIT file. Changed a few other comments as well.

author:   Timo Sirainen <tss@iki.fi>
date:     Wed, 27 Aug 2003 00:18:16 +0300
parents:  ab2fb3c6a12b
children: 6d37e8554dbb

Authentication is split into three parts: authentication mechanism,
password database and user database.

Currently supported authentication mechanisms:

- PLAIN: By itself it's very insecure, but over a secured SSL/TLS
  connection it should be fine.
- DIGEST-MD5: Should be quite secure by itself. It also supports
  integrity protection and encryption of the rest of the communication,
  but we don't support those yet.
- ANONYMOUS: No authentication required. The user will be logged in as the
  user specified by the auth_anonymous_username setting (default
  "anonymous"). There are no special restrictions on anonymous users, so you
  have to make sure that user doesn't have access to unwanted locations.

Currently supported password databases:

- passwd: /etc/passwd or similar, using getpwnam()
- shadow: /etc/shadow or similar, using getspnam()
- pam: Pluggable Authentication Modules
- passwd-file: /etc/passwd-like file in a specified location
- ldap: Lightweight Directory Access Protocol
- vpopmail: External software used to handle virtual domains
- pgsql: A PostgreSQL database

Currently supported user databases:

- passwd: /etc/passwd or similar, using getpwnam()
- passwd-file: /etc/passwd-like file in a specified location
- ldap: Lightweight Directory Access Protocol
- vpopmail: External software used to handle virtual domains
- static: Static UID and GID, home directory from a given template
- pgsql: A PostgreSQL database

Most password databases support only plaintext authentication. passwd-file
and LDAP are exceptions, since they support multiple password schemes.

Password schemes supporting only plaintext authentication:

- CRYPT: Use crypt(). Usually DES, but some systems support others too
  (e.g. MD5 and SHA1)
- MD5: MD5crypt algorithm, sometimes used in /etc/passwd and the like
- PLAIN-MD5: Simple MD5 sum of the password. Used by libpam-pwdfile

Password schemes supporting plaintext authentication and more:

- PLAIN: Although not that good an idea, it enables support for all current
  and future authentication mechanisms.
- DIGEST-MD5: MD5 sum of "user:realm:password", as required by the
  DIGEST-MD5 mechanism.

Realms (or virtual domains) are supported by appending "@realm" after
the user name. This behaviour works with all authentication mechanisms and
databases.

The home directory can be prefixed with "<chroot>/./", in which case the
<chroot> directory will be chrooted into. The actual home directory follows
the "/./". For example "/chroot/./home/user".


passwd
------

Most commonly used as the user database. Many systems use shadow passwords
nowadays, so it doesn't usually work as the password database. BSDs are an
exception to this: they still set the password field even with shadow
passwords.


shadow
------

Works at least with Linux and Solaris.


PAM
---

We should work with Linux PAM, Solaris PAM, OpenPAM (FreeBSD) and
ApplePAM (OSX). PAM doesn't provide a user database, so you have to use
something else for that - passwd usually.

By default Dovecot uses the "dovecot" service, i.e. the PAM configuration is
in the /etc/pam.d/dovecot file. You can override this by giving the wanted
service name as a parameter for pam. For example "auth_passdb = pam dovecot2".
If you give "*" as the service name, Dovecot uses the "imap" service for IMAP
connections and the "pop3" service for POP3 connections.

Here's an example /etc/pam.d/dovecot configuration file which uses standard
UNIX authentication:

  auth     required  pam_unix.so nullok
  account  required  pam_unix.so


passwd-file
-----------

This is compatible with the regular /etc/passwd, and with the password file
used by libpam-pwdfile. It's in the following format:

  user:password:uid:gid:(gecos):home:(shell):flags:mail

For a password database, it's enough to have only the user and password
fields. For a user database, you also need to set uid, gid and either home
or mail.

Flags is a comma-separated list of flags. Currently the only recognized value
is "chroot", which makes the imap process chroot into the home directory, if
allowed by the master process.

The password field can be in three formats:

- password: Assume CRYPT scheme
- password[type]: libpam-pwdfile compatible format. Type is one of:
    13: CRYPT scheme
    34: MD5 scheme
    56: DIGEST-MD5 scheme (Dovecot extension, deprecated)
- {SCHEME}password


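As an added example (not Dovecot's own parser), here is a Python reader for the passwd-file format just described, which also applies the "<chroot>/./<homedir>" home-directory convention from earlier. The field order, the "[type]" numbers and the "chroot" flag come from this document; the sample lines, their placeholder hashes, the restored leading "/" on the chrooted home and the handling of ":" inside the trailing mail field are assumptions of the example.

```python
"""Parse Dovecot passwd-file lines (added example, not Dovecot's own code)."""
import re

# Documented field order: user:password:uid:gid:(gecos):home:(shell):flags:mail
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell", "flags", "mail")

# libpam-pwdfile "[type]" suffix -> Dovecot scheme name, as listed in auth.txt
PWDFILE_TYPES = {"13": "CRYPT", "34": "MD5", "56": "DIGEST-MD5"}

# The only flag auth.txt recognises.
KNOWN_FLAGS = {"chroot"}


def parse_password_field(field):
    """Return (scheme, hash) for the three documented password field formats."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", field)
    if m:                                    # {SCHEME}password
        return m.group(1).upper(), m.group(2)
    m = re.fullmatch(r"(.*)\[(\d+)\]", field)
    if m:                                    # password[type], libpam-pwdfile style
        if m.group(2) not in PWDFILE_TYPES:
            raise ValueError("unknown libpam-pwdfile type [%s]" % m.group(2))
        return PWDFILE_TYPES[m.group(2)], m.group(1)
    return "CRYPT", field                    # bare value: CRYPT is assumed


def split_chroot(home):
    """Split '<chroot>/./<homedir>' into (chroot, homedir).

    Without the marker the whole value is the home directory and no chroot
    applies.  The leading '/' is restored on the homedir so it is an absolute
    path inside the chroot (an assumption of this example).
    """
    if "/./" not in home:
        return None, home
    chroot, rest = home.split("/./", 1)
    return chroot, "/" + rest


def parse_passwd_file_line(line, as_userdb=False):
    """Parse one line; as_userdb=True enforces the userdb requirements."""
    # maxsplit keeps any ':' inside the trailing mail field (e.g. "maildir:~/Maildir");
    # that the last field may contain ':' is an assumption of this example.
    parts = line.rstrip("\n").split(":", len(FIELDS) - 1)
    if len(parts) < 2 or not parts[0]:
        raise ValueError("at least user and password fields are required")
    parts += [""] * (len(FIELDS) - len(parts))      # pad the optional fields
    entry = dict(zip(FIELDS, parts))

    entry["scheme"], entry["password"] = parse_password_field(entry["password"])

    entry["flags"] = [f for f in entry["flags"].split(",") if f]
    unknown = set(entry["flags"]) - KNOWN_FLAGS
    if unknown:
        raise ValueError("unrecognized flag(s): %s" % ", ".join(sorted(unknown)))

    entry["chroot"], entry["home"] = split_chroot(entry["home"])

    if as_userdb:
        # A userdb entry needs uid, gid and either home or mail.
        if not (entry["uid"].isdigit() and entry["gid"].isdigit()):
            raise ValueError("userdb entry needs numeric uid and gid")
        if not (entry["home"] or entry["mail"]):
            raise ValueError("userdb entry needs home or mail")
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
    return entry


# Constructed sample lines; the hash values are placeholders, not real digests.
SAMPLE_LINES = [
    "alice:{PLAIN-MD5}0123456789abcdef0123456789abcdef:1000:1000::"
    "/srv/vmail/./home/alice::chroot:maildir:~/Maildir",
    "bob:$1$saltsalt$PLACEHOLDERMD5CRYPTHASHxx[34]:1001:1001::/home/bob:::",
    "carol:xxPLACEHOLDERdes",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_passwd_file_line(sample))
```

A userdb lookup should call parse_passwd_file_line() with as_userdb=True, so an entry that lacks uid/gid or both home and mail is rejected before any mail process is started for it; a passdb lookup only needs the user and the (scheme, hash) pair.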
LDAP
----

See dovecot-ldap.conf for more information. The password and user databases
may use different configuration files to keep the information in separate
locations. If both refer to the same file, they share the same LDAP
connection.


vpopmail
--------

This is external software intended to make handling virtual domains
easier. It supports Qmail and Postfix. See http://inter7.com/vpopmail.html


static
------

  static uid=<uid> gid=<gid> home=<dir template>

All users share the same UID and GID. The home directory template can use
the %u, %n and %d variables; see the default_mail_env description in
dovecot-example.conf.


PostgreSQL
----------

See dovecot-pgsql.conf for more information. The password and user databases
may use different configuration files to keep the information in separate
locations. If both refer to the same file, they share the same PostgreSQL
connection.


Generating passwords
--------------------

DES:
  mkpasswd
  perl -e 'printf "%s\n", crypt("pass", "two-letter-salt")'

MD5:
  mkpasswd --hash=md5
  perl -e 'printf "%s\n", crypt("pass", "\$1\$6-8-letter-salt\$")'

PLAIN-MD5:
  perl -MDigest::MD5 -e 'printf "{PLAIN-MD5}%s\n", Digest::MD5::md5_hex("pass")'

DIGEST-MD5:
  perl -MDigest::MD5 -e 'printf "{DIGEST-MD5}%s\n", Digest::MD5::md5_hex("user:realm:pass")'
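As an added example (not from Dovecot or this document), the PLAIN-MD5 and DIGEST-MD5 entries above produced and checked in Python with hashlib instead of perl. The "user:realm:password" input and the "user@realm" login form are taken from this document; the user names and passwords are constructed.

```python
"""Generate and verify {PLAIN-MD5} / {DIGEST-MD5} entries (added example)."""
import hashlib
import hmac


def split_realm(login):
    """'user@realm' -> ('user', 'realm'); a plain user name gets an empty realm."""
    user, sep, realm = login.partition("@")
    return user, (realm if sep else "")


def make_plain_md5(password):
    """PLAIN-MD5: a bare MD5 of the password, with no salt and no user binding."""
    return "{PLAIN-MD5}" + hashlib.md5(password.encode("utf-8")).hexdigest()


def make_digest_md5(login, password):
    """DIGEST-MD5: MD5 over "user:realm:password", as the mechanism requires."""
    user, realm = split_realm(login)
    material = "%s:%s:%s" % (user, realm, password)
    return "{DIGEST-MD5}" + hashlib.md5(material.encode("utf-8")).hexdigest()


def verify(entry, login, password):
    """Check a '{SCHEME}hash' entry against a cleartext login attempt.

    Only the two hashlib-backed schemes are handled; CRYPT and MD5 (md5crypt)
    need crypt(3), as the mkpasswd/perl one-liners show, and are rejected here
    rather than guessed at.
    """
    if entry.startswith("{PLAIN-MD5}"):
        expected = make_plain_md5(password)
    elif entry.startswith("{DIGEST-MD5}"):
        expected = make_digest_md5(login, password)
    else:
        raise ValueError("only PLAIN-MD5 and DIGEST-MD5 entries are handled here")
    # Constant-time comparison so a mismatch leaks nothing about how many
    # leading characters matched.
    return hmac.compare_digest(entry.encode("utf-8"), expected.encode("utf-8"))


def same_password_collides(scheme, logins, password):
    """True when every login in `logins` gets an identical entry for `password`.

    PLAIN-MD5 entries are identical for everyone sharing a password, because
    nothing but the password goes into the hash; DIGEST-MD5 entries differ
    because the user name and realm are mixed in.
    """
    make = {
        "PLAIN-MD5": lambda login: make_plain_md5(password),
        "DIGEST-MD5": lambda login: make_digest_md5(login, password),
    }[scheme]
    return len({make(login) for login in logins}) == 1


if __name__ == "__main__":
    # Constructed sample accounts sharing one password.
    for login in ("alice", "bob@example.com"):
        print(login, make_plain_md5("correct horse"))
        print(login, make_digest_md5(login, "correct horse"))
```

same_password_collides() makes the scheme difference visible in a passwd-file: with PLAIN-MD5, two accounts that share a password have identical entries, so one cracked entry gives away the others, whereas a DIGEST-MD5 entry is bound to its user name and realm. Note that a DIGEST-MD5 entry is only valid for the login it was generated for, which is why verify() takes the login as well as the password.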