doc/auth.txt @ 2810:74517c34a687

Dovecot authentication protocol v1.0
author: Timo Sirainen <tss@iki.fi>
date: Fri, 22 Oct 2004 16:44:03 +0300

Authentication is split into three parts: authentication mechanism,
password database and user database.

Currently supported authentication mechanisms:

- PLAIN: By itself it's very insecure, but through a secured SSL/TLS
  connection it should be fine.
- DIGEST-MD5: Should be quite secure by itself. It also supports
  integrity protection and encryption of the rest of the communication, but
  we don't support those yet.
- CRAM-MD5: Protects the secret in transit from eavesdroppers. Doesn't
  provide any integrity guarantees.
- ANONYMOUS: No authentication required. User will be logged in as the user
  specified by the auth_anonymous_username setting (default "anonymous"). There are
  no special restrictions placed on anonymous users, so you have to make sure
  they don't have access to unwanted locations.

Currently supported password databases:

- passwd: /etc/passwd or similar, using getpwnam()
- shadow: /etc/shadow or similar, using getspnam()
- pam: Pluggable Authentication Modules
- passwd-file: /etc/passwd-like file in specified location
- ldap: Lightweight Directory Access Protocol
- vpopmail: External software used to handle virtual domains
- pgsql: A PostgreSQL database.

Currently supported user databases:

- passwd: /etc/passwd or similar, using getpwnam()
- passwd-file: /etc/passwd-like file in specified location
- ldap: Lightweight Directory Access Protocol
- vpopmail: External software used to handle virtual domains
- static: Static UID and GID, home directory from given template
- pgsql: A PostgreSQL database.

Most password databases support only plaintext authentication. passwd-file
and LDAP are exceptions, since they support multiple password schemes.

Password schemes supporting only plaintext authentication:

- CRYPT: Use crypt(). Usually DES, but some systems support others too
  (e.g. MD5 and SHA1)
- MD5: MD5crypt algorithm, sometimes used in /etc/passwd and the like
- PLAIN-MD5: Simple MD5 sum of the password. Used by libpam-pwdfile

Password schemes supporting plaintext authentication and more:

- PLAIN: Although not a very good idea, it enables support for all current
  and future authentication mechanisms.
- HMAC-MD5: HMAC-MD5 context of the password, for the CRAM-MD5 mechanism.
- DIGEST-MD5: MD5 sum of "user:realm:password", as required by the DIGEST-MD5
  mechanism.

Realms (or virtual domains) are supported by appending "@realm" after
the user name. This behaviour works with all authentication mechanisms and
databases.

Home directory can be prefixed with "<chroot>/./", in which case the <chroot>
directory will be chrooted into. The actual home directory follows the
"/./". For example "/chroot/./home/user".


passwd
------

Most commonly used as user database. Many systems use shadow passwords
nowadays, so it doesn't usually work as password database. BSDs are an
exception to this: they still set the password field even with shadow
passwords.


shadow
------

Works at least with Linux and Solaris.


PAM
---

We should work with Linux PAM, Solaris PAM, OpenPAM (FreeBSD) and
ApplePAM (OSX). PAM doesn't provide a user database, so you have to use
something else for that - passwd usually.

By default Dovecot uses the "dovecot" service, i.e. the PAM configuration is in
the /etc/pam.d/dovecot file. You can override this by giving the wanted service
name as parameter for pam. For example "auth_passdb = pam dovecot2". If you
give "*" as the service name, Dovecot uses the "imap" service for IMAP connections
and the "pop3" service for POP3 connections.

Here's an example /etc/pam.d/dovecot configuration file which uses standard
UNIX authentication:

  auth     required  pam_unix.so nullok
  account  required  pam_unix.so


passwd-file
-----------

This is compatible with regular /etc/passwd, and with the password file used by
libpam-pwdfile. It's in the following format:

user:password:uid:gid:(gecos):home:(shell):flags:mail

For password database, it's enough to have only the user and password fields.
For user database, you also need to set uid, gid and either home or mail.

Flags is a comma-separated list of flags; currently the only recognized value
is "chroot", which makes the imap process chroot into the home directory, if
allowed by the master process.

The password field can be in three formats:

- password: Assume CRYPT scheme
- password[type]: libpam-pwdfile compatible format. Type is one of:
    13: CRYPT scheme
    34: MD5 scheme
    56: DIGEST-MD5 scheme (Dovecot extension, deprecated)
- {SCHEME}password


LDAP
----

See dovecot-ldap.conf for more information. Password and user databases may
use different configuration files to keep the information in separate
locations. If both refer to the same file, they share the same LDAP connection.


vpopmail
--------

This is external software intended to make handling virtual domains
easier. Supports Qmail and Postfix. See http://inter7.com/vpopmail.html


static
------

static uid=<uid> gid=<gid> home=<dir template>

All users share the same UID and GID. The home directory template can use the %u,
%n and %d variables; see the default_mail_env description in dovecot-example.conf.


PostgreSQL
----------

See dovecot-pgsql.conf for more information. Password and user databases may
use different configuration files to keep the information in separate
locations. If both refer to the same file, they share the same PostgreSQL
connection.


Generating passwords
--------------------

DES:
  mkpasswd
  perl -e 'printf "%s\n", crypt("pass", "two-letter-salt")'

MD5:
  mkpasswd --hash=md5
  perl -e 'printf "%s\n", crypt("pass", "\$1\$6-8-letter-salt\$")'

PLAIN-MD5:
  perl -MDigest::MD5 -e 'printf "{PLAIN-MD5}%s\n", Digest::MD5::md5_hex("pass")'

DIGEST-MD5:
  perl -MDigest::MD5 -e 'printf "{DIGEST-MD5}%s\n", Digest::MD5::md5_hex("user:realm:pass")'
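As an added example (not Dovecot code and not part of this document), a small Python reader for the passwd-file entries described above, paired with the MD5-based schemes from the "Generating passwords" section: it recognises the three password-field formats, splits a "<chroot>/./<homedir>" home, takes the DIGEST-MD5 realm from the "@realm" suffix on the user name, and compares candidates in constant time. Function names and sample entries are mine; CRYPT, MD5 and HMAC-MD5 are deliberately left unimplemented because they need crypt(3) or a stored HMAC context.

```python
import hashlib
import hmac

TYPE_CODES = {"13": "CRYPT", "34": "MD5", "56": "DIGEST-MD5"}  # password[type] codes

def parse_password_field(field):
    """Return (scheme, stored value) for the three password-field formats."""
    if field.startswith("{") and "}" in field:      # {SCHEME}password
        scheme, value = field[1:].split("}", 1)
        return scheme.upper(), value
    if field.endswith("]") and "[" in field:        # password[type], libpam-pwdfile style
        value, code = field[:-1].rsplit("[", 1)
        if code not in TYPE_CODES:
            raise ValueError("unknown password type code: " + code)
        return TYPE_CODES[code], value
    return "CRYPT", field                            # bare value: CRYPT scheme assumed

def parse_entry(line):
    """Split user:password:uid:gid:(gecos):home:(shell):flags:mail; only user and password are required."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("need at least user and password fields")
    fields += [""] * (9 - len(fields))               # pad the optional fields
    user, pw, uid, gid, _gecos, home, _shell, flags, mail = fields[:9]
    scheme, value = parse_password_field(pw)
    chroot, sep, homedir = home.partition("/./")     # "<chroot>/./<homedir>" convention
    if not sep:
        chroot, homedir = "", home
    return {"user": user, "scheme": scheme, "password": value, "uid": uid,
            "gid": gid, "chroot": chroot, "home": homedir, "mail": mail,
            "flags": tuple(f for f in flags.split(",") if f)}

def make_hash(scheme, user, password):
    """Stored value for the MD5-based schemes, mirroring the Perl one-liners.
    For DIGEST-MD5 the realm is whatever follows "@" in the user name."""
    if scheme == "PLAIN":
        return password
    if scheme == "PLAIN-MD5":
        return hashlib.md5(password.encode()).hexdigest()
    if scheme == "DIGEST-MD5":
        name, _, realm = user.partition("@")
        return hashlib.md5(f"{name}:{realm}:{password}".encode()).hexdigest()
    raise NotImplementedError(scheme)  # CRYPT/MD5 need crypt(3), HMAC-MD5 a stored context

def verify(entry, password):
    """Constant-time check of a candidate password against a parsed entry."""
    expected = make_hash(entry["scheme"], entry["user"], password)
    return hmac.compare_digest(expected.encode(), entry["password"].encode())
```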