This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.
Differences between revisions 1 and 5 (spanning 4 versions)
Revision 1 as of 2006-05-12 23:25:25 (size 2126, editor TimoSirainen)
Revision 5 as of 2006-12-16 13:41:57 (size 3139, editor TimoSirainen)

Password Schemes

Passwords can be stored in [wiki:PasswordDatabase password databases] in many different formats. Usually they should be stored as hashes rather than in plaintext, so that an attacker who gets into your computer can't easily read everyone's passwords.

With non-plaintext [wiki:Authentication/Mechanisms authentication mechanisms] you either have to store the password in a mechanism-specific format (which is incompatible with all other auth mechanisms except the plaintext ones), or you'll have to store the passwords as plaintext. Usually you don't have to worry about this if you don't want to, because most clients don't support anything other than plaintext authentication anyway. Encrypting the connection with SSL gives the necessary protection for the passwords in transit.

With plaintext auth mechanisms it doesn't matter in which format the password is stored locally, because Dovecot will internally hash the plaintext password sent by the client with the storage scheme and compare the result to the stored value.

Often you already have the passwords in some specific format, so the best idea is to just keep using them. Otherwise just pick one to use, for example SSHA.

Currently supported password schemes are:

  • CRYPT: DES-based encryption. This is how passwords are historically stored in /etc/passwd.
  • LANMAN: DES-based encryption. Used sometimes with NTLM mechanism.
  • NTLM: MD4 sum of the password stored in hex. Used with NTLM mechanism.
  • MD5-CRYPT: MD5 crypt. Another format historically used in /etc/passwd.
    • MD5: Deprecated name for MD5-CRYPT. The password isn't really in a standard MD5 format (like PLAIN-MD5 is).
  • PLAIN-MD5: MD5 sum of the password stored in hex.
  • LDAP-MD5: MD5 sum of the password stored in base64.
  • SMD5: Salted MD5 sum of the password stored in base64.
  • CRAM-MD5: Use with CRAM-MD5 mechanism (v1.0.rc16 and later).
    • HMAC-MD5: Deprecated name for CRAM-MD5. The password isn't really in a standard HMAC-MD5 format.
  • DIGEST-MD5: Use with DIGEST-MD5 mechanism. The username is included in the hash, so it's not possible to use the hash for different usernames.
  • RPA: Use with RPA mechanism.
  • SHA: SHA1 sum of the password stored in base64.
  • SSHA: Salted SHA1 sum of the password stored in base64.
  • PLAIN: Password is in plaintext.

A default password scheme can usually be specified per password database. You can override it for an individual entry by prefixing the password with {SCHEME}, for example {PLAIN}password. Note that not all [wiki:PasswordDatabase password databases] support changing the scheme. With some you might cause incompatibilities with other software using the same file (e.g. [wiki:AuthDatabase/Passwd passwd], [wiki:PasswordDatabase/Shadow shadow]), and with others it simply isn't possible at all because of the way they work (e.g. [wiki:PasswordDatabase/PAM PAM]).

Dovecot contains a dovecotpw utility which can be used to easily generate passwords for the wanted scheme.

For some schemes (e.g. PLAIN-MD5, SHA) Dovecot is able to detect whether the password hash is base64 or hex encoded, so both can be used. dovecotpw always generates the passwords using the encoding listed above.
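To make the {SCHEME} prefix, the dovecotpw output formats and the hex/base64 detection concrete, here is an added example (not Dovecot's own code) that generates and verifies entries for the hashlib-only schemes listed above: PLAIN, PLAIN-MD5, LDAP-MD5, SHA, SMD5 and SSHA. It assumes the salted layouts are base64(digest(password + salt) + salt) with the salt being whatever follows the digest, and uses a 4-byte random salt when none is given; CRYPT, MD5-CRYPT, NTLM and the mechanism-specific schemes are deliberately left out.

```python
import base64, hashlib, hmac, os, re

# Unsalted schemes: (hashlib name, encoding dovecotpw emits).
UNSALTED = {"PLAIN-MD5": ("md5", "hex"), "LDAP-MD5": ("md5", "base64"), "SHA": ("sha1", "base64")}
# Salted schemes store base64(digest(password + salt) + salt) (assumed layout).
SALTED = {"SMD5": "md5", "SSHA": "sha1"}

def generate(password, scheme, salt=None):
    # Build a '{SCHEME}...' string in the form dovecotpw prints it.
    scheme, pw = scheme.upper(), password.encode()
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    if scheme in UNSALTED:
        algo, enc = UNSALTED[scheme]
        raw = hashlib.new(algo, pw).digest()
        body = raw.hex() if enc == "hex" else base64.b64encode(raw).decode()
        return "{%s}%s" % (scheme, body)
    if scheme in SALTED:
        salt = os.urandom(4) if salt is None else salt  # short random salt (assumption)
        raw = hashlib.new(SALTED[scheme], pw + salt).digest() + salt
        return "{%s}%s" % (scheme, base64.b64encode(raw).decode())
    raise ValueError("unsupported scheme: " + scheme)

def decode_hash(body, digest_len):
    # Unsalted hashes may be hex or base64; decide by length and alphabet.
    if len(body) == 2 * digest_len and re.fullmatch(r"[0-9a-fA-F]+", body):
        return bytes.fromhex(body)
    return base64.b64decode(body, validate=True)

def verify(password, stored, default_scheme="PLAIN"):
    # An explicit {SCHEME} prefix overrides the database's default scheme.
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", stored, re.S)
    scheme, body = (m.group(1).upper(), m.group(2)) if m else (default_scheme.upper(), stored)
    pw = password.encode()
    try:
        if scheme == "PLAIN":
            return hmac.compare_digest(pw, body.encode())
        if scheme in UNSALTED:
            algo = UNSALTED[scheme][0]
            want = decode_hash(body, hashlib.new(algo).digest_size)
            return hmac.compare_digest(hashlib.new(algo, pw).digest(), want)
        if scheme in SALTED:
            raw = base64.b64decode(body, validate=True)
            n = hashlib.new(SALTED[scheme]).digest_size
            if len(raw) <= n:  # no salt bytes after the digest: malformed entry
                return False
            return hmac.compare_digest(hashlib.new(SALTED[scheme], pw + raw[n:]).digest(), raw[:n])
    except ValueError:  # bad hex/base64 (binascii.Error is a ValueError)
        return False
    return False  # unknown scheme never authenticates
```

Note that the verifier accepts a hex PLAIN-MD5 hash under the LDAP-MD5 label and vice versa, mirroring the encoding detection described above, while malformed or too-short salted entries are rejected rather than raising.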

Authentication/PasswordSchemes (last edited 2012-04-27 18:36:34 by bugeye)