This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.
Differences between revisions 2 and 8 (spanning 6 versions)
Revision 2 as of 2006-05-13 00:03:06
Size: 2578
Editor: TimoSirainen
Comment:
Revision 8 as of 2007-06-16 08:34:07
Size: 3447
Editor: cp47854-a
Comment: Added SHA256 support
Deletions are marked like this. Additions are marked like this.
Line 5: Line 5:
With non-plaintext [wiki:Authentication/Mechanisms authentication mechanisms] you either have to store the password in a mechanism-specific format (which is incompatible with all other auth mechanisms except plaintext ones), or you'll have to store the passwords as plaintext. Usually you don't have to worry about this if you don't want to, because most clients don't support anything else than plaintext authentication anyway. Encrypting the connection with SSL gives the necessary protection for the passwords. With non-plaintext [wiki:Authentication/Mechanisms authentication mechanisms] you either have to store the password in a mechanism-specific format (which is incompatible with all other auth mechanisms except plaintext ones), or you'll have to store the passwords as plaintext. For example if you're going to use CRAM-MD5 authentication, the password needs to be in plaintext format or in CRAM-MD5 format. If you want to allow both CRAM-MD5 and DIGEST-MD5, the password must be stored in plaintext.
Line 7: Line 7:
With plaintext auth mechanisms it doesn't matter in which format the password is stored locally, because Dovecot will internally encrypt the sent plaintext password to match the storage scheme. With plaintext auth mechanisms it doesn't matter in which format the password is stored locally, because Dovecot will internally encrypt the sent plaintext password to match the storage scheme. Usually people are using only the plaintext authentication mechanism. Encrypting the connection with SSL/TLS gives the necessary protection for the passwords.
Line 18: Line 18:
 * MD5: MD5crypt. Another format historically used in `/etc/passwd`.  * MD5-CRYPT: MD5 crypt. Another format historically used in `/etc/passwd` (v1.0.rc16 and later, for older use MD5)
  * MD5: Deprecated name for MD5-CRYPT. The password isn't really in a standard MD5 format (like PLAIN-MD5 is).
Line 22: Line 23:
 * HMAC-MD5: Use with CRAM-MD5 mechanism.
 * DIGEST-MD5: Use with DIGEST-MD5 mechanism.
 * CRAM-MD5: Use with CRAM-MD5 mechanism (v1.0.rc16 and later, for older use HMAC-MD5)
  * HMAC-MD5: Deprecated name for CRAM-MD5. The password isn't really in a standard HMAC-MD5 format.
 * DIGEST-MD5: Use with DIGEST-MD5 mechanism. The username is included in the hash, so it's not possible to use the hash for different usernames.
Line 28: Line 30:
 * SHA256: SHA256 sum of the password stored in base64. (Only in trunk, will be included in v1.1).
Line 31: Line 34:
Default password scheme can usually be specified for password database. You can override it by prefixing password with {SCHEME}. For example "{PLAIN}password". Note that not all [wiki:PasswordDatabase password databases] support changing the scheme. With some you might cause incompatibilities with other software using it (eg. [wiki:AuthDatabase/Passwd passwd], [wiki:PasswordDatabase/Shadow shadow]) and with others it simply isn't possible at all because of the way they work (eg. [wiki:PasswordDatabase/PAM PAM]). Default password scheme can usually be specified for password database. You can override it by prefixing the password with {SCHEME}, for example `{PLAIN}password`. Note that not all [wiki:PasswordDatabase password databases] support changing the scheme. With some you might cause incompatibilities with other software using it (eg. [wiki:AuthDatabase/Passwd passwd], [wiki:PasswordDatabase/Shadow shadow]) and with others it simply isn't possible at all because of the way they work (eg. [wiki:PasswordDatabase/PAM PAM]).
Line 34: Line 37:

For some schemes (eg. PLAIN-MD5, SHA) Dovecot is able to detect if the password hash is base64 or hex encoded, so both can be used. `dovecotpw` anyway generates the passwords using the encoding mentioned above.

Password Schemes

Passwords can be stored in [wiki:PasswordDatabase password databases] in many different formats. Usually they should be stored encrypted just to make sure that if an attacker gets into your computer he can't easily read everyone's passwords.

With non-plaintext [wiki:Authentication/Mechanisms authentication mechanisms] you either have to store the password in a mechanism-specific format (which is incompatible with all other auth mechanisms except plaintext ones), or you'll have to store the passwords as plaintext. For example if you're going to use CRAM-MD5 authentication, the password needs to be in plaintext format or in CRAM-MD5 format. If you want to allow both CRAM-MD5 and DIGEST-MD5, the password must be stored in plaintext.

With plaintext auth mechanisms it doesn't matter in which format the password is stored locally, because Dovecot will internally encrypt the sent plaintext password to match the storage scheme. Usually people are using only the plaintext authentication mechanism. Encrypting the connection with SSL/TLS gives the necessary protection for the passwords.

Often you already have the passwords in some specific format, so the best idea is to just keep using them. Otherwise just pick one to use, for example SSHA.

Currently supported password schemes are:

  • CRYPT: DES-based encryption. This is how passwords are historically stored in /etc/passwd.

  • LANMAN: DES-based encryption. Used sometimes with NTLM mechanism.
  • NTLM: MD4 sum of the password stored in hex. Used with NTLM mechanism.
  • MD5-CRYPT: MD5 crypt. Another format historically used in /etc/passwd (v1.0.rc16 and later, for older use MD5)

    • MD5: Deprecated name for MD5-CRYPT. The password isn't really in a standard MD5 format (like PLAIN-MD5 is).
  • PLAIN-MD5: MD5 sum of the password stored in hex.
  • LDAP-MD5: MD5 sum of the password stored in base64.
  • SMD5: Salted MD5 sum of the password stored in base64.
  • CRAM-MD5: Use with CRAM-MD5 mechanism (v1.0.rc16 and later, for older use HMAC-MD5)
    • HMAC-MD5: Deprecated name for CRAM-MD5. The password isn't really in a standard HMAC-MD5 format.
  • DIGEST-MD5: Use with DIGEST-MD5 mechanism. The username is included in the hash, so it's not possible to use the hash for different usernames.
  • RPA: Use with RPA mechanism.
  • SHA: SHA1 sum of the password stored in base64.
  • SSHA: Salted SHA1 sum of the password stored in base64.
  • SHA256: SHA256 sum of the password stored in base64. (Only in trunk, will be included in v1.1).
  • PLAIN: Password is in plaintext.

Default password scheme can usually be specified for password database. You can override it by prefixing the password with {SCHEME}, for example {PLAIN}password. Note that not all [wiki:PasswordDatabase password databases] support changing the scheme. With some you might cause incompatibilities with other software using it (eg. [wiki:AuthDatabase/Passwd passwd], [wiki:PasswordDatabase/Shadow shadow]) and with others it simply isn't possible at all because of the way they work (eg. [wiki:PasswordDatabase/PAM PAM]).

Dovecot contains a dovecotpw utility which can be used to easily generate passwords for wanted scheme.

For some schemes (eg. PLAIN-MD5, SHA) Dovecot is able to detect if the password hash is base64 or hex encoded, so both can be used. dovecotpw anyway generates the passwords using the encoding mentioned above.

None: Authentication/PasswordSchemes (last edited 2012-04-27 18:36:34 by bugeye)