[Dovecot] auth_debug_passwords
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
I have also set these options to yes, because I thought they might be required for auth_debug_passwords to work:
auth_verbose = yes
auth_debug = yes
Here's an example of what I see with a failed login:
Feb 3 17:03:36 ebi5 dovecot: auth-worker(default): pam(jkd,some IP): lookup service=dovecot
Feb 3 17:03:36 ebi5 dovecot: auth-worker(default): pam(jkd,some IP): #1/1 style=1 msg=Password:
Feb 3 17:03:36 ebi5 dovecot: auth-worker(default): pam(jkd,some IP): pam_authenticate() failed: authentication error (password mismatch?)
Feb 3 17:03:38 ebi5 dovecot: auth(default): client out: FAIL 1 user=jkd
Feb 3 17:03:38 ebi5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<jkd>, method=PLAIN, rip=some IP, lip=some IP
-------Version and config below----------
host:/var/log# dovecot --version
1.1.8
host:/var/log# dovecot -n
1.1.8: /usr/local/etc/dovecot.conf
OS: FreeBSD 7.1-RELEASE-p2 i386
base_dir: /var/run/dovecot/
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/mail/certs/mail.ourdomain.com.pem
ssl_key_file: /etc/mail/certs/mail.ourdomain.com.pem
ssl_cipher_list: ALL:!LOW:!SSLv2
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting_capability(default): yes
login_greeting_capability(imap): yes
login_greeting_capability(pop3): no
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 100
mail_privileged_group: mail
mail_location: mbox:~/:INBOX=/var/mail/%u:INDEX=/var/dovecot/%u
mail_full_filesystem_access: yes
mmap_disable: yes
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mbox_lock_timeout: 120
dbox_rotate_days: 0
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): delay-newmail netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_reuse_xuidl(default): no
pop3_reuse_xuidl(imap): no
pop3_reuse_xuidl(pop3): yes
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  username_format: %Lu
  winbind_helper_path: /usr/local/bin/ntlm_auth
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: session=yes dovecot
  userdb:
    driver: passwd
    args: blocking=yes
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
host:/var/log#
Thanks for any light you could shine on this problem.
Josh
-- Josh Gentry help@swcp.com * jgentry@swcp.com * 505-232-7992 Customer service in the 21st century.
Josh Gentry wrote:
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
That option is not for logging passwords, but to ease problem investigation in case something is not working as it should.
There might be a way to log password attempts, but it's not a good idea from the point of view of security, so I'm glad it's not so easy to have them logged.
Remember that a failed password might be someone using a dictionary attack, but can be a user that simply mistyped one character in his password. But even in the first case, what good would it do to know what words an attacker is using?
-- Q: Why does Washington have the most lawyers per capita and New Jersey the most toxic waste dumps? A: God gave New Jersey first choice.
Eduardo M KALINOWSKI eduardo@kalinowski.com.br http://move.to/hpkb
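An added example, not code from the Dovecot project or from anyone in this thread: a small Python script that reads the pop3-login/imap-login "Aborted login (auth failed, ...)" lines in the format Josh posted and groups the failures per remote IP, so that the two cases Eduardo distinguishes can be told apart without logging any password at all: one account failing repeatedly from one address (the mistyped-password or caps-lock case Josh wants to help with) versus one address cycling through many usernames (the dictionary-attack case). The log lines, IP addresses and the two thresholds are constructed for illustration and are not Dovecot settings.

```python
# Added example (not from the Dovecot project or this thread): group Dovecot 1.1
# "Aborted login (auth failed ...)" lines by remote IP so that a single user
# failing repeatedly (mistyped password / caps lock) can be told apart from
# one address trying many usernames (dictionary attack / password spray).
import re
from collections import defaultdict

# Constructed sample log, following the pop3-login/imap-login line format
# shown in the original post. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb  3 17:03:38 ebi5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<jkd>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Feb  3 17:04:01 ebi5 dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<jkd>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Feb  3 17:04:15 ebi5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb  3 17:04:20 ebi5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb  3 17:04:25 ebi5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb  3 17:05:00 ebi5 dovecot: imap-login: Login: user=<jkd>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
"""

# Matches only the failed-login summary line written by the login process;
# the auth-worker/pam lines from the same attempt are deliberately ignored
# because they carry neither the remote IP nor the attempt counter.
FAILED_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Aborted login "
    r"\(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\S+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,\s]+)"
)


def parse_failed_logins(log_text):
    """Return one dict per 'Aborted login (auth failed ...)' line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and auth-worker chatter
        ev = m.groupdict()
        ev["attempts"] = int(ev["attempts"])
        events.append(ev)
    return events


def classify_by_ip(events, spray_users=3, repeat_attempts=3):
    """Aggregate failures per remote IP and attach a verdict.

    spray_users and repeat_attempts are illustrative thresholds, not Dovecot
    settings; tune them to the site's traffic.
    """
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0})
    for ev in events:
        by_ip[ev["rip"]]["users"].add(ev["user"])
        by_ip[ev["rip"]]["attempts"] += ev["attempts"]

    report = {}
    for rip, agg in by_ip.items():
        if len(agg["users"]) >= spray_users:
            verdict = "password-spray"      # many accounts from one address
        elif agg["attempts"] >= repeat_attempts:
            verdict = "repeated-failures"   # one account that keeps failing
        else:
            verdict = "isolated-failure"
        report[rip] = {
            "users": sorted(agg["users"]),
            "attempts": agg["attempts"],
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for rip, info in classify_by_ip(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{rip}: {info['verdict']} "
              f"({info['attempts']} failed attempts, users={info['users']})")
```

This works on lines Dovecot already writes with auth_verbose alone, so it needs no password material in the log. If passwords do get logged (auth_debug_passwords in a passdb that supports it), the same log file becomes credential storage: restrict its permissions, shorten its retention, and turn the option off again once the investigation is over.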
On Wed, Feb 04, 2009 at 08:52:10AM -0200, Eduardo M KALINOWSKI wrote:
Josh Gentry wrote:
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
That option is not for logging passwords, but to ease problem investigation in case something is not working as it should.
Well, it's both, right. It's for logging the incorrect password when authentication fails. We are an ISP, we do a LOT of email, and password problems are a major tech support load. Being able to tell the customer that, yes, they have their caps lock on because I can see they are sending the password in all caps, would be a big help. We do the same thing with RADIUS logging, and it's very useful.
Thanks,
Josh
On Wed, 2009-02-04 at 08:52 -0200, Eduardo M KALINOWSKI wrote:
Josh Gentry wrote:
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
That option is not for logging passwords, but to ease problem investigation in case something is not working as it should.
Well, yes, but it's about investigating why logins are failing due to password mismatches, so logging the password in that case is useful. It was already done with pretty much all passdbs except PAM.
On Tue, 2009-02-03 at 17:33 -0700, Josh Gentry wrote:
I have also set these options to yes, because I thought they might be required for auth_debug_passwords to work: .. pam(jkd,some IP): pam_authenticate() failed: authentication error (password mismatch?)
Hmm. Here you go: http://hg.dovecot.org/dovecot-1.1/rev/11112baa8592
Thanks!
Josh
On Wed, Feb 04, 2009 at 12:24:48PM -0500, Timo Sirainen wrote:
On Tue, 2009-02-03 at 17:33 -0700, Josh Gentry wrote:
I have also set these options to yes, because I thought they might be required for auth_debug_passwords to work: .. pam(jkd,some IP): pam_authenticate() failed: authentication error (password mismatch?)
Hmm. Here you go: http://hg.dovecot.org/dovecot-1.1/rev/11112baa8592