On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
Hi guys,
we use dovecot 2.0.9 and authentication against a mysql database. Everything
works fine, but we found some weird behavior – when the password is e.g.
“testpass” you also authenticate successfully with “testpass123” or
“testpassNOT”. Whatever comes after the correct password doesn’t matter, the
authentication is still successful.
..
default_pass_scheme = CRYPT
http://wiki2.dovecot.org/Authentication/PasswordSchemes --
CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" =
vpvKh.SaNbR6s)
Dovecot uses libc's crypt() function, which means that CRYPT is usually
able to recognize MD5-CRYPT and possibly also other password schemes.
See all of the *-CRYPT schemes at the top of this page.
>>>>>>>
*The traditional DES-crypt scheme only uses the first 8 characters of
the password, the rest are ignored.* Other schemes may have other
password length limitations (if they limit the password length at all).
