On 15/12/2023 18:56, Max Nikulin wrote:
On 14/12/2023 18:01, Aki Tuomi via dovecot wrote:
You can set service auth and service auth-worker vsz_limit to 2G, that
is usually enough for PAM and Argon2.
Thank you. In my first message I wrote that 1G was enough in my case.
Actually 1G sometimes is not enough. Thunderbird with its multiple
parallel connections created simultaneously may be quite successful in
making authentication failures rather annoying.
I have not seen a failure with "vsz_limit = 2G" yet.
It appears just like incorrect passwords in logs mixed with successful
authentications.
12:33:23 dovecot[4299]: auth-worker(4449): Debug: conn unix:auth-worker (pid=4307,uid=114): auth-worker<1>: pam(test,127.0.0.1,<JPhaBWMN8Jp/AAAB>): #1/1 style=1 msg=Password:
12:33:23 auth[4449]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=127.0.0.1 user=test
12:33:24 dovecot[4299]: auth-worker(4449): conn unix:auth-worker (pid=4307,uid=114): auth-worker<1>: pam(test,127.0.0.1,<JPhaBWMN8Jp/AAAB>): pam_authenticate() failed: Authentication failure (Password mismatch?)
Earlier I believed that I knew another (inconvenient) workaround: edit
/etc/pam.d/dovecot to put the content of common-auth and common-session
literally and disable pam_fscrypt.so specifically for dovecot.
Unfortunately it does not work. Auth worker still loads pam_fscrypt.so
from common-password through some other config file. Even if debug is
enabled for pam_fscrypt.so, this library generates no output for both
successful and failed authentication attempts. On the other hand I can
get debug output from "auth optional pam_fscrypt.so debug".
I have no idea what piece of code (Go runtime, Dovecot,
https://github.com/google/fscrypt) causes silent errors leading to
authentication failures. It is disappointing since Go+fscrypt should be
no-op in this case.
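
Added example, not part of the original message or of Dovecot: a small log triage helper for the symptom described above, where pam_authenticate() failures are interleaved with successful logins. It flags failures that have a successful login for the same user and remote IP within a few seconds, which as a heuristic points at the auth worker rather than a wrong password. The sample log is constructed, and the "Login:" line format and the 5-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread), shaped like the log quoted above.
SAMPLE_LOG = """\
12:33:22 dovecot[4299]: imap-login: Login: user=<test>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4450, secured, session=<aaa>
12:33:24 dovecot[4299]: auth-worker(4449): conn unix:auth-worker (pid=4307,uid=114): auth-worker<1>: pam(test,127.0.0.1,<bbb>): pam_authenticate() failed: Authentication failure (Password mismatch?)
12:33:25 dovecot[4299]: imap-login: Login: user=<test>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4452, secured, session=<ccc>
12:40:00 dovecot[4299]: auth-worker(4460): conn unix:auth-worker (pid=4307,uid=114): auth-worker<2>: pam(alice,192.0.2.7,<ddd>): pam_authenticate() failed: Authentication failure (Password mismatch?)
"""

# pam(<user>,<remote ip>,<session>): pam_authenticate() failed ...
FAIL_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) .*pam\(([^,]+),([^,)]+)[^)]*\): pam_authenticate\(\) failed")
# <proto>-login: Login: user=<name>, ..., rip=<remote ip>, ...
OK_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) .*-login: Login: user=<([^>]+)>.*\brip=([^,\s]+)")


def _ts(text):
    # Lines carry only a time of day; all lines are assumed to be from one day.
    return datetime.strptime(text, "%H:%M:%S")


def suspicious_failures(log_text, window_s=5):
    """Return (time, user, rip) for each PAM failure that has a successful
    login for the same user and remote IP within window_s seconds."""
    ok = defaultdict(list)
    fails = []
    for line in log_text.splitlines():
        m = OK_RE.match(line)
        if m:
            ok[(m.group(2), m.group(3))].append(_ts(m.group(1)))
            continue
        m = FAIL_RE.match(line)
        if m:
            fails.append((_ts(m.group(1)), m.group(2), m.group(3)))
    window = timedelta(seconds=window_s)
    return [(t.strftime("%H:%M:%S"), user, rip) for t, user, rip in fails
            if any(abs(t - s) <= window for s in ok[(user, rip)])]


if __name__ == "__main__":
    for hit in suspicious_failures(SAMPLE_LOG):
        print("failure next to a successful login:", hit)
```

Failures with no nearby success, such as the constructed "alice" line, are left unflagged and should still be treated as ordinary failed logins.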