auth: Added ability to truncate values logged by auth_verbose_passwords.
authorTimo Sirainen <tss@iki.fi>
Tue, 8 Oct 2013 13:48:04 +0000 (16:48 +0300)
committerTimo Sirainen <tss@iki.fi>
Tue, 8 Oct 2013 13:48:04 +0000 (16:48 +0300)
doc/example-config/conf.d/10-logging.conf
src/auth/auth-request.c
src/auth/auth-settings.c

index d0e7310a66b00ab9784a8a0d66a91e6a7f90ecc3..5f2c25c1501850b8c43d1a3dc500074b79502fd5 100644 (file)
@@ -26,6 +26,7 @@
 # In case of password mismatches, log the attempted password. Valid values are
 # no, plain and sha1. sha1 can be useful for detecting brute force password
 # attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
 #auth_verbose_passwords = no
 
 # Even more verbose logging for debugging purposes. Shows for example SQL
index 2c6b1d68defc86b498f6fa1b203bdb927a5a7fdc..06b20b6a89bf948d1895c5d4f2777c9d0e830414 100644 (file)
@@ -1785,18 +1785,27 @@ static void log_password_failure(struct auth_request *request,
 static void
 auth_request_append_password(struct auth_request *request, string_t *str)
 {
-       const char *log_type = request->set->verbose_passwords;
+       const char *p, *log_type = request->set->verbose_passwords;
+       unsigned int max_len = UINT_MAX;
+
+       p = strchr(log_type, ':');
+       if (p != NULL) {
+               if (str_to_uint(p+1, &max_len) < 0)
+                       i_unreached();
+               log_type = t_strdup_until(log_type, p);
+       }
 
        if (strcmp(log_type, "plain") == 0) {
                str_printfa(str, "(given password: %s)",
-                           request->mech_password);
+                           t_strndup(request->mech_password, max_len));
        } else if (strcmp(log_type, "sha1") == 0) {
                unsigned char sha1[SHA1_RESULTLEN];
 
                sha1_get_digest(request->mech_password,
                                strlen(request->mech_password), sha1);
                str_printfa(str, "(SHA1 of given password: %s)",
-                           binary_to_hex(sha1, sizeof(sha1)));
+                           t_strndup(binary_to_hex(sha1, sizeof(sha1)),
+                                     max_len));
        } else {
                i_unreached();
        }
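Review bot: The new suffix parsing turns a setting of `no:6` into log_type "no", which has no branch in this function and falls into the final i_unreached(); whether that is reachable depends on how the caller gates on the raw verbose_passwords string, which is outside the hunk — if it compares against "no" before calling, a "no:6" value would not match and this function would abort. It is cheaper to handle it locally with `if (strcmp(log_type, "no") == 0) return;` before the plain/sha1 comparisons, or to reject a truncation suffix on "no" at settings-check time. Separately, `plain:n` still writes the first n characters of the cleartext password to the log, so a comment above the plain branch such as `/* truncation limits but does not remove cleartext exposure in logs */` would help the next reader. The closing brace of auth_request_append_password lies outside the hunk.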
index a834c8adcad5239d654f5c0de38493d20c1bc9b3..8b86e2fb6405178b738eca4cc5eceb3023e07795 100644 (file)
@@ -214,7 +214,7 @@ static const struct setting_define auth_setting_defines[] = {
        DEF(SET_BOOL, verbose),
        DEF(SET_BOOL, debug),
        DEF(SET_BOOL, debug_passwords),
-       DEF(SET_ENUM, verbose_passwords),
+       DEF(SET_STR, verbose_passwords),
        DEF(SET_BOOL, ssl_require_client_cert),
        DEF(SET_BOOL, ssl_username_from_cert),
        DEF(SET_BOOL, use_winbind),
@@ -253,7 +253,7 @@ static const struct auth_settings auth_default_settings = {
        .verbose = FALSE,
        .debug = FALSE,
        .debug_passwords = FALSE,
-       .verbose_passwords = "no:plain:sha1",
+       .verbose_passwords = "no",
        .ssl_require_client_cert = FALSE,
        .ssl_username_from_cert = FALSE,
        .use_winbind = FALSE,
@@ -314,6 +314,32 @@ auth_settings_set_self_ips(struct auth_settings *set, pool_t pool,
        return TRUE;
 }
 
+static bool
+auth_verify_verbose_password(const struct auth_settings *set,
+                            const char **error_r)
+{
+       const char *p, *value = set->verbose_passwords;
+       unsigned int num;
+
+       p = strchr(value, ':');
+       if (p != NULL) {
+               if (str_to_uint(p+1, &num) < 0 || num == 0) {
+                       *error_r = t_strdup_printf("auth_verbose_passwords: "
+                               "Invalid truncation number: '%s'", p+1);
+                       return FALSE;
+               }
+               value = t_strdup_until(value, p);
+       }
+       if (strcmp(value, "no") == 0)
+               return TRUE;
+       else if (strcmp(value, "plain") == 0)
+               return TRUE;
+       else if (strcmp(value, "sha1") == 0)
+               return TRUE;
+       else
+               return FALSE;
+}
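Review bot: The final else branch returns FALSE without setting *error_r, so an unknown value such as `auth_verbose_passwords = md5` fails the settings check with whatever error_r previously held, while the bad-truncation path a few lines above does set a message; the unknown-value path should too: `*error_r = t_strdup_printf("auth_verbose_passwords: Unknown value: '%s'", value); return FALSE;`. The check also accepts a truncation suffix on "no" (`no:6`), which has no meaning for a disabled setting; rejecting it here (`if (strcmp(value, "no") == 0 && p != NULL) { ...error...; return FALSE; }`) keeps the runtime parser in auth-request.c from having to cope with it.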
+
 static bool auth_settings_check(void *_set, pool_t pool,
                                const char **error_r)
 {
@@ -339,6 +365,9 @@ static bool auth_settings_check(void *_set, pool_t pool,
                return FALSE;
        }
 
+       if (!auth_verify_verbose_password(set, error_r))
+               return FALSE;
+
        if (*set->username_chars == '\0') {
                /* all chars are allowed */
                memset(set->username_chars_map, 1,