Sorry,

Yes, I did miss the closing quote. Now it no longer shows the auth error; it shows a Wforced exception:

Exception in command [report] exception: Unable to convert presentation address ''

But it's not a Dovecot problem, I suppose... ;-)


Thanks


On 16/01/19 at 11:11, Aki Tuomi wrote:
Did you miss the closing quote from api_header? Also, can you turn on 
auth_debug=yes?

Aki

On 16 January 2019 at 12:05 alberto bersol <albe...@bersol.info> wrote:


Hi Aki,

I've configured in this way:

vm-weakforced:~# printf 'wforce:super' | base64
d2ZvcmNlOnN1cGVy

vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy

With the same result...

WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed
WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed
WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed

I'm not considering some detail

Regards,

On 16/01/19 at 09:26, Aki Tuomi wrote:
Hi!

You configure it like this:

auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOkJydHpUNlRuTkZ4UUU="

the authorization blob is basically

printf 'wforce:super' | base64

Aki

On 16 January 2019 at 10:06 alberto bersol <albe...@bersol.info> wrote:


Hi,
I'm trying to set up Weakforced with Dovecot and I cannot log in to the policy
server. This is the config:

/root/weakforced/wforce/wforce.conf
-----------------------------------
...
webserver("0.0.0.0:8084", "super")
...

/etc/dovecot/conf.d/95-policy.conf
----------------------------------
auth_policy_server_url = http://localhost:8084/
#auth_policy_hash_nonce = wforce:super
auth_policy_hash_nonce = {SHA256-CRYPT}$5$Ue5UrToV.Bam02bQ$Bi9OJ62Mkgc20L2HnLVmD2OCHyXaKje6Hh7qNjnOkB9

I'm following the instructions of Dovecot's wiki:
https://wiki.dovecot.org/Authentication/Policy
...
"To generate the hash, you concatenate nonce, login name, nil byte,
password and run it through the hash algorithm once. The hash is
truncated when truncation is set to non-zero. The hash is truncated by
first choosing bits from MSB to byte boundary (rounding up), then
right-shifting the remaining bits.

hash = H(nonce||user||'\x00'||password)
bytes = round8(bits*8)
hash = HEX(hash[0:bytes] >> (bytes-bits*8))

And I set hash with password (super) in this way:

vm-weakforced:~# doveadm pw -p noncewforce\x00super -s SHA256-CRYPT
{SHA256-CRYPT}$5$ZWIX2dnU7NJvGHgC$hYFbeCCaHYZv0yPP80GHygxQMPmI5BjMx2ttRe9zti2


But if I log in to the Dovecot server:

vm-weakforced:~# doveadm auth login usuario
Password:
passdb: usuario auth succeeded
extra fields:
     user=usuario

userdb extra fields:
     usuario
     system_groups_user=usuario
     uid=1000
     gid=1000
     home=/home/usuario

The answer from Weakforced is always "...authentication failed":

WforceWebserver: HTTP Request "/" from 127.0.0.1:39720: Web
Authentication failed

And Dovecot logs don't show anything else:
...
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: auth client
connected (pid=967)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=doveadm#011resp=dXN1YXJpbwB1c3VhcmlvAHVzdWFyaW8=
(previous base64 data may contain sensitive data)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: policy(usuario):
Policy request http://localhost:8084/?command=allow
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: policy(usuario):
Policy server request JSON:
{"device_id":"","login":"usuario","protocol":"doveadm","pwhash":"0a00","remote":"","tls":false}
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
queue http://localhost:8084: Set request timeout to 2019-01-15
16:50:52.236 (now: 2019-01-15 16:50:50.236)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer
127.0.0.1:8084 (shared): Peer created
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer
127.0.0.1:8084: Peer pool created
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: Peer created
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
queue http://localhost:8084: Setting up connection to 127.0.0.1:8084 (1
requests pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: Linked queue http://localhost:8084 (1 queues linked)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
queue http://localhost:8084: Started new connection to 127.0.0.1:8084
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
request [Req4: POST http://localhost:8084/?command=allow]: Submitted
(requests left=1)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: Creating 1 new connections to handle requests (already 0
usable, connecting to 0, closing 0)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: Making new connection 1 of 1 (0 connections exist, 0
pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: (127.0.0.1:8084): Connecting
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: (127.0.0.1:8084): Waiting for connect (fd=20) to
finish for max 0 msecs
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: HTTP connection created (1 parallel connections exist)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: (127.0.0.1:8084): Client connected (fd=20)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: Connected
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: Ready for requests
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer
127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total
connections ready)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed
request [Req4: POST http://localhost:8084/?command=allow]
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: Claimed request [Req4: POST
http://localhost:8084/?command=allow]
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
request [Req4: POST http://localhost:8084/?command=allow]: Sent header
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
request [Req4: POST http://localhost:8084/?command=allow]: Send more
(sent 95, buffered=303)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
request [Req4: POST http://localhost:8084/?command=allow]: Finished
sending payload
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: No more requests to service for this peer (1 connections
exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: Got 401 response for request [Req4: POST
http://localhost:8084/?command=allow] (took 4 ms + 3 ms in queue)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Error: policy(usuario):
Policy server HTTP error: 401 Unauthorized
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: Response payload stream destroyed (0 ms after
initial response)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
request [Req4: POST http://localhost:8084/?command=allow]: Finished
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
queue http://localhost:8084: Dropping request [Req4: POST
http://localhost:8084/?command=allow]
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
request [Req4: POST http://localhost:8084/?command=allow]: Free
(requests left=1)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
127.0.0.1:8084: No requests to service for this peer (1 connections
exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
127.0.0.1:8084 [2]: No more requests queued; going idle (timeout = 10000
msecs)
...

Any idea?

Thank you so much
Regards,
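
Added example, not part of the original thread and not Dovecot or Weakforced code: a Python sketch that separates the two settings confused above, computing the `pwhash` from the quoted wiki formula and linting an `auth_policy_server_api_header` line. The function names are hypothetical, and reading `round8` as "round up to whole bytes" with a 12-bit truncation (to match the 4-hex-digit `pwhash` in the log) is an assumption.

```python
import base64
import hashlib

def policy_pwhash(nonce: bytes, user: bytes, password: bytes,
                  bits: int = 12, algo: str = "sha256") -> str:
    """H(nonce||user||'\\x00'||password), truncated to `bits` bits (0 = full hash)."""
    digest = hashlib.new(algo, nonce + user + b"\x00" + password).digest()
    if bits == 0:
        return digest.hex()
    nbytes = (bits + 7) // 8                     # MSB up to a byte boundary, rounded up
    value = int.from_bytes(digest[:nbytes], "big") >> (nbytes * 8 - bits)
    return value.to_bytes(nbytes, "big").hex()   # the nonce is a salt, not a credential

def check_api_header(line: str, user: str, password: str) -> list:
    """Return the problems found in an auth_policy_server_api_header setting."""
    key, _, value = line.partition("=")          # splits at the first '=' only
    if key.strip() != "auth_policy_server_api_header":
        return ["not an auth_policy_server_api_header line"]
    value = value.strip()
    problems = []
    if value.count('"') % 2:
        problems.append("unbalanced double quote")
    scheme, _, blob = value.strip('"').partition("Basic ")
    if scheme.strip() != "Authorization:" or not blob:
        return problems + ["expected 'Authorization: Basic <base64>'"]
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode()
    except ValueError:                           # bad base64 or non-UTF-8 bytes
        return problems + ["blob is not valid base64"]
    if decoded != f"{user}:{password}":
        problems.append("blob does not decode to user:password")
    return problems

# The header line exactly as posted in the thread (closing quote missing).
POSTED_LINE = 'auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy'

if __name__ == "__main__":
    print(check_api_header(POSTED_LINE, "wforce", "super"))
    print(check_api_header(POSTED_LINE + '"', "wforce", "super"))
    # Constructed inputs: the real nonce is any random string shared with wforce.
    print(policy_pwhash(b"some random string", b"usuario", b"example-password"))
```

The web server password from `wforce.conf` only ever goes into the Basic blob; `auth_policy_hash_nonce` feeds `policy_pwhash` and is never sent as a login.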

