From 107c39f1ef3ab61e2a903ba851f8acfc510e7a55 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Fri, 20 Nov 2020 22:46:47 +0100
Subject: [PATCH] move webauthn/fido2

---
 docs/model-pws.md | 28 ----------------------------
 docs/u_e-fido2.md | 15 +++++++++++++++
 mkdocs.yml | 2 +-
 3 files changed, 16 insertions(+), 29 deletions(-)
 delete mode 100644 docs/model-pws.md
 create mode 100644 docs/u_e-fido2.md

diff --git a/docs/model-pws.md b/docs/model-pws.md
deleted file mode 100644
index 78c935e93..000000000
--- a/docs/model-pws.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# Fully supported hashing methods
-
-The most current mailcow fully supports the following hashing methods.
-The default hashing method is written in bold:
-
-- **BLF-CRYPT**
-- SSHA256
-- SSHA512
-
-The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value.
-
-## Read-only hashing methods
-
-The following methods are supported **read only**.
-
-- MD5-CRYPT
-- PLAIN-MD5
-- SHA512-CRYPT
-
-That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database.
-
-The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords.
-
----
-
-> I changed the password hashes in the "mailbox" SQL table and cannot login.
-
-A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow`
diff --git a/docs/u_e-fido2.md b/docs/u_e-fido2.md
new file mode 100644
index 000000000..49dc78fb8
--- /dev/null
+++ b/docs/u_e-fido2.md
@@ -0,0 +1,15 @@
+## How is UV handled in mailcow?
+
+The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey).
+
+## Login and key processing
+
+mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory.
+
+A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login.
+
+When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory.
+
+## Who can use WebAuthn to login to mailcow?
+
+As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2.
diff --git a/mkdocs.yml b/mkdocs.yml
index 39c5483f0..704d0f072 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -44,7 +44,6 @@ nav:
 - 'ACL': 'model-acl.md'
 - 'Password hashing': 'model-passwd.md'
 - 'Sender and receiver model': 'model-sender_rcv.md'
- - 'WebAuthn / FIDO2': 'model-fido2.md'
 - 'Debugging & Troubleshooting':
 - 'Introduction': debug.md
 - 'Logs': 'debug-logs.md'
@@ -70,6 +69,7 @@ nav:
 - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md'
 - 'Tagging': 'u_e-mailcow_ui-tagging.md'
 - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md'
+ - 'WebAuthn / FIDO2': 'u_e-fido2.md'
 - 'Postfix':
 - 'Custom transport maps': 'u_e-postfix-custom_transport.md'
 - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md'
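Review bot: The first mkdocs.yml hunk drops the nav entry `- 'WebAuthn / FIDO2': 'model-fido2.md'`, but this patch does not delete `docs/model-fido2.md` (the diffstat lists only `docs/model-pws.md` as deleted), so that page appears to remain in the docs tree unlinked from navigation. Conversely, `docs/model-pws.md` is deleted without any nav change, which suggests it was already unreferenced; both observations are inferred from the diffstat rather than the full tree. Consider deleting `docs/model-fido2.md` in the same commit, or stating in the description that it is removed separately, so the "move" is complete. The new entry `- 'WebAuthn / FIDO2': 'u_e-fido2.md'` does match the created file, so the new link resolves.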