On Mon, Mar 08, 2021 at 10:41:55AM +0000, Daniel P. Berrangé wrote:
> On Fri, Mar 05, 2021 at 08:02:49AM +0100, Erik Skultety wrote:
> > On Thu, Mar 04, 2021 at 06:10:11PM +0000, Daniel P. Berrangé wrote:
> > > GSSAPI and SCRAM-SHA-256 are the only two SASL mechanisms we
> > > especially want people to be using. Even the latter is a little
> > > questionable due to storing passwords in cleartext on the server.
> >
> > At what point of the SCRAM-SHA-256 auth process is the password handled as clear
> > text? I mean I tried to look up the issue you mention and couldn't find
> > anything, quite the contrary, e.g. Postgres says SCRAM-SHA-256 is the only
> > recommended scheme for password-based auth and storing passwords in clear text
> > is not possible. Isn't it kind of the point that passwords are never stored in
> > clear text with this scheme?
>
> You can clearly see the passwd in clear text in the file.
>
> Add a new user:
>
> $ echo "fish food" | saslpasswd2 -a libvirt demo
>
> Look for the password:
>
> $ strings /etc/libvirt/passwd.db | grep fish
> fish food
>
> The actual mechanism protocol does send in clear text over the wire.
> The storage in clear text on the server side is simply a choice of the
> cyrus-sasl impl of this mechanism documented here:
>
> https://www.cyrusimap.org/sasl/sasl/faqs/plaintextpasswords.html

So if this is the case, why are we even bothering promoting an insecure
solution, why not promote only GSSAPI for the reasons given? Backcompat?

Erik
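Added example (not code from libvirt or cyrus-sasl): the SCRAM-SHA-256 key derivation from RFC 5802/7677 carried through in Python, showing that a server only needs the salt, iteration count, StoredKey and ServerKey on disk to verify a client proof, so keeping the cleartext password in passwd.db is an implementation choice rather than a protocol requirement. The record format, function names and the "fish food" test password are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class ScramRecord:
    """What a SCRAM server must persist per user (hypothetical layout)."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey), enough to verify client proofs
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"), for server proof


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _client_key(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword := Hi(password, salt, i) == PBKDF2-HMAC-SHA-256
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return _hmac(salted, b"Client Key")


def make_record(password: str, salt: bytes = None, iterations: int = 4096) -> ScramRecord:
    """Run once at saslpasswd2 time; the password itself is not kept."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return ScramRecord(salt, iterations, hashlib.sha256(client_key).digest(),
                       _hmac(salted, b"Server Key"))


def client_proof(password: str, rec: ScramRecord, auth_message: bytes) -> bytes:
    """Client side: ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _client_key(password, rec.salt, rec.iterations)
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))


def server_verify(rec: ScramRecord, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey)."""
    client_key = _xor(proof, _hmac(rec.stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), rec.stored_key)


def record_contains_password(rec: ScramRecord, password: str) -> bool:
    """The 'strings | grep' check from the thread, applied to this record."""
    return password.encode() in rec.salt + rec.stored_key + rec.server_key
```

AuthMessage is the concatenation of client-first-bare, server-first and client-final-without-proof; a constructed one is enough to exercise the verification.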