Patrick Ben Koetter wrote:
* Carson Gaspar<carson@xxxxxxxxxx>:
On 11/30/2011 4:18 PM, Howard Chu wrote:
On 30/11/11 11:16 +0100, Christian Roessner wrote:
cmusaslsecretCRAM-MD5
cmusaslsecretDIGEST-MD5 and
cmusaslsecretNTLM
As I recall these are all plaintext-equivalents; i.e. there is no
security benefit from using these pre-hashed values, so they've been
deprecated already. The plugins will retrieve and use them if they're
present, but nothing creates them.
They are _not_ plaintext equivalents. They are realm-limited, so
compromise is limited to just the set of services sharing that realm
(in many cases a single service). i.e. they don't let me use your
password to log in to gmail, or get a shell on your box.
The fact that the cyrus folks decided to deprecate these in favor of
Are they really deprecated? Because if they are it's no use to document them
which is something I am working on.
Don't just take my word for it, use the source. Read saslpasswd.c for yourself.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/