On 02/12/2011 10:38, Howard Chu wrote:
> Alexey Melnikov wrote:
>> On 01/12/2011 07:26, Patrick Ben Koetter wrote:
>>> * Carson Gaspar <carson@xxxxxxxxxx>:
>>>> On 11/30/2011 4:18 PM, Howard Chu wrote:
>>>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>>>>> cmusaslsecretCRAM-MD5
>>>>>> cmusaslsecretDIGEST-MD5 and
>>>>>> cmusaslsecretNTLM
>>>>> As I recall these are all plaintext-equivalents; i.e. there is no
>>>>> security benefit from using these pre-hashed values, so they've been
>>>>> deprecated already. The plugins will retrieve and use them if they're
>>>>> present, but nothing creates them.
>>>> They are _not_ plaintext equivalents. They are realm-limited, so
>>>> compromise is limited to just the set of services sharing that realm
>>>> (in many cases a single service). i.e. they don't let me use your
>>>> password to log in to gmail, or get a shell on your box.
>>>> The fact that the cyrus folks decided to deprecate these in favor of
>>> Are they really deprecated? Because if they are it's no use to
>>> document them, which is something I am working on.
>> I would like to deprecate the CRAM-MD5 and the NTLM one, mostly because
>> the mechanisms are so weak. But last time I've tried I got objections
>> from somebody saying that they have a web application that can generate
>> cmusaslsecretCRAM-MD5 and it relies on the CRAM-MD5 plugin being able to
>> read it.
>> For the time being I don't think that cmusaslsecretDIGEST-MD5 should
>> be considered deprecated.
> The fact remains that the saslpasswd command *deletes* all
> cmusaslsecret* values whenever you set a user's password with it, and
> has done so for years.
Yes, good point. I haven't used this one for years, I have my own tool ;-).
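The realm-binding argument in the thread (Carson's point that a pre-hashed DIGEST-MD5 secret is limited to the realm it was computed for) can be made concrete with the RFC 2831 arithmetic. The following is an added example, not code from the thread or from Cyrus SASL; it assumes, as RFC 2831 specifies, that the server-side secret is HA1 = H(username:realm:password) and that the cmusaslsecretDIGEST-MD5 value is that HA1 (an assumption about the Cyrus storage format, not something the thread states). The user names, realms, nonces and password are constructed sample values.

```python
import hashlib
import hmac


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 H(username:realm:password): the realm-bound secret a server stores.
    Assumption: this is what Cyrus keeps in cmusaslsecretDIGEST-MD5."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """RFC 2831 response-value for qop=auth, derived from HA1 alone.
    The client computes HA1 from the password; the server reads HA1 from
    storage; both then run exactly this computation."""
    def h(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()

    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    return h(f"{h(a1)}:{nonce}:{nc}:{cnonce}:auth:{h(a2)}".encode("utf-8"))


def server_verifies(stored_ha1: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, client_response: str) -> bool:
    """Server side: recompute the expected response from the stored HA1 and
    compare in constant time. No plaintext password is needed here."""
    expected = digest_md5_response(stored_ha1, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, client_response)


def realm_bound_demo() -> dict:
    """Show (a) the same password yields a different stored secret per realm,
    (b) the server authenticates with only its own realm's HA1, and
    (c) that HA1 does not produce a valid response for a different realm."""
    user, password = "alice", "correct horse battery staple"   # constructed
    realm_mail, realm_other = "mail.example.org", "shell.example.org"  # constructed
    nonce, cnonce, nc = "server-nonce-001", "client-nonce-xyz", "00000001"  # constructed

    ha1_mail = digest_md5_ha1(user, realm_mail, password)
    ha1_other = digest_md5_ha1(user, realm_other, password)

    # Client authenticates to the mail service; server holds only ha1_mail.
    client_resp = digest_md5_response(ha1_mail, nonce, cnonce, nc, f"imap/{realm_mail}")
    ok_same_realm = server_verifies(ha1_mail, nonce, cnonce, nc, f"imap/{realm_mail}", client_resp)

    # Someone holding only ha1_mail tries to answer a challenge from the other
    # realm; the other realm's server compares against ha1_other and rejects it.
    forged = digest_md5_response(ha1_mail, nonce, cnonce, nc, f"ssh/{realm_other}")
    ok_cross_realm = server_verifies(ha1_other, nonce, cnonce, nc, f"ssh/{realm_other}", forged)

    return {
        "secrets_differ_per_realm": ha1_mail != ha1_other,
        "same_realm_accepted": ok_same_realm,
        "cross_realm_accepted": ok_cross_realm,
    }


if __name__ == "__main__":
    for k, v in realm_bound_demo().items():
        print(f"{k}: {v}")
```

The takeaway matches the thread: the stored value is sufficient to impersonate the user to any service that shares the realm string (so it must be protected like a password for that realm), but it does not reveal the password and is useless against a service in a different realm.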