Re: digest-md5 password store

Ken Murchison wrote:

> The SASLv1 library used to store a non-plaintext secret for use with 
> DIGEST-MD5.  In fact, it stored separate secrets for each mechanism.  In 
> SASLv2, it was decided to use a single plaintext secret.  Part of this 
> decision was based on the fact that the DIGEST-MD5 secret was tied to 
> the servername/domain, which made the database non-portable.

And I've complained about that decision ever since. I still maintain 
that it was a _terrible_ idea :-(

As someone else said, it is possible to store an interim hash that is 
user and realm specific to avoid storing the plain text password. If you 
want portability, you just have to use the same realm on all servers in 
the same authentication group. _You_ get to choose the scope of validity 
for the stored secret. Sadly with cyrus-sasl v2 the maintainers have 
chosen for you, and they chose "the entire known universe" :-(

-- 
Carson
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
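The "interim hash" Carson refers to is the inner hash of RFC 2831's A1: H(username ":" realm ":" password), a 16-byte value that is bound to one (username, realm) pair and is all a server needs to verify a DIGEST-MD5 response. The following is an added example to illustrate that scheme; it is not code from this thread or from cyrus-sasl, and the usernames, realms, nonces and digest-uri are constructed. It shows a client deriving the response from its password, a server verifying it from the stored interim hash only (never the plaintext), and why a secret stored under one realm cannot verify a challenge issued under another, which is exactly the portability scope Carson describes.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """RFC 2831 H(): raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def HEX(data: bytes) -> str:
    """RFC 2831 HEX(): lowercase hex encoding."""
    return data.hex()


def interim_secret(username: str, realm: str, password: str) -> bytes:
    """The user/realm-specific value a server can store instead of the plaintext.

    It is H(username:realm:password); it only verifies challenges whose
    realm matches the one used when it was stored.
    """
    return H(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """Compute the DIGEST-MD5 'response' value (qop=auth) per RFC 2831.

    A1 = H(username:realm:password) ":" nonce ":" cnonce   (H() is raw bytes)
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    """
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{HEX(H(a1))}:{nonce}:{nc}:{cnonce}:{qop}:{HEX(H(a2))}"
    return HEX(H(kd_input.encode("utf-8")))


def client_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """Client side: derives the interim hash from the password it knows."""
    secret = interim_secret(username, realm, password)
    return digest_response(secret, nonce, cnonce, nc, qop, digest_uri)


def server_verify(stored_secret: bytes, response: str, nonce: str, cnonce: str,
                  nc: str, qop: str, digest_uri: str) -> bool:
    """Server side: verifies using only the stored interim hash.

    Constant-time comparison avoids leaking how many hex digits matched.
    """
    expected = digest_response(stored_secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


# Constructed sample exchange (not taken from any real server).
USER, PASSWORD = "alice", "correct horse battery"
REALM_A, REALM_B = "mail.example.org", "mail.example.net"
NONCE, CNONCE, NC, QOP = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
DIGEST_URI = "imap/mail.example.org"


def demo() -> dict:
    """Stores the secret under REALM_A and checks challenges from both realms."""
    stored = interim_secret(USER, REALM_A, PASSWORD)          # what the DB holds

    # Challenge issued by a server in REALM_A: verifies from the stored hash.
    resp_a = client_response(USER, REALM_A, PASSWORD, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    ok_a = server_verify(stored, resp_a, NONCE, CNONCE, NC, QOP, DIGEST_URI)

    # Challenge issued by a server advertising REALM_B: the client hashes with
    # REALM_B, so a database copied from REALM_A cannot verify it.
    resp_b = client_response(USER, REALM_B, PASSWORD, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    ok_b = server_verify(stored, resp_b, NONCE, CNONCE, NC, QOP, DIGEST_URI)

    return {"same_realm_ok": ok_a, "other_realm_ok": ok_b}


if __name__ == "__main__":
    print(demo())
```

The realm in the server's challenge is what fixes the scope of the stored secret: hosts that advertise the same realm can share one secret database, hosts that advertise different realms cannot, and the server never needs the plaintext password in either case.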
