Ken Murchison wrote:
> The SASLv1 library used to store a non-plaintext secret for use with
> DIGEST-MD5. In fact, it stored separate secrets for each mechanism. In
> SASLv2, it was decided to use a single plaintext secret. Part of this
> decision was based on the fact that the DIGEST-MD5 secret was tied to
> the servername/domain, which made the database non-portable.

And I've complained about that decision ever since. I still maintain that it was a _terrible_ idea :-(

As someone else said, it is possible to store an interim hash that is user and realm specific to avoid storing the plain text password. If you want portability, you just have to use the same realm on all servers in the same authentication group.

_You_ get to choose the scope of validity for the stored secret. Sadly with cyrus-sasl v2 the maintainers have chosen for you, and they chose "the entire known universe" :-(

--
Carson

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
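The interim hash the message above refers to is the H(username:realm:password) value from RFC 2831. The following is an added example, not part of the original message and not cyrus-sasl code: a server verifies DIGEST-MD5 responses from that stored hash alone, two hosts sharing one realm accept it, and a group using a different realm does not. The user, password, realms, host names and nonces are constructed, and UTF-8 encoding with no authzid is assumed.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_secret(user: str, realm: str, password: str) -> bytes:
    """Interim hash H(user:realm:password) of RFC 2831; the only thing the server keeps."""
    return md5(f"{user}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 'response' value (no authzid), derived from the interim hash alone."""
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode("utf-8")).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()

def server_verify(db: dict, user: str, response: str, **exchange) -> bool:
    """Check a client response against the stored interim hash; no plaintext needed."""
    secret = db.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(digest_response(secret, **exchange), response)

def demo() -> dict:
    # Constructed sample data: user, password, realms, hosts and nonces are made up.
    user, password = "alice", "correct horse battery"
    group_db = {user: stored_secret(user, "example.org", password)}    # shared by mail1 and mail2
    other_db = {user: stored_secret(user, "other.example", password)}  # separate authentication group
    ex1 = dict(nonce="c2VydmVyLW5vbmNlLTE", cnonce="Y2xpZW50LTE", nc="00000001",
               digest_uri="imap/mail1.example.org")
    ex2 = dict(ex1, nonce="c2VydmVyLW5vbmNlLTI", digest_uri="imap/mail2.example.org")
    # Client side: derives the same interim hash from the password and the realm it was offered.
    client = stored_secret(user, "example.org", password)
    return {
        "mail1": server_verify(group_db, user, digest_response(client, **ex1), **ex1),
        "mail2": server_verify(group_db, user, digest_response(client, **ex2), **ex2),
        # The example.org hash does not authenticate in a group that uses another realm.
        "other_realm": server_verify(other_db, user, digest_response(client, **ex1), **ex1),
        "wrong_password": server_verify(
            group_db, user,
            digest_response(stored_secret(user, "example.org", "guess"), **ex1), **ex1),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The stored hash is still sufficient to compute valid DIGEST-MD5 responses within its own realm, so the database needs the same protection either way; the realm only bounds where a copied entry is valid.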