Re: can i build a sasl module with support for encrypted passwords?

rupert <rupertt@xxxxxxxxx> · Wed, 23 Jan 2008 11:38:25 +0100

now im up to pam, how can I change the querythat pam does on the DB?
I have a multidomain setup and the username is the email address (test.test.local), but pam cuts of the @test.local in the query

thx again

On Jan 23, 2008 9:23 AM, rupert <rupertt@xxxxxxxxx> wrote:

On Jan 22, 2008 9:05 PM, Rupert <rupertt@xxxxxxxxx> wrote:

Dan White schrieb:
> rupert wrote:
>> Hi,
>> i have my murder cluster running, with passwords stored in a mysql DB.
>> The only thing that bugs me now is that the passwords are stored in

>> plaintext inside the DB.
>> I am using fedora8 and will switch to CentOS once everything runs fine.
>> Can i build a rpm module for sasl that exist beside the packages that
>> are in

>> the repositries?
>>
>> like cyrus-sasl-md5.i386, cyrus-sasl-plain.i386, cyrus-sasl-devel.i386,
>> cyrus-sasl-md5.i386 ...
>>
>> I tried to compile cyrus-sasl.2.19 with the pwcheck patch, but it just

>> messed everythign up.
>>
>> Any other solutions? And why is such a important thing not standard?
>
> Hi Rupert,
>
> I think the MySQL PAM plugin is one possible way to support hashed

> passwords. You would need to disable all mechanisms which depend on
> the auxprop plugin and depend on a clear text password (such as
> DIGEST-MD5).
>
> You'll need to configure your pwcheck_method to include saslauthd, and

> then configure saslauthd to use PAM to authenticate.
>
> I'm not familiar with the pwcheck patch, but it shouldn't be required
> in this scenario.
>
> - Dan
I tried some more times to compile the latest cyrus-sasl with the

patch(read somewhere the .18 also works on the latest sasl) on my fedora
box.
I always get some error while compiling that it cant find mysql.h or
mysqlclient.
I compile it with enable-sql and --with-mysql=/usr/lib/mysql

--with-mysql=/usr/include/mysql
which is where all the files are located it is complaining about. I also
have /usr/lib/mysql in ld.so.conf
Can there be anything else wrong?

thx

ok , i got back to the .19 version and compiled that one.
When I now login the syslog says no worthy mechs found and the maillog a
"frontend imap[2864]: badlogin: frontend [192.168.247.128] plaintext joe@xxxxxxxxxx SASL(-13): authentication failure: checkpass failed"

mysql is working because I can see the query in the mysql.log.

thx

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html