Hi, interesting that I was delving into the same problem with the same tools just one mail later :)
I use SHA encryption in my postgres.
----------------------------------------------------------------------------------
Da: Raymond T. Sundland <raymond@xxxxxxxxxxxx>
A: Dan White <dwhite@xxxxxxx>
Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Data: 25 gennaio 2011 19.52.42 CET
Oggetto: Re: SASL w/ Encrypted SQL Password Security (Comment, Suggestion and Possible Solution)
I use SHA encryption in my postgres.
Your idea was very good, pity you found it's not working...
Did you find alternatives?
Gabriele.
Did you find alternatives?
Gabriele.
----------------------------------------------------------------------------------
Da: Raymond T. Sundland <raymond@xxxxxxxxxxxx>
A: Dan White <dwhite@xxxxxxx>
Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Data: 25 gennaio 2011 19.52.42 CET
Oggetto: Re: SASL w/ Encrypted SQL Password Security (Comment, Suggestion and Possible Solution)
Thanks for the explanation. Though, I would prefer something better
than MD5 since it has been broken for years.
As for my "hack", it doesn't work because I mis-read what %p was,
thinking it was the password, not the column to look for... so back to
the drawing board. I will look at using something like kerberos, but it
seems like an awful lot of work given my installation requirements. I'm
up for the challenge, nonetheless.
Thanks again.
On 1/25/2011 1:08 PM, Dan White wrote:
> On 25/01/11 12:48 -0500, Raymond T. Sundland wrote:
>> So given that it's been at least 6 years since it's been common
>> security practice to not store cleartext passwords in a database, why
>> does SASL still require it? Can't SASL be modified to accept
>> some token from the SQL query that basically says, "yes the password
>> you gave me matches" ??
>
> SASL provides saslauthd for simple password verification against hashes,
> which you could use along with a SQL PAM module to authenticate against
> Postgres (sasl_pwcheck_method: saslauthd, with a '-a pam' passed to
> saslauthd).
>
> Access to passwords stored in the clear (using an auxprop module) is
> really only necessary if you're using shared secret authentication
> mechanisms, such as DIGEST-MD5.
> With that said, there appears to be a patch within 2.1.24rc1 which would
> allow you to store your passwords md5 hashed, and configure
> 'sasl_pwcheck_method: auxprop-hashed' to do what you want (but without
> shared secret functionality).
>
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/