Re: alternative login names

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Gentelman

Sorry to but into this thread at so late a stage. Indeed SASL does not support
encrypted pass words because it can't!

SASL CRAM-MD5 and DIGEST-MD5 do not transmit the pass word over the link, as a
consequence both the client and the server need knowledge of the clear text.

It is possible to store encrypted passwords in some kind of database provided
that the lookup mechanism is capable doing the de-crypt. Mysql AES is one
possibility.

Both MD5 and SHA are a one way hashing functions! Pass word verification
against either requires knowledge of the clear text!

Charles Bradshaw

On: Mon, 4 Feb 2013 18:44:48 +0100, Marc Paterman wrote:

> Wolfgang
> 
> Wolfgang Rosenauer schrieb (04.02.2013 18:03 Uhr):
> 
> > I played around some more with openldap's SASL and ran exactly into the 
> > issue that SASL seems to explicitely _not_ support CRYPT userPasswords.
> > So yes, keeping saslauthd using PAM would help with that.
> What did you test? (I did not do it myself.)
> Like an ldapsearch with "-Y cram-md5" or "-Y plain" both do not work 
> against an object where userPassword is encrypted with CRYPT?
> And both do work while it is encrypted with like SHA or unencrypted?
> 
> Marc
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux