On Mon, 2013-03-25 at 17:03 -0500, Scott Lambert wrote:
> On Mon, Mar 25, 2013 at 09:32:16PM +0000, Charles Bradshaw wrote:
> > Andy
> >
> > Thanks for the link. If you read on you will see that while PAM allows
> > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > then NOT be used. That's definitely a step in the wrong direction.
> >
> > I'm coming to the conclusion that I need to understand the code well enough
> > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > of C.
>
> Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> password across the wire by hashing something with the cleartext
> password. These authentication methods require that the cleartext
> password be known (or at least recoverable) by the server and the
> client.

Yep, which was pointed out originally. If the cred store is encrypted it
needs to be a two-way crypt [can be decrypted]. So you basically have a
crypted filesystem store anyway.

> Therefore, the server cannot be using a non-reversible hash of the
> password for its password store.
>
> You can store cleartext passwords in your password database and
> avoid passing passwords in cleartext across the wire.
>
> OR
>
> You can store hashed passwords in your password database and pass
> cleartext passwords over the wire, hopefully inside an SSL/TLS
> connection.

+1

> If you use crypted MD5 hashed passwords in your database, you will
> have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
>
> My system is not running in that configuration so I am not certain
> that you can tell saslauthd to use a mysql database for encrypted
> password storage.

I use saslauthd to a PostgreSQL database that stores crypted passwords -
but it can only do PLAIN/LOGIN in that configuration, none of the newer
mechs that all the cool kids are using.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
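The trade-off the thread describes, worked through in code as an added example (this is not code from the thread, from Cyrus or from Cyrus SASL): a CRAM-MD5 exchange per RFC 2195 keeps the password off the wire but can only be verified by a server that holds the cleartext password, while a PLAIN exchange per RFC 4616 can be checked against a one-way salted hash but puts the password on the wire, which is why it belongs inside TLS. The user name, password, hostname and the PBKDF2-SHA256 hash standing in for a "crypted" database column are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample credential and store contents; none of this comes from the thread.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 100_000


def make_salted_hash(password):
    """One-way, salted hash as a stand-in for a 'crypted' database column."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Two possible server-side stores for the same account.
CLEARTEXT_STORE = {USERNAME: PASSWORD}                 # reversible: required by CRAM-MD5/DIGEST-MD5
HASHED_STORE = {USERNAME: make_salted_hash(PASSWORD)}  # one-way: only PLAIN/LOGIN can use it


# --- CRAM-MD5 (RFC 2195): password stays off the wire, server needs it in clear ---

def cram_md5_challenge(hostname="mail.example.com"):
    """Server step 1: a unique challenge (sent base64-encoded on the wire)."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client step 2: HMAC-MD5 of the challenge, keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def cram_md5_verify(store, response, challenge):
    """Server step 3: recompute the digest from the stored cleartext password."""
    username, digest = response.decode().split(" ", 1)
    password = store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def cram_md5_verify_against_hash(store, response, challenge):
    """What a server holding only a salted one-way hash could attempt.

    It has no password to key the HMAC with; keying with the stored hash
    yields a different digest, so even a correct client response never
    verifies. This is why CRAM-MD5/DIGEST-MD5 must be disabled in that setup.
    """
    username, digest = response.decode().split(" ", 1)
    entry = store.get(username)
    if entry is None:
        return False
    _salt, stored_hash = entry
    expected = hmac.new(stored_hash, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# --- PLAIN (RFC 4616): cleartext on the wire, server may hold a one-way hash ---

def plain_initial_response(username, password, authzid=""):
    """Client: base64(authzid NUL authcid NUL password), as sent in AUTH PLAIN."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()


def plain_decode(initial_response):
    """Server side decode; without TLS anyone on the path can do the same."""
    authzid, username, password = base64.b64decode(initial_response).decode().split("\0")
    return authzid, username, password


def plain_verify(store, initial_response):
    """Server: hash the received cleartext with the stored salt and compare."""
    _authzid, username, password = plain_decode(initial_response)
    entry = store.get(username)
    if entry is None:
        return False
    salt, stored_hash = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored_hash, candidate)


if __name__ == "__main__":
    ch = cram_md5_challenge()
    resp = cram_md5_response(USERNAME, PASSWORD, ch)
    print("CRAM-MD5, cleartext store:", cram_md5_verify(CLEARTEXT_STORE, resp, ch))
    print("CRAM-MD5, hashed store:   ", cram_md5_verify_against_hash(HASHED_STORE, resp, ch))
    ir = plain_initial_response(USERNAME, PASSWORD)
    print("PLAIN, hashed store:      ", plain_verify(HASHED_STORE, ir))
    print("PLAIN wire bytes decode to:", plain_decode(ir))
```

Running it shows the two columns of the trade-off side by side: the same CRAM-MD5 response verifies against the cleartext store and fails against the hashed one, while PLAIN verifies against the hashed store only because the server receives the password itself, so the compromise surface moves from the database (a reversible store) to the transport (a session that must be wrapped in TLS).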