On Mon, Mar 25, 2013 at 09:32:16PM +0000, Charles Bradshaw wrote:
> Andy
>
> Thanks for the link. If you read on you will see that while PAM allows
> storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> then NOT be used. That's definitely a step in the wrong direction.
>
> I'm coming to the conclusion that I need to understand the code well enough
> to add something to cyrus, but sadly I'm just too old to grok the tangle
> of C.

Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext password across the wire by hashing something with the cleartext password. These authentication methods require that the cleartext password be known (or at least recoverable) by the server and the client. Therefore, the server cannot be using a non-reversible hash of the password for its password store.

You can store cleartext passwords in your password database and avoid passing passwords in cleartext across the wire.

OR

You can store hashed passwords in your password database and pass cleartext passwords over the wire, hopefully inside an SSL/TLS connection.

http://en.wikipedia.org/wiki/Digest_access_authentication
http://en.wikipedia.org/wiki/CRAM-MD5

If you use crypted MD5 hashed passwords in your database, you will have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.

My system is not running in that configuration so I am not certain that you can tell saslauthd to use a mysql database for encrypted password storage.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@xxxxxxxxxxxxxx

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
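
The trade-off described in the message above, as an added example that is not part of the original post and not Cyrus SASL code: a CRAM-MD5 exchange (RFC 2195) verified against a cleartext store and against a one-way hashed store, next to a PLAIN-style check against the hashed store. The function names, the account values and the use of PBKDF2 as a stand-in for a crypt-style hash are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(host="mail.example.org"):
    """Server side: RFC 2195 challenge of the form <random.timestamp@host>."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()


def cram_md5_response(user, password, challenge):
    """Client side: base64 of 'user ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def cram_md5_verify(stored_secret, challenge, response):
    """Server side: recompute the HMAC keyed with whatever the password store holds."""
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def one_way_hash(password, salt):
    """Stand-in for a crypt-style password hash (assumption: PBKDF2, not crypt MD5)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def plain_verify(stored_hash, salt, password_from_wire):
    """PLAIN/LOGIN: the cleartext password arrives (inside TLS) and is hashed to compare."""
    return hmac.compare_digest(stored_hash, one_way_hash(password_from_wire, salt))


def demo():
    user, password, salt = "alice", "correct horse", b"constructed-salt"  # constructed values
    hashed_store = one_way_hash(password, salt)
    challenge = make_challenge()
    response = cram_md5_response(user, password, challenge)
    return {
        "cram_cleartext_store": cram_md5_verify(password.encode(), challenge, response),
        "cram_hashed_store": cram_md5_verify(hashed_store, challenge, response),
        "plain_hashed_store": plain_verify(hashed_store, salt, password),
    }


if __name__ == "__main__":
    print(demo())
```

The hashed store fails the CRAM-MD5 check because the server has no key with which to recompute the client's HMAC; the same store passes the PLAIN check because the server receives the password and can hash it.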