Thanks guys, I think it's finally sunk in. DIGEST-MD5 and CRAM-MD5 are mutually exclusive with hashed passwords. D'oh! I think I even posted that fact in answer to a previous thread.

On Mon, 2013-03-25 at 21:09 -0400, Adam Tauno Williams wrote:
> On Mon, 2013-03-25 at 17:03 -0500, Scott Lambert wrote:
> > On Mon, Mar 25, 2013 at 09:32:16PM +0000, Charles Bradshaw wrote:
> > > Andy
> > > Thanks for the link. If you read on you will see that while PAM allows
> > > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > > then NOT be used. That's definitely a step in the wrong direction.
> > > I'm coming to the conclusion that I need to understand the code well enough
> > > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > > of C.
> >
> > Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> > password across the wire by hashing something with the cleartext
> > password. These authentication methods require that the cleartext
> > password be known (or at least recoverable) by the server and the
> > client.
>
> Yep, which was pointed out originally. If the cred store is encrypted
> it needs to be a two-way crypt [can be decrypted]. So you basically
> have a crypted filesystem store anyway.
>
> > Therefore, the server cannot be using a non-reversible hash of the
> > password for its password store.
> >
> > You can store cleartext passwords in your password database and
> > avoid passing passwords in cleartext across the wire.
> >
> > OR
> >
> > You can store hashed passwords in your password database and pass
> > cleartext passwords over the wire, hopefully inside an SSL/TLS
> > connection.
>
> +1
>
> > If you use crypted MD5 hashed passwords in your database, you will
> > have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
> >
> > My system is not running in that configuration so I am not certain
> > that you can tell saslauthd to use a mysql database for encrypted
> > password storage.
>
> I use saslauthd to a PostgreSQL database that stores crypted passwords -
> but it can only do PLAIN/LOGIN in that configuration, none of the newer
> mechs that all the cool kids are using.

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
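As an added illustration of the point made in this thread (example code, not from the thread, Cyrus or SASL), the CRAM-MD5 exchange of RFC 2195 beside a PLAIN-style check against a one-way hash: the HMAC step only works when the server holds the cleartext (or something decryptable to it), while the hashed store only works when the cleartext arrives over the wire. The salted SHA-256 hash stands in for a crypt(3)-style entry and all credentials and the nonce are constructed.

```python
import base64
import hashlib
import hmac
import secrets

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the cleartext
    password over the server's challenge, sent as base64("user hexdigest")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def cram_md5_verify(store: dict, response: str, challenge: bytes) -> bool:
    """Server side: recompute the HMAC, which is only possible when `store`
    maps the user to the cleartext password (or something decryptable to it).
    Given a store of one-way hashes instead, the recomputed value can never
    match a legitimate client's response, so verification always fails."""
    username, _, digest = base64.b64decode(response).decode().partition(" ")
    secret = store.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hash_password(password: str, salt: str = "") -> str:
    """One-way, salted hash (constructed stand-in for a crypt(3)-style entry
    in MySQL/PostgreSQL); the cleartext is not recoverable from it."""
    salt = salt or secrets.token_hex(8)
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def plain_verify(hashed_store: dict, username: str, password: str) -> bool:
    """The PLAIN/LOGIN path: the cleartext arrives over the wire (inside TLS)
    and is re-hashed with the stored salt for comparison."""
    entry = hashed_store.get(username)
    if entry is None:
        return False
    salt, _, _ = entry.partition("$")
    return hmac.compare_digest(hash_password(password, salt), entry)

def demo(challenge: bytes = b"<constructed-nonce@example.invalid>") -> tuple:
    """Return (CRAM-MD5 vs cleartext store, PLAIN vs hashed store,
    CRAM-MD5 vs hashed store) for one correct client response."""
    pw = "correct horse"                          # constructed sample credential
    clear_store = {"alice": pw}                   # what CRAM/DIGEST-MD5 need
    hashed_store = {"alice": hash_password(pw, "c0ffee")}  # what PLAIN can use
    resp = cram_md5_response("alice", pw, challenge)
    return (cram_md5_verify(clear_store, resp, challenge),
            plain_verify(hashed_store, "alice", pw),
            cram_md5_verify(hashed_store, resp, challenge))
```

`demo()` returns `(True, True, False)`: the third value is the configuration the thread rules out, a correct CRAM-MD5 response that a hash-only server cannot validate.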