SASL w/ Encrypted SQL Password Security (Comment, Suggestion and Possible Solution)

Dan White dwhite at olp.net
Tue Jan 25 13:08:25 EST 2011


On 25/01/11 12:48 -0500, Raymond T. Sundland wrote:
>    So given that it's been at least 6 years since it's been common
>    security practice to not store cleartext passwords in a database, why
>    does SASL still require it?  Can't SASL be modified to accept
>    some token from the SQL query that basically says, "yes the password
>    you gave me matches" ??

SASL provides saslauthd for simple password verification against hashes,
which you could use along with a SQL PAM module to authenticate against
Postgres (sasl_pwcheck_method: saslauthd, with a '-a pam' passed to
saslauthd).

Access to passwords stored in the clear (using an auxprop module) is
really only necessary if you're using shared secret authentication
mechanisms, such as DIGEST-MD5. 

With that said, there appears to be a patch within 2.1.24rc1 which would
allow you to store your passwords md5 hashed, and configure
'sasl_pwcheck_method: auxprop-hashed' to do what you want (but without
shared secret functionality).

-- 
Dan White
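As an added illustration (not part of the original thread, nor Cyrus SASL's own code) of the distinction Dan draws: a DIGEST-MD5 server must recompute the RFC 2831 response, which starts from H(user:realm:password), so it needs the stored cleartext, whereas a PLAIN/LOGIN check can be done against a salted hash of the kind a PAM/SQL backend behind saslauthd would keep. The nonce, user, realm and URI values are constructed, and PBKDF2-SHA256 is an assumed stand-in for whatever hash the SQL table actually uses.

```python
import hashlib
import hmac
import os

# Constructed sample exchange values (not taken from any real server).
USER, REALM, PASSWORD = "alice", "example.org", "correct horse"
NONCE, CNONCE, URI = "srvnonce123", "clinonce456", "imap/mail.example.org"


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(user, realm, password, nonce, cnonce, uri, nc="00000001", qop="auth"):
    """Client response per RFC 2831 (qop=auth, no authzid). A1 begins with the raw
    H(user:realm:password), so whoever computes this needs the password itself."""
    a1 = _h(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{uri}".encode()
    kd = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}".encode()
    return _h(kd).hex()


def verify_digest_md5(cleartext_password, user, realm, nonce, cnonce, uri, response):
    """Server side: recompute the expected response. This is only possible with the
    cleartext (or a secret derived from it), which is what an auxprop plugin supplies."""
    expected = digest_md5_response(user, realm, cleartext_password, nonce, cnonce, uri)
    return hmac.compare_digest(expected, response)


def store_salted_hash(password, salt=None):
    """What a hash-only store (e.g. a SQL table checked by PAM under saslauthd) keeps."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_plain(stored, password):
    """Server side for PLAIN/LOGIN: the password arrives (over TLS) and is re-hashed;
    no cleartext secret has to exist anywhere on the server."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    resp = digest_md5_response(USER, REALM, PASSWORD, NONCE, CNONCE, URI)
    print("DIGEST-MD5 ok:", verify_digest_md5(PASSWORD, USER, REALM, NONCE, CNONCE, URI, resp))
    print("PLAIN ok:", verify_plain(store_salted_hash(PASSWORD), PASSWORD))
```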