<div style="font-family: Verdana; font-size: 12px;">Hi, interesting that I was delving into the same problem with the same tools just one mail later :)<br><br>I use SHA encryption in my postgres.<br><div>Your idea was very good, pity you found it's not working...<br><br><br>Did you find alternatives?<br>Gabriele.<br><br></div><tt><br><br><br>----------------------------------------------------------------------------------<br><br>From: Raymond T. Sundland &lt;raymond@sundland.com&gt;<br>To: Dan White &lt;dwhite@olp.net&gt; <br>Cc: info-cyrus@lists.andrew.cmu.edu <br>Date: 25 January 2011 19:52:42 CET<br>Subject: Re: SASL w/ Encrypted SQL Password Security (Comment, Suggestion and Possible Solution)<br><br></tt><blockquote style="border-left: 2px solid rgb(0, 0, 128); margin-left: 5px; padding-left: 5px;"><tt>Thanks for the explanation. Though, I would prefer something better<br>than MD5 since it has been broken for years.<br><br>As for my "hack", it doesn't work because I mis-read what %p was,<br>thinking it was the password, not the column to look for... so back to<br>the drawing board. I will look at using something like kerberos, but it<br>seems like an awful lot of work given my installation requirements. I'm<br>up for the challenge, nonetheless.<br><br>Thanks again.<br><br>On 1/25/2011 1:08 PM, Dan White wrote:<br>> On 25/01/11 12:48 -0500, Raymond T. Sundland wrote:<br>>> So given that it's been at least 6 years since it's been common<br>>> security practice to not store cleartext passwords in a database, why<br>>> does SASL still require it?&nbsp; Can't SASL be modified to accept<br>>> some token from the SQL query that basically says, "yes the password<br>>> you gave me matches" ??<br>><br>> SASL provides saslauthd for simple password verification against hashes,<br>> which you could use along with a SQL PAM module to authenticate against<br>> Postgres (sasl_pwcheck_method: saslauthd, with a '-a pam' passed to<br>> saslauthd).<br>><br>> Access to passwords stored in the clear (using an auxprop module) is<br>> really only necessary if you're using shared secret authentication<br>> mechanisms, such as DIGEST-MD5.<br>> With that said, there appears to be a patch within 2.1.24rc1 which would<br>> allow you to store your passwords md5 hashed, and configure<br>> 'sasl_pwcheck_method: auxprop-hashed' to do what you want (but without<br>> shared secret functionality).<br>><br>----<br>Cyrus Home Page: http://www.cyrusimap.org/<br>List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/<br><br><br><br></tt></blockquote></div>
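An added illustration of the point Dan makes in the quoted thread (this is example code written for this page, not code from the thread, from Cyrus SASL or from saslauthd): a shared-secret mechanism such as DIGEST-MD5 makes the server recompute the client's response from the password itself, so a salted one-way hash in the database cannot serve it, whereas a password sent in the clear over TLS (PLAIN via saslauthd/PAM) can be checked against such a hash. The user, realm, nonces and salted SHA-256 store are constructed for the example; the response computation follows RFC 2831 for qop=auth without an authzid.

```python
import hashlib
import hmac
import os

def _h(data: bytes) -> bytes:
    """RFC 2831 H(): raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()

def digest_md5_response(user, realm, password, nonce, cnonce, digest_uri,
                        nc=b"00000001", qop=b"auth") -> str:
    """response-value from RFC 2831 (qop=auth, no authzid). The client runs this
    with the password it knows; the server must run the very same computation,
    which is only possible if it holds the cleartext password (or the unsalted
    H(user:realm:password) value, which is equivalent for this purpose)."""
    a1 = _h(b":".join([user, realm, password])) + b":" + nonce + b":" + cnonce
    a2 = b"AUTHENTICATE:" + digest_uri
    ha1 = hashlib.md5(a1).hexdigest().encode()
    ha2 = hashlib.md5(a2).hexdigest().encode()
    return hashlib.md5(b":".join([ha1, nonce, nc, cnonce, qop, ha2])).hexdigest()

def server_verify_digest(stored_cleartext, user, realm, nonce, cnonce,
                         digest_uri, client_response) -> bool:
    """Server side of DIGEST-MD5: needs the secret, not a hash of it."""
    expected = digest_md5_response(user, realm, stored_cleartext, nonce, cnonce, digest_uri)
    return hmac.compare_digest(expected, client_response)

def make_salted_store(password: bytes, salt: bytes = b"") -> bytes:
    """Constructed hashed-column format: 16-byte salt || SHA-256(salt || password)."""
    salt = salt or os.urandom(16)
    return salt + hashlib.sha256(salt + password).digest()

def verify_plain(stored: bytes, password: bytes) -> bool:
    """What saslauthd/PAM can do with a PLAIN login: hash the presented password
    with the stored salt and compare; the cleartext is never kept on disk."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)

def demo():
    """Returns (digest_ok, plain_ok, plain_wrong) for constructed sample values."""
    user, realm, pw = b"gabriele", b"example.org", b"correct horse"
    nonce, cnonce, uri = b"srv-nonce-123", b"cli-nonce-456", b"imap/mail.example.org"
    resp = digest_md5_response(user, realm, pw, nonce, cnonce, uri)
    digest_ok = server_verify_digest(pw, user, realm, nonce, cnonce, uri, resp)
    # With only make_salted_store(pw) on file there is nothing to feed into A1,
    # so DIGEST-MD5 cannot be verified; PLAIN against the same store works.
    store = make_salted_store(pw)
    return digest_ok, verify_plain(store, pw), verify_plain(store, b"wrong")

if __name__ == "__main__":
    print(demo())
```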