SASL authentication failures with SQL

Fabian Fagerholm fabbe at paniq.net
Sat Nov 18 15:32:10 EST 2006


[Please don't cc me on list posts, I'm subscribed.]

On Sat, 2006-11-18 at 13:26 -0500, Jason Dixon wrote:
> That was my thought as well.  If this is the case, then how does  
> dovecot-sasl authenticate successfully?

It's probably because of an architectural difference. If I'm not
mistaken, Cyrus SASL uses the auxprop plugins only to fetch the
clear-text password that matches the given username, and then does the
actual authentication (converting passwords to the proper format and
making the comparison) in the library, while Dovecot SASL seems to hand
over the user-supplied username+password combination (possibly doing
conversion or hashing on the way) to the database driver, which asks the
database to make the comparison.

The Dovecot wiki [0] says:

        Default password scheme can usually be specified for password
        database. You can override it by prefixing the password with
        {SCHEME}, for example {PLAIN}password. Note that not all
        password databases support changing the scheme. With some you
        might cause incompatibilities with other software using it (eg.
        passwd, shadow) and with others it simply isn't possible at all
        because of the way they work (eg. PAM).

Note the part about changing the password scheme. If you choose, say,
MD5 as the storage format, then only the MD5 hash of the password is
stored. The plaintext password is not stored. This means that
authentication mechanisms that need access to the plaintext password
(for example, CRAM-MD5) can't be used.

[0] http://wiki.dovecot.org/Authentication/PasswordSchemes

The Cyrus SASL architecture prevents you from storing non-plaintext
passwords when using an auxprop plugin, but in return you can use any
authentication mechanism you like, and switch if you want to. With
Dovecot SASL, you have to make a choice when configuring your system:
either store plaintext passwords and get access to all mechanisms, or
store them encrypted/hashed and limit your mechanism options.

I don't have much experience with Dovecot SASL, but this is what I can
extract from the docs and wiki. I hope it answers your question. :)

Cheers,
-- 
Fabian Fagerholm <fabbe at paniq.net>
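The tradeoff described in this message, as an added example that is not part of the original post and is not Cyrus SASL or Dovecot code: a small server-side model with a password database holding one entry stored in the clear and one stored only as an MD5 hash (the "{SCHEME}value" prefix form follows the wiki quote above; the scheme names, the database contents and the helper names are assumptions for this example). PLAIN-style authentication succeeds against either entry because the server receives the password itself and can apply the stored scheme before comparing, while CRAM-MD5 (RFC 2195, HMAC-MD5 keyed with the password) can only be verified for the entry whose plaintext is available.

```python
import hashlib
import hmac
import secrets

# Constructed password database for this example. Each entry is
# "{SCHEME}value": alice's password is stored in the clear, bob's only as
# a plain MD5 hex digest. Scheme names here are an assumption, not a
# description of any particular product's scheme list.
PASSWORD = "correct horse battery staple"
PASSDB = {
    "alice": "{PLAIN}" + PASSWORD,
    "bob": "{PLAIN-MD5}" + hashlib.md5(PASSWORD.encode()).hexdigest(),
}


def parse_entry(entry):
    """Split '{SCHEME}value' into (scheme, value); no prefix means PLAIN."""
    if entry.startswith("{") and "}" in entry:
        scheme, value = entry[1:].split("}", 1)
        return scheme.upper(), value
    return "PLAIN", entry


def verify_plain(username, password):
    """PLAIN/LOGIN-style check: the client sent the password itself, so the
    server applies whatever scheme the stored entry uses and compares."""
    entry = PASSDB.get(username)
    if entry is None:
        return False
    scheme, value = parse_entry(entry)
    if scheme == "PLAIN":
        return hmac.compare_digest(value.encode(), password.encode())
    if scheme == "PLAIN-MD5":
        return hmac.compare_digest(value, hashlib.md5(password.encode()).hexdigest())
    raise ValueError("unsupported scheme " + scheme)


def cram_md5_challenge():
    """Server side: a fresh, unpredictable challenge string."""
    return "<" + secrets.token_hex(8) + "@example.invalid>"


def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed with the
    password. The password never crosses the wire."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return username + " " + digest


def verify_cram_md5(challenge, response):
    """Server side of CRAM-MD5. Returns True or False when the server can
    recompute the HMAC, and None when the stored entry does not let it."""
    username, _, digest = response.partition(" ")
    entry = PASSDB.get(username)
    if entry is None:
        return False
    scheme, value = parse_entry(entry)
    if scheme != "PLAIN":
        # Only a hash of the password is stored. HMAC-MD5 needs the password
        # itself as key and the hash cannot be inverted, so there is nothing
        # to compare against; a real server fails the AUTH exchange here.
        return None
    expected = hmac.new(value.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def usable_mechanisms(username):
    """Which mechanisms the server can honestly offer for this user, given
    how the password is stored (the list itself is this example's choice)."""
    scheme, _ = parse_entry(PASSDB[username])
    mechanisms = ["PLAIN", "LOGIN"]
    if scheme == "PLAIN":
        mechanisms.append("CRAM-MD5")
    return mechanisms


if __name__ == "__main__":
    challenge = cram_md5_challenge()
    for user in PASSDB:
        plain_ok = verify_plain(user, PASSWORD)
        cram = verify_cram_md5(challenge, cram_md5_response(user, PASSWORD, challenge))
        print(user, parse_entry(PASSDB[user])[0], "PLAIN:", plain_ok,
              "CRAM-MD5:", cram, "offers:", usable_mechanisms(user))
```

Running the block shows the point of the thread: for alice both mechanisms verify, for bob PLAIN verifies but CRAM-MD5 cannot even be attempted. The `None` return is deliberate so that "could not check" is distinguishable from "checked and wrong" when deciding which mechanisms to advertise.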