Crypted SQL passwords

Patrick Ben Koetter p at state-of-mind.de
Mon Jul 16 13:11:08 EDT 2007


* Mike Erdely <mike at erdelynet.com>:
> I'm sorry if this is a FAQ, but I haven't found an answer to this.
> 
> I'd like to use cyrus-sasl with mysql and sendmail to do SMTP_AUTH.  I'd
> like to store my passwords encrypted in my db.  Out of the box,
> cyrus-sasl doesn't seem to support this, but with the patch here:
> http://frost.ath.cx/software/cyrus-sasl-patches/
> Things work as expected.
> 
> FYI: I'm using cyrus-sasl-2.1.21p4-mysql on OpenBSD 4.1.
> 
> Am I missing something?  Is there a reason this functionality is not in
> cyrus-sasl?

If you want to offer/use shared-secret mechanisms, then you have to store the
passwords unencrypted - the way shared-secret mechanisms work requires this.

This is intended behaviour in Cyrus SASL and that's why the frost patch
doesn't ship with the Cyrus SASL sources.

If you apply the frost patch, Cyrus SASL loses the ability to process
shared-secret mechanisms in combination with MySQL as authentication backend.

The gain over the loss is that you can store the passwords encrypted.

People who want to store and use crypted passwords in a MySQL DB probably have
an easier life if they just use saslauthd as Cyrus SASL password verification
service and let saslauthd hand the authentication over to PAM (saslauthd -a
pam ...). Then in PAM use the pam_mysql plugin and let it authenticate against
crypted passwords. You get the same, but you don't need to patch Cyrus SASL.

p at rick

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
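
The trade-off described in this reply, as an added example that is not part of the original post or of Cyrus SASL code. It assumes CRAM-MD5 as a representative shared-secret mechanism and uses PBKDF2 as a stand-in for the crypt scheme in the database; the user name, password, challenge and salt are constructed.

```python
import hashlib
import hmac

def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without sending it."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()

def verify_cram_md5(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: must recompute the HMAC, so it needs the same key the
    client used, i.e. the plaintext password."""
    _user, _, digest = response.decode().rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hash_password(password: bytes, salt: bytes) -> bytes:
    """Stand-in for the crypted value kept in the SQL table (assumption:
    PBKDF2 here; the real scheme depends on the deployment)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_plain(stored_hash: bytes, salt: bytes, presented: bytes) -> bool:
    """Plaintext mechanisms (PLAIN/LOGIN) hand the password to the server,
    so the server can hash it and compare against the stored value."""
    return hmac.compare_digest(stored_hash, hash_password(presented, salt))

def demo() -> dict:
    password = b"constructed-secret"                   # constructed sample
    challenge = b"<1896.697170952@mail.example.org>"   # constructed sample
    salt = bytes(16)                                   # fixed only for the demo
    stored_hash = hash_password(password, salt)
    response = cram_md5_response("mike", password, challenge)
    return {
        # Backend stores the plaintext: shared-secret auth works.
        "cram_with_plaintext": verify_cram_md5(password, challenge, response),
        # Backend stores only the hash: the HMAC key differs, auth fails.
        "cram_with_hash": verify_cram_md5(stored_hash, challenge, response),
        # Backend stores only the hash, client uses PLAIN: auth works.
        "plain_with_hash": verify_plain(stored_hash, salt, password),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```
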

