/etc/sasldb export

Benjamin Schmidt schmidi2 at directbox.com
Thu Jun 28 09:11:11 EDT 2007 

Thanks for your answers.

The tools of db4-utils didn't work for me. eg:

$ db4.5_dump -d a sasldb
[042] 3006 len:  21 data: blabla00uranus00CRAM-MD...
        [043] 2973 len:  32 data:
k~0xc10xfb0x150x1b0xde0xe5o/l0x96K0x880xd20x110xb11P0xa8...


The strings-command didn't work either.

$ strings /etc/sasldb


Extracting the usernames, realm and mech is possible. Password not.

It seems that the passwords are encrypted/hashed in some way.

Copied some source-code from "cyrus-sasl-1.5.27" file "checkpw.c"

---
/* we store the following secret to check plaintext passwords:
 *
 * <salt> \0 <secret>
 *
 * where <secret> = MD5(<salt>, "sasldb", <pass>)
 */
static int _sasl_make_plain_secret(const char *salt,
				   const char *passwd, int passlen,
				   sasl_secret_t **secret)
{
    MD5_CTX ctx;
    unsigned sec_len = 16 + 1 + 16; /* salt + "\0" + hash */

    *secret = (sasl_secret_t *) sasl_ALLOC(sizeof(sasl_secret_t) +
					   sec_len * sizeof(char));
    if (*secret == NULL) {
	return SASL_NOMEM;
    }

    MD5Init(&ctx);
    MD5Update(&ctx, salt, 16);
    MD5Update(&ctx, "sasldb", 6);
    MD5Update(&ctx, passwd, passlen);
    memcpy((*secret)->data, salt, 16);
    memcpy((*secret)->data + 16, "\0", 1);
    MD5Final((*secret)->data + 17, &ctx);
    (*secret)->len = sec_len;

    return SASL_OK;
}
---

=MD5

Means, it's impossible to export the passwords as cleartext!



So I must find a way of using these md5-hashed passwords or distribute
new passwords.


Thanks for your help,
Benjamin Schmidt


Scott M. Likens wrote:
> You should be able to run strings on it.
> 
> (e.g.) strings /etc/sasldb
> 
> There is no encryption in place, so you just need to gather the
> plaintext usernames and passwords, and then INSERT them into mysql and
> you're golden :)
> 
> Scott
> 
> On Wed, 06 Jun 2007 11:23:21
> "Benjamin Schmidt" <schmidi2 at directbox.com> wrote:
> 
>> Hello
>>
>> I like to import all old sasl user with passwords to a new system.
>>
>> Current storage: /etc/sasldb    (Berkeley DB (Hash, version 7, native
>> byte-order))
>>
>> New storage: mysql table
>>
>> Does anyone known an existing tool of exporting all sasl users with
>> password from the berkeley db? Google didn't reponse my useable
>> results.
>>
>> Is it impossible to export the passwords (are they hash-encrypted)?
>>
>> Thanks in advance,
>> Benjamin Schmidt
>>
>>
>>
>> !DSPAM:4666b44973451110213369!
>>
>>
> 
>

More information about the Cyrus-sasl mailing list