checkpw.c crypt patch
David van Geest
davidv at spindance.com
Tue Jul 21 14:44:34 EDT 2009
Patrick Ben Koetter wrote:
> * David van Geest <davidv at spindance.com>:
>
>> Hi All,
>>
>> I'm working on getting Postfix to authenticate SMTP users from a MySQL
>> DB which stores encrypted passwords. Various how-to's recommend
>> cyrus-sasl, but it seems that to use it for encrypted passwords you need
>> the checkpw.c+sql.c patch. The only version of this patch I can find
>> (http://pieps.org/cyrus/dist/2.1.19/) is for cyrus-sasl-2.1.19. Has the
>> patch been merged into later versions of cyrus-sasl, or do I need to use
>> 2.1.19?
>>
>
> The/any patch breaks shared-secret mechanisms, which require plaintext
> passwords.
>
>
>> Also if anyone has pointers on getting this going, I'd be happy to hear
>> them.
>>
>
> No need to patch.
>
> Use saslauthd -> PAM -> pam:mysql -> MySQL(crypted passwords)
>
> p at rick
>
Thanks Patrick! I'm attempting what you suggest using pam:mysql. My
/etc/pam.d/smtp.postfix looks like this:

auth optional pam_mysql.so user=<mysql_username> passwd=<mysql_pw> host=host.domain db=<db_name> table=<user_table> usercolumn=<user_column> passwdcolumn=<user_pass_column> crypt=1
account required pam_mysql.so user=<mysql_username> passwd=<mysql_pw> host=host.domain db=<db_name> table=<user_table> usercolumn=<user_column> passwdcolumn=<user_pass_column> crypt=1

A follow-up question: how does this work when using a salt? The DB
admin wants to store the password hash and password salt in separate
columns in MySQL, so it seems like I would need to add another option in
the above lines to specify the salt column, so the salt value can be
used with crypt().
-David
<http://www.spindance.com>
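
An added example, not part of the original message: in a crypt(3)-format hash the salt is stored inside the hash string itself, and verification reads it back from there. The Python code below splits such strings and rebuilds one from separate salt and digest columns; the function names and sample strings are constructed, and it assumes the digest column was produced by crypt(3) with that salt.

```python
import re

# Modular crypt format: $id$[rounds=N$]salt$digest (1=MD5, 5=SHA-256, 6=SHA-512).
# bcrypt ($2a$...) uses a different layout and is deliberately not handled here.
MCF = re.compile(r"^\$(?P<id>[156])\$(?:(?P<rounds>rounds=\d+)\$)?"
                 r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$")
# Traditional DES crypt: 2 salt characters followed by 11 digest characters.
DES = re.compile(r"^(?P<salt>[./0-9A-Za-z]{2})(?P<digest>[./0-9A-Za-z]{11})$")


def split_crypt(stored):
    """Return (setting, salt, digest) for a stored crypt(3) string.

    'setting' is the prefix crypt() needs as its second argument to
    recompute the hash of a candidate password.
    """
    m = MCF.match(stored)
    if m:
        parts = [m["id"]] + ([m["rounds"]] if m["rounds"] else []) + [m["salt"]]
        return "$" + "$".join(parts) + "$", m["salt"], m["digest"]
    m = DES.match(stored)
    if m:
        return m["salt"], m["salt"], m["digest"]
    raise ValueError("not a crypt(3) hash string")


def join_columns(scheme_id, salt, digest):
    """Rebuild one crypt(3) string from separately stored salt and digest."""
    stored = f"${scheme_id}${salt}${digest}"
    split_crypt(stored)  # raises ValueError if the pieces are not crypt(3)-shaped
    return stored


if __name__ == "__main__":
    # Constructed sample values: the digests are placeholders, not real hashes.
    samples = [
        "$1$abcdefgh$" + "A" * 22,               # MD5-crypt layout
        "$6$rounds=5000$saltsalt$" + "B" * 86,   # SHA-512-crypt layout
        "ab" + "C" * 11,                         # traditional DES layout
    ]
    for s in samples:
        setting, salt, digest = split_crypt(s)
        print(f"setting={setting!r} salt={salt!r} digest_len={len(digest)}")
    print(join_columns("1", "abcdefgh", "A" * 22))
```

A value that is not in this layout, such as a bare hex digest with its salt kept in another column, raises ValueError in split_crypt.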