Information about SASL and LDAP
Howard Chu
hyc at highlandsun.com
Thu Dec 1 03:13:10 EST 2011
Patrick Ben Koetter wrote:
> * Carson Gaspar<carson at taltos.org>:
>> On 11/30/2011 4:18 PM, Howard Chu wrote:
>>>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>
>>>>>> cmusaslsecretCRAM-MD5
>>>>>> cmusaslsecretDIGEST-MD5 and
>>>>>> cmusaslsecretNTLM
>>
>>> As I recall these are all plaintext-equivalents; i.e. there is no
>>> security benefit from using these pre-hashed values, so they've been
>>> deprecated already. The plugins will retrieve and use them if they're
>>> present, but nothing creates them.
>>
>> They are _not_ plaintext equivalents. They are realm-limited, so
>> compromise is limited to just the set of services sharing that realm
>> (in many cases a single service). i.e. they don't let me use your
>> password to log in to gmail, or get a shell on your box.
>>
>> The fact that the cyrus folks decided to deprecate these in favor of
>
> Are they really deprecated? Because if they are its no use to document them
> which is something I am working on.
Don't just take my word for it, use the source. Read saslpasswd.c for yourself.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the Cyrus-sasl
mailing list