Information about SASL and LDAP

Howard Chu hyc at highlandsun.com
Thu Dec 1 03:13:10 EST 2011


Patrick Ben Koetter wrote:
> * Carson Gaspar<carson at taltos.org>:
>> On 11/30/2011 4:18 PM, Howard Chu wrote:
>>>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>
>>>>>> cmusaslsecretCRAM-MD5
>>>>>> cmusaslsecretDIGEST-MD5 and
>>>>>> cmusaslsecretNTLM
>>
>>> As I recall these are all plaintext-equivalents; i.e. there is no
>>> security benefit from using these pre-hashed values, so they've been
>>> deprecated already. The plugins will retrieve and use them if they're
>>> present, but nothing creates them.
>>
>> They are _not_ plaintext equivalents. They are realm-limited, so
>> compromise is limited to just the set of services sharing that realm
>> (in many cases a single service). i.e. they don't let me use your
>> password to log in to gmail, or get a shell on your box.
>>
>> The fact that the cyrus folks decided to deprecate these in favor of
>
> Are they really deprecated? Because if they are its no use to document them
> which is something I am working on.

Don't just take my word for it, use the source. Read saslpasswd.c for yourself.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


More information about the Cyrus-sasl mailing list