Information about SASL and LDAP

Alexey Melnikov alexey.melnikov at isode.com
Thu Dec 1 13:05:13 EST 2011


On 01/12/2011 07:26, Patrick Ben Koetter wrote:
> * Carson Gaspar <carson at taltos.org>:
>> On 11/30/2011 4:18 PM, Howard Chu wrote:
>>>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>>>>> cmusaslsecretCRAM-MD5
>>>>>> cmusaslsecretDIGEST-MD5 and
>>>>>> cmusaslsecretNTLM
>>>>>>
>>> As I recall these are all plaintext-equivalents; i.e. there is no
>>> security benefit from using these pre-hashed values, so they've been
>>> deprecated already. The plugins will retrieve and use them if they're
>>> present, but nothing creates them.
>> They are _not_ plaintext equivalents. They are realm-limited, so
>> compromise is limited to just the set of services sharing that realm
>> (in many cases a single service). i.e. they don't let me use your
>> password to log in to gmail, or get a shell on your box.
>>
>> The fact that the cyrus folks decided to deprecate these in favor of
> Are they really deprecated? Because if they are it's no use to document them,
> which is something I am working on.
I would like to deprecate the CRAM-MD5 and the NTLM one, mostly because
the mechanisms are so weak. But the last time I tried I got objections
from somebody saying that they have a web application that can generate
cmusaslsecretCRAM-MD5 and it relies on the CRAM-MD5 plugin being able to
read it.

For the time being I don't think that cmusaslsecretDIGEST-MD5 should be considered deprecated.
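The realm-binding that the thread argues over, shown as an added example (this is not Cyrus SASL code and does not reproduce the on-disk encoding of cmusaslsecretDIGEST-MD5; it only models the RFC 2831 computation). The server stores the 16 raw bytes of MD5(username:realm:password) and never the password. The demo shows that a stolen stored value does let an attacker answer a DIGEST-MD5 challenge for the realm it was created for, but is useless against a service in another realm, which is exactly the "compromise is limited to the realm" property. The usernames, realms, nonces and passwords in demo() are constructed; check_rfc2831_vector() uses the worked example from RFC 2831 section 4.

```python
"""DIGEST-MD5 (RFC 2831) verification from a realm-bound stored secret.

Added example, not Cyrus SASL code.  Assumption: the stored secret is the
raw 16-byte MD5(username:realm:password) of RFC 2831 section 2.1.2.1;
the exact cmusaslsecretDIGEST-MD5 attribute encoding is not modelled.
"""
import hashlib
import hmac


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What the server keeps: raw MD5(username:realm:password), bound to one realm."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def response_value(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                   digest_uri: str, for_server: bool = False) -> str:
    """RFC 2831 response-value computed from the stored secret, not the password.

    A1 = H(user:realm:pass) ":" nonce ":" cnonce          (H() as raw bytes)
    A2 = "AUTHENTICATE:" digest-uri  (client)  /  ":" digest-uri  (server rspauth)
         + ":" + 32 zeros when qop is auth-int or auth-conf
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    """
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = ("" if for_server else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri) -> str:
    """Client side: derives the realm secret from the password it knows."""
    return response_value(stored_secret(username, realm, password),
                          nonce, cnonce, nc, qop, digest_uri)


def server_verify(secret: bytes, nonce, cnonce, nc, qop, digest_uri, response: str) -> bool:
    """Server side: only the stored secret is needed to check the client's response."""
    expected = response_value(secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def check_rfc2831_vector() -> bool:
    """Worked example from RFC 2831 section 4 (user chris, password secret)."""
    nonce, cnonce, nc, qop = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
    secret = stored_secret("chris", "elwood.innosoft.com", "secret")
    resp = response_value(secret, nonce, cnonce, nc, qop, "imap/elwood.innosoft.com")
    rspauth = response_value(secret, nonce, cnonce, nc, qop, "imap/elwood.innosoft.com",
                             for_server=True)
    return (resp == "d388dad90d4bbd760a152321f2143af7"
            and rspauth == "ea40f60335c427b5527b84dbabcdfffd")


def demo() -> dict:
    # Constructed values: one user, one password, two services in different realms.
    user, password = "alice", "correct horse battery staple"
    nonce, cnonce, nc, qop = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
    imap_realm, shell_realm = "imap.example.com", "shell.example.com"
    imap_secret = stored_secret(user, imap_realm, password)
    shell_secret = stored_secret(user, shell_realm, password)

    # 1. Normal login: the client uses the password, the server only imap_secret.
    resp = client_response(user, imap_realm, password, nonce, cnonce, nc, qop, "imap/" + imap_realm)
    legit = server_verify(imap_secret, nonce, cnonce, nc, qop, "imap/" + imap_realm, resp)

    # 2. imap_secret is stolen: it is password-equivalent for services in *that* realm.
    forged = response_value(imap_secret, nonce, cnonce, nc, qop, "imap/" + imap_realm)
    stolen_same_realm = server_verify(imap_secret, nonce, cnonce, nc, qop, "imap/" + imap_realm, forged)

    # 3. The shell realm holds a different digest, so the stolen value fails there.
    forged_other = response_value(imap_secret, nonce, cnonce, nc, qop, "host/" + shell_realm)
    stolen_other_realm = server_verify(shell_secret, nonce, cnonce, nc, qop, "host/" + shell_realm, forged_other)

    return {"legit": legit, "stolen_same_realm": stolen_same_realm,
            "stolen_other_realm": stolen_other_realm,
            "secrets_differ": imap_secret != shell_secret}


if __name__ == "__main__":
    print("RFC 2831 vector ok:", check_rfc2831_vector())
    print(demo())
```

The same stored value is still an impersonation credential for every service that shares its realm (and, being an unsalted MD5 of a short string, it is cheap to brute-force offline), so the realm limit narrows the blast radius of a directory leak rather than removing it.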
