Information about SASL and LDAP

Howard Chu hyc at highlandsun.com
Fri Dec 2 05:38:37 EST 2011


Alexey Melnikov wrote:
> On 01/12/2011 07:26, Patrick Ben Koetter wrote:
>> * Carson Gaspar<carson at taltos.org>:
>>> On 11/30/2011 4:18 PM, Howard Chu wrote:
>>>>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>>>>>> cmusaslsecretCRAM-MD5
>>>>>>> cmusaslsecretDIGEST-MD5 and
>>>>>>> cmusaslsecretNTLM
>>>>>>>
>>>> As I recall these are all plaintext-equivalents; i.e. there is no
>>>> security benefit from using these pre-hashed values, so they've been
>>>> deprecated already. The plugins will retrieve and use them if they're
>>>> present, but nothing creates them.
>>> They are _not_ plaintext equivalents. They are realm-limited, so
>>> compromise is limited to just the set of services sharing that realm
>>> (in many cases a single service). i.e. they don't let me use your
>>> password to log in to gmail, or get a shell on your box.
>>>
>>> The fact that the cyrus folks decided to deprecate these in favor of
>> Are they really deprecated? Because if they are, it's no use to document them,
>> which is something I am working on.
> I would like to deprecate the CRAM-MD5 and the NTLM one, mostly because
> the mechanisms are so weak. But the last time I tried I got objections
> from somebody saying that they have a web application that can generate
> cmusaslsecretCRAM-MD5 and it relies on the CRAM-MD5 plugin being able to
> read it.
>
> For the time being I don't think that cmusaslsecretDIGEST-MD5 should be considered deprecated.

The fact remains that the saslpasswd command *deletes* all cmusaslsecret* 
values whenever you set a user's password with it, and has done so for years.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
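The realm-limiting argument in the quoted exchange, as an added example that is not part of the thread: in DIGEST-MD5 (RFC 2831) the server needs only the pre-hashed H(username:realm:password), the kind of value kept in cmusaslsecretDIGEST-MD5, to verify a client, and because the realm is inside that hash a copy taken from one realm verifies nothing against another realm's record. Usernames, realms, nonces and the password are constructed sample values.

```python
# Added example: DIGEST-MD5 verification from the stored hash alone (RFC 2831).
# All user/realm/nonce/password values below are constructed for the demo.
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """The 16 raw bytes a server keeps instead of the password: H(user:realm:pw)."""
    return md5(f"{username}:{realm}:{password}".encode())

def digest_response(urp: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response, derivable from the stored hash without the password.
    Note: A1 concatenates the *raw* 16-byte hash, unlike HTTP Digest's hex form."""
    a1 = urp + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}".encode()
    return md5(kd).hex()

def server_verify(urp_on_file: bytes, client_response: str, nonce: str,
                  cnonce: str, nc: str, digest_uri: str) -> bool:
    """Server side: recompute from the record on file, compare in constant time."""
    expected = digest_response(urp_on_file, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, client_response)

def demo():
    """Returns (verified in own realm, verified in a different realm)."""
    user, password = "alice", "correct horse battery staple"   # constructed
    nonce, cnonce = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl"      # fixed for repeatability
    nc, uri = "00000001", "imap/mail.example.com"
    mail_record = stored_secret(user, "mail.example.com", password)  # IMAP server's copy
    chat_record = stored_secret(user, "chat.example.com", password)  # another realm's copy
    # A legitimate client derives the same urp from its password and the realm it was sent.
    resp = digest_response(stored_secret(user, "mail.example.com", password),
                           nonce, cnonce, nc, uri)
    same_realm = server_verify(mail_record, resp, nonce, cnonce, nc, uri)
    # The mail realm's value (or anything derived from it) does not match chat's record.
    other_realm = server_verify(chat_record, resp, nonce, cnonce, nc, uri)
    return same_realm, other_realm

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The first result is the "plaintext-equivalent within the realm" half of the argument: the stored hash is enough to pass as the user there. The second is the "realm-limited" half: the same value is worthless against a service in a different realm.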

