Information about SASL and LDAP

Alexey Melnikov alexey.melnikov at isode.com
Fri Dec 2 06:21:03 EST 2011


On 02/12/2011 10:38, Howard Chu wrote:
> Alexey Melnikov wrote:
>> On 01/12/2011 07:26, Patrick Ben Koetter wrote:
>>> * Carson Gaspar<carson at taltos.org>:
>>>> On 11/30/2011 4:18 PM, Howard Chu wrote:
>>>>>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>>>>>>> cmusaslsecretCRAM-MD5
>>>>>>>> cmusaslsecretDIGEST-MD5 and
>>>>>>>> cmusaslsecretNTLM
>>>>>>>>
>>>>> As I recall these are all plaintext-equivalents; i.e. there is no
>>>>> security benefit from using these pre-hashed values, so they've been
>>>>> deprecated already. The plugins will retrieve and use them if they're
>>>>> present, but nothing creates them.
>>>> They are _not_ plaintext equivalents. They are realm-limited, so
>>>> compromise is limited to just the set of services sharing that realm
>>>> (in many cases a single service). i.e. they don't let me use your
>>>> password to log in to gmail, or get a shell on your box.
>>>>
>>>> The fact that the cyrus folks decided to deprecate these in favor of
>>> Are they really deprecated? Because if they are, it's no use to
>>> document them, which is something I am working on.
>> I would like to deprecate the CRAM-MD5 and the NTLM one, mostly because
>> the mechanisms are so weak. But the last time I tried, I got objections
>> from somebody saying that they have a web application that can generate
>> cmusaslsecretCRAM-MD5 and it relies on the CRAM-MD5 plugin being able to
>> read it.
>>
>> For the time being I don't think that cmusaslsecretDIGEST-MD5 should 
>> be considered deprecated.
>
> The fact remains that the saslpasswd command *deletes* all 
> cmusaslsecret* values whenever you set a user's password with it, and 
> has done so for years.
Yes, good point. I haven't used this one for years; I have my own tool ;-).
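To make the realm-limitation point raised above concrete, here is an added example (not code from this thread or from Cyrus SASL) of how a DIGEST-MD5 verifier works from a realm-bound pre-hashed secret instead of the plaintext password. It assumes the stored secret is the RFC 2831 H(A1), i.e. MD5(username:realm:password); the user, realms, password and nonces are constructed sample values.

```python
import hashlib


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def ha1(username: str, realm: str, password: str) -> bytes:
    """Realm-bound secret: raw MD5 of "user:realm:password" (RFC 2831 H(A1)
    before the nonces are mixed in). Assumed here to be what a pre-hashed
    DIGEST-MD5 store holds; it is not the password and changes per realm."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(stored_ha1: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response-value for qop=auth, derived from the realm-bound
    secret alone. The client derives stored_ha1 from the password; a server
    can take it straight from a pre-hashed store, so neither side needs the
    plaintext at verification time."""
    a1 = stored_ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = md5(a1).hex() + f":{nonce}:{nc}:{cnonce}:{qop}:" + md5(a2).hex()
    return md5(kd_input.encode("utf-8")).hex()


def demo() -> dict:
    # Constructed sample values; nothing here comes from a real deployment.
    user, password = "alice", "correct horse battery staple"
    imap_realm, smtp_realm = "imap.example.net", "smtp.example.org"
    nonce, cnonce, nc = "srv-nonce-0001", "cli-nonce-0001", "00000001"
    uri = "imap/imap.example.net"

    # Client side: knows the password and derives the realm secret on the fly.
    client_resp = digest_response(ha1(user, imap_realm, password), nonce, cnonce, nc, uri)
    # Server side: holds only the pre-hashed secret for its own realm.
    server_secret = ha1(user, imap_realm, password)  # what the store would hold
    server_expected = digest_response(server_secret, nonce, cnonce, nc, uri)
    # A service in another realm expects a response built from a different
    # H(A1), so a secret leaked from one realm does not verify in another.
    other_expected = digest_response(ha1(user, smtp_realm, password), nonce, cnonce, nc, uri)
    return {
        "verified_in_own_realm": client_resp == server_expected,
        "secret_differs_by_realm": server_secret != ha1(user, smtp_realm, password),
        "accepted_by_other_realm": server_expected == other_expected,
    }


if __name__ == "__main__":
    print(demo())
```

The dictionary returned by `demo()` shows the trade-off in one place: within its realm the stored H(A1) is as good as the password for DIGEST-MD5, while outside it the value verifies nothing.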



More information about the Cyrus-sasl mailing list