Information about SASL and LDAP

Carson Gaspar carson at taltos.org
Wed Nov 30 20:22:17 EST 2011


On 11/30/2011 4:18 PM, Howard Chu wrote:
>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:

>>>> cmusaslsecretCRAM-MD5
>>>> cmusaslsecretDIGEST-MD5 and
>>>> cmusaslsecretNTLM

> As I recall these are all plaintext-equivalents; i.e. there is no
> security benefit from using these pre-hashed values, so they've been
> deprecated already. The plugins will retrieve and use them if they're
> present, but nothing creates them.

They are _not_ plaintext equivalents. They are realm-limited, so
compromise is limited to just the set of services sharing that realm (in
many cases a single service); i.e., they don't let me use your password
to log in to gmail, or get a shell on your box.

The fact that the cyrus folks decided to deprecate these in favor of
storing actual clear text passwords makes me a sad panda, and
demonstrates a lack of understanding of the security issues involved, or
a very different cost/benefit analysis than I can imagine.

-- 
Carson
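As an added example, not part of the thread: the DIGEST-MD5 derivation in RFC 2831 shows both halves of the realm argument above. The stored value is bound to the realm, yet within that realm it alone is enough to verify, or produce, any response, so it must be protected like a password. It assumes the cmusaslsecretDIGEST-MD5 attribute holds RFC 2831's inner hash H(username:realm:password); the "alice" credentials are constructed, the "chris" vector is the RFC's own worked example.

```python
import hashlib


def h(data: bytes) -> bytes:
    """H() of RFC 2831: raw MD5 digest."""
    return hashlib.md5(data).digest()


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """Realm-bound stored secret H(username:realm:password), 16 raw bytes.
    Assumption (not stated in the thread): this is what the
    cmusaslsecretDIGEST-MD5 attribute holds."""
    return h(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str, authzid: str = "") -> str:
    """response-value of RFC 2831 section 2.1.2.1, derived from the stored
    secret. The password is never needed here, which is why a leaked secret
    is password-equivalent for every service sharing its realm."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += b":" + authzid.encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    ha1, ha2 = h(a1).hex(), h(a2).hex()
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


def rfc2831_example_response() -> str:
    """Worked example from RFC 2831 section 4 (password "secret");
    the RFC gives d388dad90d4bbd760a152321f2143af7."""
    secret = digest_md5_secret("chris", "elwood.innosoft.com", "secret")
    return digest_md5_response(secret, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk",
                               "00000001", "auth", "imap/elwood.innosoft.com")


def realm_binding_demo() -> dict:
    """Constructed credentials: one user enrolled with the same password in
    two realms. Shows what a leaked IMAP-realm secret can and cannot do."""
    imap = digest_md5_secret("alice", "imap.example.org", "hunter2")
    smtp = digest_md5_secret("alice", "smtp.example.net", "hunter2")
    chal = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                nc="00000001", qop="auth")
    uri = "smtp/smtp.example.net"
    return {
        # Different realms, different stored values: one does not reveal the other.
        "secrets_differ": imap != smtp,
        # The IMAP-realm value does not match what the SMTP-realm server expects.
        "imap_secret_valid_in_smtp_realm":
            digest_md5_response(imap, digest_uri=uri, **chal)
            == digest_md5_response(smtp, digest_uri=uri, **chal),
    }
```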

