Sendmail, saslauthd, AUTH DIGEST-MD5 and /etc/shadow ?

Dan White dwhite at olp.net
Sat Jan 12 11:28:30 EST 2013


On 01/12/13 11:16 +0000, Charles Bradshaw wrote:
>Following Sebastian's reply I'm more confused than ever.
>
>The way I read the manual (here:
>http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html) to use sasldb I have
>to change pwcheck_method=shadow to pwcheck_method=auxprop in
>/usr/lib/sasl2/Sendmail.conf

saslauthd cannot be used to perform digest-md5 authentication. You'll need
to use an auxprop plugin (sasldb, ldapdb, sql) to authenticate shared
secret mechanisms.

>If so, then presumably I have to change MECH=shadow in
>/etc/sysconfig/saslauthd, but what to ?
>"saslauthd -v" returns: authentication mechanisms: getpwent kerberos5 pam
>rimap shadow ldap httpform.
>
>There is no mention of sasldb in the above return. The installed default was
>MECH=pam, which I changed to get where I am.
>
>I need to get DIGEST-MD5 working while keeping PLAIN which already works:

You can continue to use saslauthd for PLAIN authentication (via the
pwcheck_method configuration). DIGEST-MD5 will use your configured
auxprop_plugin configuration.

See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php

>Assuming Sebastian's assertion is correct, can I just duplicate authorization
>and/or authentication data in sasldb2 ?

Duplicate to another server? ldap or sql makes no sense in that scenario.

>If I have to change pwcheck_method (as above) what about the MECH parameter in
>/etc/sysconfig/saslauthd ?

If you configure an auxprop plugin, then you'd probably want to do
'pwcheck_method: auxprop' and drop saslauthd altogether.

>
>Can I just specify MECH=pam ?
>
>Thanks for your patience.
>
>> Previous reply:
>>
>>Sebastian, thanks for the prompt reply.
>>
>>What do you mean 'original', the password for realuser or smmsp or both ?
>>
>>> Re: Sendmail, saslauthd, AUTH DIGEST-MD5 and /etc/shadow ?
>>>
>>> You'll have to use sasldb if you want to use DIGEST-MD5. Challenge-response
>>> only works when both sides know the original password.
>>
>>Charles Bradshaw
>

-- 
Dan White
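An added illustration, not from the thread, of the /usr/lib/sasl2/Sendmail.conf layout Dan describes: saslauthd keeps verifying PLAIN against /etc/shadow or PAM, while DIGEST-MD5 is answered from the sasldb auxprop plugin. The socket path, realm and user name are assumptions.

```conf
# /usr/lib/sasl2/Sendmail.conf (added example, not from the thread)

# Plaintext mechanisms (PLAIN, LOGIN) hand the password to saslauthd,
# which checks it with MECH=shadow or MECH=pam. saslauthd only ever
# answers "is this password right?", so it cannot serve a
# challenge-response mechanism that needs the secret itself.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux     # assumed socket location

# Shared-secret mechanisms (DIGEST-MD5, CRAM-MD5) require the server to
# know the original password, so they are served from an auxprop plugin.
# sasldb stores those secrets in /etc/sasldb2, independently of /etc/shadow.
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2

# Advertise both families. DIGEST-MD5 succeeds only for users present in
# sasldb2; the realm used at creation must match the one the client sends,
# e.g. (assumed names):  saslpasswd2 -c -u mail.example.com realuser
mech_list: PLAIN LOGIN DIGEST-MD5
```

With this split, a user whose password lives only in /etc/shadow still authenticates with PLAIN, and nothing changes in /etc/sysconfig/saslauthd.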