[Web-cyradm] Someone seen this before ?

Rob Siemborski rjs3 at andrew.cmu.edu
Sat Jul 26 14:51:46 EDT 2003

On Sat, 26 Jul 2003 tom at bryntez.com wrote:

> A question ... why use the auxprop plugin instead of pam ? Is there
> any performance issues involved or what ?
> Thanks for your brilliant piece of software - cyrus-guys .... :-)

PAM only allows you to do password verification, essentially "is xyzzy the
password?" and get a "ok/no" response.  This requires that the
plaintext password traverse the network (possibly under a TLS

Auxprop plugins allow you to use more secure mechanisms, such as CRAM-MD5
or DIGEST-MD5 because you have access to the password directly, instead of
just an ok/no answer.

It also eliminates a few tiers in the authentication hierarchy, compare:

cyrus -> sasl -> saslauthd -> pam -> pam_mysql -> mysql


cyrus -> sasl -> mysql auxprop -> mysql


Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

More information about the Info-cyrus mailing list