Clear text password and MySQL
Marko Cuk
cuk at cuk.nu
Tue Jun 22 03:11:36 EDT 2004
Thanks for that. I need clear text passwords, but anyway, it helped me
much, because there is a lot of info on how to do that and all the
information is different...
e.g.
sasl_mysql_xxx or sasl_
or sasl_sql_statement vs. sasl_sql_select (ok, for this one I found
somewhere that it has changed)...
Marko Cuk
Eric S. Pulley wrote:
> Hi list,
>
> I just thought I'd share this since I see a lot of people using mysql
> with clear text passwords. It's probably obvious to everyone but
> since I never see anyone talking about it I thought I'd share my config
> for using encrypted passwords in mysql. This config makes it so your
> users can use secure methods of authentication over the Internet and
> still have their data in an encrypted form in the database.
>
> It's not perfect. An admin that knows the SALT you are using to
> encrypt the password field can retrieve the decrypted passwords from
> the db. But I find this to be an advantage in many cases.
>
> Using mysql 4+ you can encrypt fields with the
> AES_ENCRYPT("text-to-encrypt","SALT") function. Just make sure your
> password field is a blob (binary varchar works too I think).
>
> so your settings in imapd.conf are:
> sasl_pwcheck_method: auxprop
> sasl_sql_engine: mysql
> sasl_sql_user: Yada
> sasl_sql_passwd: Yadayada
> sasl_sql_hostnames: localhost or whatever
> sasl_sql_database: YadaDB
> sasl_sql_statement: SELECT AES_DECRYPT(password_field,"SALT_YADA")
> FROM users_table WHERE username_field ='%u'
>
> In this scenario you are still passing the SALT in clear text to the
> db but IMO this is much better than having your users logging in with
> plaintext passwords over an open network. Especially if your DB is on
> the same host as cyrus-imap since you can contain it to a socket and
> not use a network at all for the DB lookups.
>
> Also your mail server and user accounts are only as secure as the
> imapd.conf file. So use at your own risk.
>
> Anyway I hope someone finds this useful.
>
>
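The scheme Eric describes, written out as MySQL statements so the whole flow (table, storing a password, the lookup that sasl_sql_statement runs) can be tried against a test database. This is an added example, not code from Eric's post or from the Cyrus project; the table and column names follow the placeholders in his config, `SALT_YADA` is his placeholder key string, and the user `alice` with her password is a constructed sample value.

```sql
-- Added example (not from the original post). Requires MySQL 4+ for
-- AES_ENCRYPT/AES_DECRYPT. Names follow the placeholders in the post.

-- The password column must be binary: AES output is raw bytes, and a
-- text column would mangle them. BLOB or VARBINARY both work.
CREATE TABLE users_table (
  username_field VARCHAR(64) NOT NULL PRIMARY KEY,
  password_field BLOB        NOT NULL
);

-- Storing a password. Note that "SALT_YADA" is really a symmetric key,
-- not a salt: the same string decrypts every row, so it is exactly as
-- sensitive as the plaintext passwords themselves.
INSERT INTO users_table (username_field, password_field)
VALUES ('alice', AES_ENCRYPT('constructed-sample-password', 'SALT_YADA'));

-- What the SASL auxprop plugin executes on each login; '%u' in
-- imapd.conf is replaced with the authenticating user's name.
SELECT AES_DECRYPT(password_field, 'SALT_YADA')
  FROM users_table
 WHERE username_field = 'alice';
-- returns the plaintext 'constructed-sample-password'

-- Sanity check for a mistyped key in imapd.conf: decrypting with the
-- wrong key returns NULL when the padding check fails (or meaningless
-- bytes otherwise), so every login simply fails rather than erroring.
SELECT AES_DECRYPT(password_field, 'WRONG_KEY')
  FROM users_table
 WHERE username_field = 'alice';
```

The reason the password has to be recoverable at all, rather than stored as a one-way hash, is that the shared-secret SASL mechanisms the post has in mind (CRAM-MD5, DIGEST-MD5) need the server to know the plaintext to verify the client's response. That is why, as the post says, the security of the whole setup collapses to the file permissions on imapd.conf: the key in sasl_sql_statement plus read access to the table yields every password.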
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html