MD5-encrypted passwords in a SASL-SQL-database

Greg A. Woods woods-cyrus at weird.com
Fri Aug 11 12:41:55 EDT 2006


Haakon wrote:
>
> > We're about to migrate a server from Courier-IMAP to Cyrus-IMAP. The
> > Courier-server authenticates via authdaemond to a MySQL-server, and the
> > passwords in the MySQL-server are MD5-encrypted.
> >
> > I can not get authentication to work with Cyrus and SASL (with the SQL
> > auxprop-plugin) with the encrypted passwords, only when the passwords
> > are in plaintext. The question is, is there something I've not
> > understood in how to configure Cyrus/SASL, or does the SQL
> > auxprop-plugin require all the passwords to be in plaintext?
> >
> > If it is not possible to have MD5-encrypted passwords, does anyone have
> > any suggestions what we could do instead? Authenticate against Courier's
> > authdaemond, perhaps?

If your operating system supports MD5 encryption of the system account
passwords (as the *BSDs all do) then you could always just use system
accounts (and thus just use the built-in "saslauthd -a getpwent"
mechanism).  If you have lots of accounts then you'll want to automate
the system account management of course, but that's not hard to do with
a small script in any language that will do SQL queries against your
database.

I currently do that with DES-encrypted passwords stored in PostgreSQL
using a little Python script to manage /etc/master.passwd et al.  Right
now it runs from cron every half hour, but with a slightly better
database design one could use SQL triggers to push changes to a little
daemon that did smarter updates in near real time.

I for one would never ever even consider using any system that required
me to store any authentication key in clear text!

-- 
						Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods at robohack.ca>
Planix, Inc. <woods at planix.com>       Secrets of the Weird <woods at weird.com>
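
The sync script Greg describes (pull rows from the SQL database and turn them into system accounts that "saslauthd -a getpwent" can check) as an added example, not code from the original thread. It assumes a hypothetical users(login, pw_hash, uid, home) table, stands in an in-memory SQLite table with constructed rows for the MySQL server, and accepts only crypt(3) md5-crypt strings, because a bare MD5() hex digest is not a crypt(3) hash and cannot be placed in master.passwd.

```python
import re
import sqlite3

# crypt(3) md5-crypt looks like "$1$<salt up to 8>$<22 chars>". A 32-hex MySQL
# MD5() digest is not a crypt(3) hash and must not be copied into the password file.
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# Login names become the first field of master.passwd; reject anything that could
# inject extra fields (':') or that is not a plain POSIX user name.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
GID = 1000               # assumption: one shared group for mail users
SHELL = "/sbin/nologin"  # mail-only accounts need no login shell
MIN_UID = 1000           # never touch system accounts below this uid


def open_constructed_db():
    """In-memory SQLite stand-in for the MySQL user table (constructed sample rows;
    the column names are an assumption about the real schema). The hashes are
    made-up strings in the right shape, not hashes of any real password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pw_hash TEXT, uid INTEGER, home TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("alice", "$1$saltsalt$qjXMvbEw8oaJCbYNt3XGC1", 1001, "/home/alice"),
        ("bob", "5f4dcc3b5aa765d61d8327deb882cf99", 1002, "/home/bob"),   # raw MD5 hex
        ("carol", "$1$abcdefgh$0123456789abcdefghijkl", 1003, "/home/carol"),
        ("mallory:x", "$1$saltsalt$qjXMvbEw8oaJCbYNt3XGC1", 1004, "/home/m"),  # bad login
    ])
    return conn


def master_passwd_line(login, pw_hash, uid, home):
    # BSD master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell
    return f"{login}:{pw_hash}:{uid}:{GID}::0:0:{login}:{home}:{SHELL}"


def sync_accounts(conn):
    """Return (accepted_lines, rejected_logins). Bad rows are reported, not written,
    so one malformed record cannot corrupt the system password database."""
    accepted, rejected = [], []
    for login, pw_hash, uid, home in conn.execute(
            "SELECT login, pw_hash, uid, home FROM users"):
        if not LOGIN_RE.match(login) or not MD5_CRYPT_RE.match(pw_hash) or uid < MIN_UID:
            rejected.append(login)
            continue
        accepted.append(master_passwd_line(login, pw_hash, uid, home))
    return accepted, rejected


if __name__ == "__main__":
    lines, bad = sync_accounts(open_constructed_db())
    print("\n".join(lines))            # on *BSD these lines feed pwd_mkdb, not a raw file write
    print("rejected:", bad)
```

The generated lines are only the input for the real update step; on the BSDs the operator still rebuilds the password database with pwd_mkdb after merging them into master.passwd.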