digest-md5 password store

Alain Spineux aspineux at gmail.com
Thu Dec 6 10:12:19 EST 2007 

On Dec 5, 2007 9:42 PM, Guillermo Gómez <guillermo.gomez at gmail.com> wrote:
> > pam_mysql would correlate to saslauthd, and the cyrus sasl plugin
> > would correlate to auxprop.
> >
> > See documentation on the SASL pwcheck_method setting
> > (sasl_pwcheck_method in /etc/imapd.conf).
> >
> > When set to saslauthd, the pwcheck_method will allow the use of
> > the PLAIN and LOGIN mechanisms, and will pass the username and
> > password from the client on to PAM. PAM can internally hash the
> > password and compare it against an already md5/crypted password.
> >
> > When set to auxprop, SASL will retrieve the cleartext password
> > and use it to compare (in the case of PLAIN and LOGIN), or to use
> > in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
> >
> > The auxprop plugin gives you the ability to authenticate using
> > the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and
> > probably more).
> >
> > saslauthd only gives you the ability to authenticate using PLAIN
> > and LOGIN (I believe), which may or may not be sufficient for you.
> >
> > - Dan
> >
>
> Thanks Dan, im reading and trying to digest all the material available.
>
> What the customer wants is:
>
> 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
> 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)


encryption <> md5 hashing !
You can decrypt, you cannot unhash !
md5 encrypted has no meaning for me!

The questions are :
1. If someone stole the "secured information" (aka the password)
stored on your server, can he use it to authenticate to your server!
This what md5 try to avoid
2. If someone sniff the authentication process, can it guess the password ?
This what md5-digest try to avoid.

If you want both security, you need to encrypt your authentication
process and store password hash.

>
> Is this combination possible?
>
> Guillermo
>
>
>
>
> --
> Ing.Guillermo Gomez S.
> http://fedora.gomix.org
>



-- 
Alain Spineux
aspineux gmail com
May the sources be with you

More information about the Info-cyrus mailing list