digest-md5 password store

Ken Murchison murch at andrew.cmu.edu
Thu Dec 6 17:17:49 EST 2007

Guillermo Gómez wrote:
>> pam_mysql would correlate to saslauthd, and the cyrus sasl plugin
>> would correlate to auxprop.
>> See documentation on the SASL pwcheck_method setting
>> (sasl_pwcheck_method in /etc/imapd.conf).
>> When set to saslauthd, the pwcheck_method will allow the use of
>> the PLAIN and LOGIN mechanisms, and will pass the username and
>> password from the client on to PAM. PAM can internally hash the
>> password and compare it against an already md5/crypted password.
>> When set to auxprop, SASL will retrieve the cleartext password
>> and use it to compare (in the case of PLAIN and LOGIN), or to use
>> in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
>> The auxprop plugin gives you the ability to authenticate using
>> the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and
>> probably more).
>> saslauthd only gives you the ability to authenticate using PLAIN
>> and LOGIN (I believe), which may or may not be sufficient for you.
>> - Dan
> Thanks Dan, im reading and trying to digest all the material available.
> What the customer wants is:
> 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
> 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)
> Is this combination possible?

The SASLv1 library used to store a non-plaintext secret for use with 
DIGEST-MD5.  In fact, it stored separate secrets for each mechanism.  In 
SASLv2, it was decided to use a single plaintext secret.  Part of this 
decision was based on the fact that the DIGEST-MD5 secret was tied to 
the servername/domain, which made the database non-portable.

Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University

More information about the Info-cyrus mailing list