digest-md5 password store
Ken Murchison
murch at andrew.cmu.edu
Thu Dec 6 17:17:49 EST 2007
Guillermo Gómez wrote:
>> pam_mysql would correlate to saslauthd, and the cyrus sasl plugin
>> would correlate to auxprop.
>>
>> See documentation on the SASL pwcheck_method setting
>> (sasl_pwcheck_method in /etc/imapd.conf).
>>
>> When set to saslauthd, the pwcheck_method will allow the use of
>> the PLAIN and LOGIN mechanisms, and will pass the username and
>> password from the client on to PAM. PAM can internally hash the
>> password and compare it against an already md5/crypted password.
>>
>> When set to auxprop, SASL will retrieve the cleartext password
>> and use it to compare (in the case of PLAIN and LOGIN), or to use
>> in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
>>
>> The auxprop plugin gives you the ability to authenticate using
>> the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and
>> probably more).
>>
>> saslauthd only gives you the ability to authenticate using PLAIN
>> and LOGIN (I believe), which may or may not be sufficient for you.
>>
>> - Dan
>>
>
> Thanks Dan, im reading and trying to digest all the material available.
>
> What the customer wants is:
>
> 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
> 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)
>
> Is this combination possible?
The SASLv1 library used to store a non-plaintext secret for use with
DIGEST-MD5. In fact, it stored separate secrets for each mechanism. In
SASLv2, it was decided to use a single plaintext secret. Part of this
decision was based on the fact that the DIGEST-MD5 secret was tied to
the servername/domain, which made the database non-portable.
--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
More information about the Info-cyrus
mailing list