digest-md5 password store

Janne Peltonen janne.peltonen at helsinki.fi
Fri Dec 7 08:35:33 EST 2007


On Wed, Dec 05, 2007 at 09:26:58AM -0600, Dan White wrote:
> The auxprop plugin gives you the ability to authenticate using 
> the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and 
> probably more).
> 
> saslauthd only gives you the ability to authenticate using PLAIN 
> and LOGIN (I believe), which may or may not be sufficient for you.

Not true. pwcheck_method refers only to the /plaintext/ authentication
method. That is, even with pwcheck_method: saslauthd, you can use any
authentication method you wish. It's only that only the PLAIN and LOGIN
(where LOGIN is not actually a sasl method but the IMAP LOGIN command)
go through saslauthd. Other authentication methods use the corresponding
sasl library plugins.

I have a running Murder where all the murder-internal technical accounts
are to be found in /etc/sasldb2, and authenticated to using DIGEST-MD5,
whereas the "real" user accounts are authenticated using PLAIN/LOGIN and
saslauthd->pam->pam-radius->radius. Frontends don't have the DIGEST-MD5
method enabled, so that clients won't try to authenticate using it.


--Janne Peltonen
Univ of Helsinki
-- 
Janne Peltonen <janne.peltonen at helsinki.fi>
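
The split described in the message above, sketched as imapd.conf settings. This is an added example, not the poster's configuration: the frontend/backend placement, the option values and the saslauthd backend are assumptions drawn from the description.

```conf
# --- Frontend imapd.conf (constructed example) ---
# Plaintext passwords (PLAIN, and the IMAP LOGIN command) are handed to
# saslauthd, which is assumed to run with "-a pam" and a PAM stack that
# forwards to RADIUS, matching the saslauthd->pam->pam-radius->radius
# chain in the message.
sasl_pwcheck_method: saslauthd

# Offer only the plaintext mechanisms. With sasl_mech_list unset, every
# installed SASL plugin is offered, so DIGEST-MD5 would be advertised
# to clients whose accounts have no entry in sasldb2.
sasl_mech_list: PLAIN LOGIN

# --- Backend imapd.conf (constructed example) ---
# pwcheck_method still covers only the plaintext path.
sasl_pwcheck_method: saslauthd

# Shared-secret mechanisms such as DIGEST-MD5 never reach saslauthd.
# Their plugins look the secret up through auxprop, here the sasldb
# plugin backed by /etc/sasldb2, which holds only the internal
# technical accounts.
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN LOGIN DIGEST-MD5
```

Because /etc/sasldb2 stores the secrets that DIGEST-MD5 verifies against, it should be readable only by the Cyrus service account, and plaintext mechanisms on the frontends should be offered only over TLS.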

