digest-md5 password store
Carson Gaspar
carson at taltos.org
Sat Dec 8 05:20:49 EST 2007
Ken Murchison wrote:
> The SASLv1 library used to store a non-plaintext secret for use with
> DIGEST-MD5. In fact, it stored separate secrets for each mechanism. In
> SASLv2, it was decided to use a single plaintext secret. Part of this
> decision was based on the fact that the DIGEST-MD5 secret was tied to
> the servername/domain, which made the database non-portable.
And I've complained about that decision ever since. I still maintain
that it was a _terrible_ idea :-(
As someone else said, it is possible to store an interim hash that is
user and realm specific to avoid storing the plain text password. If you
want portability, you just have to use the same realm on all servers in
the same authentication group. _You_ get to choose the scope of validity
for the stored secret. Sadly with cyrus-sasl v2 the maintainers have
chosen for you, and they chose "the entire known universe" :-(
--
Carson
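The "interim hash that is user and realm specific" described above is the H(username:realm:password) value from RFC 2831: a server only ever needs those 16 bytes to verify a DIGEST-MD5 response and to produce rspauth, and the same store works on any server that advertises the same realm. The following is an added example, not code from Cyrus SASL or from anyone in this thread; the DigestServer class, the user store and the "alice" credentials are constructed for illustration, while the final vector is the worked exchange from RFC 2831 section 4.

```python
"""DIGEST-MD5 (RFC 2831) verification from a stored interim hash.

Added example, not Cyrus SASL code. DigestServer, the store and the
"alice" credentials are constructed; the RFC 2831 section 4 vector is real.
"""
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def interim_secret(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:password), RFC 2831 section 2.1.2.1. A server can store
    # these 16 bytes instead of the password; they are only valid for this
    # username in this realm, which is the portability trade-off discussed.
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def _a1_hex(secret: bytes, nonce: str, cnonce: str, authzid: str) -> str:
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return _hexh(a1)


def _a2_hex(method: str, digest_uri: str, qop: str) -> str:
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    return _hexh(a2.encode("utf-8"))


def digest(secret, nonce, cnonce, nc, qop, digest_uri, authzid="", rspauth=False):
    # Client "response" hashes A2 = AUTHENTICATE:uri; server "rspauth" uses A2 = :uri.
    method = "" if rspauth else "AUTHENTICATE"
    a1_hex = _a1_hex(secret, nonce, cnonce, authzid)
    a2_hex = _a2_hex(method, digest_uri, qop)
    return _hexh(f"{a1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{a2_hex}".encode("utf-8"))


class DigestServer:
    """Constructed server: holds only interim secrets and advertises one realm."""

    def __init__(self, realm: str, store: dict):
        self.realm = realm
        self.store = store  # username -> interim secret (bytes); no plaintext here

    def challenge(self) -> dict:
        return {"realm": self.realm, "nonce": secrets.token_urlsafe(12), "qop": "auth"}

    def verify(self, username, nonce, cnonce, nc, qop, digest_uri, response):
        # Returns rspauth on success, None on failure, using nothing but the stored hash.
        secret = self.store.get(username)
        if secret is None:
            return None
        expected = digest(secret, nonce, cnonce, nc, qop, digest_uri)
        if not hmac.compare_digest(expected, response):
            return None
        return digest(secret, nonce, cnonce, nc, qop, digest_uri, rspauth=True)


def client_authenticate(server, username, password, digest_uri) -> bool:
    # The client derives its copy of the interim secret from the realm the
    # server advertised, so server and client must agree on that realm.
    ch = server.challenge()
    cnonce = secrets.token_urlsafe(12)
    secret = interim_secret(username, ch["realm"], password)
    resp = digest(secret, ch["nonce"], cnonce, "00000001", ch["qop"], digest_uri)
    rsp = server.verify(username, ch["nonce"], cnonce, "00000001", ch["qop"], digest_uri, resp)
    return rsp is not None


def portability_demo():
    # Constructed: one store provisioned for realm "example.org", copied to two servers.
    store = {"alice": interim_secret("alice", "example.org", "correct horse")}
    same_realm = DigestServer("example.org", dict(store))
    other_realm = DigestServer("mail.example.org", dict(store))  # same DB, different realm
    return (
        client_authenticate(same_realm, "alice", "correct horse", "imap/imap1.example.org"),
        client_authenticate(other_realm, "alice", "correct horse", "imap/imap2.example.org"),
    )


def rfc2831_vector():
    # RFC 2831 section 4 exchange: user "chris", password "secret".
    secret = interim_secret("chris", "elwood.innosoft.com", "secret")
    args = (secret, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth",
            "imap/elwood.innosoft.com")
    return digest(*args), digest(*args, rspauth=True)
```

portability_demo() shows both halves of the argument: the copied store authenticates the user on any server that advertises the realm it was built for, and fails on a server that advertises a different realm, because the client (correctly) derives its secret from the advertised realm while the stored hash was bound to the original one.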