digest-md5 password store

Carson Gaspar carson at taltos.org
Sat Dec 8 05:20:49 EST 2007

Ken Murchison wrote:

> The SASLv1 library used to store a non-plaintext secret for use with 
> DIGEST-MD5.  In fact, it stored separate secrets for each mechanism.  In 
> SASLv2, it was decided to use a single plaintext secret.  Part of this 
> decision was based on the fact that the DIGEST-MD5 secret was tied to 
> the servername/domain, which made the database non-portable.

And I've complained about that decision ever since. I still maintain 
that it was a _terrible_ idea :-(

As someone else said, it is possible to store an interim hash that is 
user and realm specific to avoid storing the plain text password. If you 
want portability, you just have to use the same realm on all servers in 
the same authentication group. _You_ get to choose the scope of validity 
for the stored secret. Sadly with cyrus-sasl v2 the maintainers have 
chosen for you, and they chose "the entire known universe" :-(
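The "interim hash" referred to above is the H(username:realm:password) value from RFC 2831 section 2.1.2.1: a verifier that holds only that value can still check a client's DIGEST-MD5 response, and the value is bound to the realm the client authenticates against. The following is an added illustration written for this archive page, not code from cyrus-sasl or from either poster; all usernames, realms, nonces and the plaintext password are constructed sample values, and the server-side store is a plain dict standing in for a real secret database.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def interim_secret(username: str, realm: str, password: str) -> bytes:
    """H(username ":" realm ":" passwd) per RFC 2831. This is the value a
    server can store instead of the plaintext password; note the realm is
    baked in, so the stored secret is only valid for that realm."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """Client response for qop=auth, computed from the interim secret only.
    A1 = secret ":" nonce ":" cnonce ; A2 = "AUTHENTICATE:" digest-uri ;
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))"""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1, ha2 = md5_hex(a1), md5_hex(a2)
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


class SecretStore:
    """Hypothetical server-side store keyed on (username, realm) that never
    sees the plaintext password, only the interim hash."""

    def __init__(self) -> None:
        self._secrets: dict[tuple[str, str], bytes] = {}

    def enroll(self, username: str, realm: str, password: str) -> None:
        # The plaintext is used once, here, and only its realm-bound hash is kept.
        self._secrets[(username, realm)] = interim_secret(username, realm, password)

    def verify(self, username: str, realm: str, nonce: str, cnonce: str,
               nc: str, qop: str, digest_uri: str, response: str) -> bool:
        secret = self._secrets.get((username, realm))
        if secret is None:
            # No secret for this user in this realm: a store built for one
            # realm cannot serve another, which is the portability trade-off.
            return False
        expected = digest_response(secret, nonce, cnonce, nc, qop, digest_uri)
        return hmac.compare_digest(expected, response)


# Constructed sample exchange; nonces are fixed so the run is reproducible.
USER, PASSWORD = "alice", "correct horse battery staple"
REALM_A, REALM_B = "example.org", "mail.example.org"
NONCE, CNONCE, NC, QOP, URI = "srvnonce001", "clinonce001", "00000001", "auth", "imap/mail.example.org"


def demo() -> dict:
    store = SecretStore()
    store.enroll(USER, REALM_A, PASSWORD)

    # Client side: derives the same interim secret from its plaintext password
    # for the realm the server advertised, then answers the challenge.
    client_secret_a = interim_secret(USER, REALM_A, PASSWORD)
    resp_a = digest_response(client_secret_a, NONCE, CNONCE, NC, QOP, URI)

    # Same password, different realm: a distinct secret that the store cannot verify.
    client_secret_b = interim_secret(USER, REALM_B, PASSWORD)
    resp_b = digest_response(client_secret_b, NONCE, CNONCE, NC, QOP, URI)

    return {
        "same_realm_ok": store.verify(USER, REALM_A, NONCE, CNONCE, NC, QOP, URI, resp_a),
        "other_realm_ok": store.verify(USER, REALM_B, NONCE, CNONCE, NC, QOP, URI, resp_b),
        "tampered_ok": store.verify(USER, REALM_A, NONCE, CNONCE, NC, QOP, URI, resp_a[::-1]),
        "secrets_differ": client_secret_a != client_secret_b,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows a verifier holding only the realm-bound hash accepting the legitimate response, rejecting a reply computed for a different realm, and rejecting a corrupted response; picking one realm for every server in an authentication group is what makes such a store shareable without falling back to plaintext.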