Best/Easiest method using encrypted password in MySQL DB

Dan White dwhite at olp.net
Fri Jan 29 23:51:10 EST 2010


On 29/01/10 19:00 -0800, Nybbles2Byte wrote:
>I don't think I can say much more than the title.  Cyrus seems to be running well but I would like to have the password in the MySQL DB encrypted. 
>
>Does anyone have a "best way" of implementing that?
>
>My only criterion is that Postfix looks up the same table for user info, so whatever the implementation is, Postfix has to be able to read/decrypt the encrypted password as well.

There are a couple of options via saslauthd:

1) Have saslauthd use the PAM backend, and the pam_mysql module to perform
password verification.

2) Have saslauthd use the PAM backend, and use the standard pam_unix
module along with an NSS mysql library which allows you to store
password/shadow information in mysql.

There may also be a way to authenticate against hashed auxprop attributes
in the upcoming sasl 2.1.24 release, but I don't have any examples of how
that will work (see the NEWS file in the 2.1.24rc1 release for more info).

You should be aware that any of these methods will disallow the use of SASL
security layers. You will need to use SSL/TLS or another external security
mechanism to protect the transmission of passwords over the network.

-- 
Dan White
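
Option 1 above, sketched as configuration for both Cyrus IMAP and Postfix so that they verify against the same table. This is an added example, not part of the original message. The database name, table and column names, account credentials and file paths are assumptions, and crypt=1 (crypt(3) hashes) is one of several pam_mysql hash settings.

```conf
# Constructed example: names, paths and credentials are placeholders.

# saslauthd must be started with the PAM backend:
#   saslauthd -a pam

# --- /etc/imapd.conf (Cyrus IMAP) ---
sasl_pwcheck_method: saslauthd
# saslauthd needs the cleartext password, so only plaintext
# mechanisms can be offered.
sasl_mech_list: PLAIN LOGIN
# Refuse plaintext logins until the client has negotiated TLS
# (TLS certificate settings are not shown here).
allowplaintext: 0

# --- /etc/pam.d/imap (PAM service name used by Cyrus imapd) ---
# The DB account should hold SELECT on this one table only, and
# this file should be readable by root only: it contains the DB password.
auth    required pam_mysql.so user=mailauth passwd=CHANGEME host=localhost db=mail table=mailbox usercolumn=username passwdcolumn=password crypt=1
account required pam_mysql.so user=mailauth passwd=CHANGEME host=localhost db=mail table=mailbox usercolumn=username passwdcolumn=password crypt=1

# --- /etc/postfix/main.cf ---
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Offer AUTH only after STARTTLS, for the same reason as allowplaintext.
smtpd_tls_auth_only = yes

# --- smtpd.conf in the Cyrus SASL configuration directory ---
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

# --- /etc/pam.d/smtp (PAM service name used by Postfix) ---
# Same two pam_mysql lines as /etc/pam.d/imap, so both services
# check the same table and the same hash format.
```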

