SASL w/ Encrypted SQL Password Security (Comment, Suggestion and Possible Solution)

Dan White dwhite at
Tue Jan 25 13:08:25 EST 2011

On 25/01/11 12:48 -0500, Raymond T. Sundland wrote:
>    So given that it's been at least 6 years since it's been common
>    security practice to not store cleartext passwords in a database, why
>    does SASL still require it?  Can't SASL be modified to accept
>    some token from the SQL query that basically says, "yes the password
>    you gave me matches" ??

SASL provides saslauthd for simple password verification against hashes,
which you could use along with a SQL PAM module to authenticate against
Postgres (sasl_pwcheck_method: saslauthd, with a '-a pam' passed to

Access to passwords stored in the clear (using an auxprop module) is
really only necessary if you're using shared secret authentication
mechanisms, such as DIGEST-MD5. 

With that said, there appears to be a patch within 2.1.24rc1 which would
allow you to store your passwords md5 hashed, and configure
'sasl_pwcheck_method: auxprop-hashed' to do what you want (but without
shared secret functionality).

Dan White

More information about the Info-cyrus mailing list