SASL w/ Encrypted SQL Password Security (Comment, Suggestion and Possible Solution)
Gabriele Bulfon
gbulfon at sonicle.com
Wed Jan 26 05:24:12 EST 2011
Hi, interesting that I was delving into the same problem with the same tools just one mail later :)
I use SHA encryption in my postgres.
Your idea was very good, pity you found it's not working...
Did you find alternatives?
Gabriele.
----------------------------------------------------------------------------------
Da: Raymond T. Sundland
A: Dan White
Cc: info-cyrus at lists.andrew.cmu.edu
Data: 25 gennaio 2011 19.52.42 CET
Oggetto: Re: SASL w/ Encrypted SQL Password Security (Comment, Suggestion and Possible Solution)
Thanks for the explanation. Though, I would prefer something better
than MD5 since it has been broken for years.
As for my "hack", it doesn't work because I mis-read what %p was,
thinking it was the password, not the column to look for... so back to
the drawing board. I will look at using something like kerberos, but it
seems like an awful lot of work given my installation requirements. I'm
up for the challenge, nonetheless.
Thanks again.
On 1/25/2011 1:08 PM, Dan White wrote:
On 25/01/11 12:48 -0500, Raymond T. Sundland wrote:
So given that it's been at least 6 years since it's been common
security practice to not store cleartext passwords in a database, why
does SASL still require it? Can't SASL be modified to accept
some token from the SQL query that basically says, "yes the password
you gave me matches" ??
SASL provides saslauthd for simple password verification against hashes,
which you could use along with a SQL PAM module to authenticate against
Postgres (sasl_pwcheck_method: saslauthd, with a '-a pam' passed to
saslauthd).
Access to passwords stored in the clear (using an auxprop module) is
really only necessary if you're using shared secret authentication
mechanisms, such as DIGEST-MD5.
With that said, there appears to be a patch within 2.1.24rc1 which would
allow you to store your passwords md5 hashed, and configure
'sasl_pwcheck_method: auxprop-hashed' to do what you want (but without
shared secret functionality).
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20110126/04a55522/attachment.html
More information about the Info-cyrus
mailing list