MD5 Passwords in MySql?

Kari Hurtta hurtta+cyrus-info at leija.mh.fmi.fi
Mon Apr 1 13:21:01 EDT 2013


Scott Lambert <lambert at lambertfam.org>: (Tue Mar 26 00:03:31 2013)
> On Mon, Mar 25, 2013 at 09:32:16PM +0000, Charles Bradshaw wrote:
> > Andy
> > 
> > Thanks for the link. If you read on you will see that while PAM allows
> > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > then NOT be used. That's definitely a step in the wrong direction.
> > 
> > I'm coming to the conclusion that I need to understand the code well enough
> > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > of C.
> 
> Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> password across the wire by hashing something with the cleartext
> password.  These authentication methods require that the cleartext
> password be known (or at least recoverable) by the server and the
> client.
> 
> Therefore, the server cannot be using a non-reversible hash of the
> password for its password store.
> 
> You can store cleartext passwords in your password database and
> avoid passing passwords in cleartext across the wire.
> 
> OR
> 
> You can store hashed passwords in your password database and pass
> cleartext passwords over the wire, hopefully inside an SSL/TLS
> connection.
> 
> http://en.wikipedia.org/wiki/Digest_access_authentication
> 
> http://en.wikipedia.org/wiki/CRAM-MD5
> 
> If you use crypted MD5 hashed passwords in your database, you will
> have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
> 
> My system is not running in that configuration so I am not certain
> that you can tell saslauthd to use a mysql database for encrypted
> password storage.

Secure Remote Password (SRP) may allow, at the same time, storing "hashed"
passwords in the password database and passing only a challenge on the wire,

but that is a different authentication method and unlikely to be supported.
It does not matter if your server supports it if there are no clients.

And there are only

RFC 5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication

RFC 2945: The SRP Authentication and Key Exchange System
RFC 2944: Telnet Authentication: SRP

That is not a SASL method.
 
> -- 
> Scott Lambert                    KC5MLE                       Unix SysAdmin
> lambert at lambertfam.org

/ Kari Hurtta
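The trade-off Scott describes, shown as an added example that is not code from this thread, from Cyrus or from any SASL library: a CRAM-MD5 verifier (RFC 2195 style, HMAC-MD5 keyed with the password over a server challenge) can only succeed when the server holds the cleartext password, while a PLAIN-style check works against a one-way salted hash. The user names, passwords, salt and host name are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed password stores: one keeps cleartext (what CRAM-MD5 needs),
# the other keeps only a salted PBKDF2 hash (what PLAIN over TLS can use).
USERS_CLEARTEXT = {"alice": "correct horse"}
SALT = b"constructed-salt"
USERS_HASHED = {"bob": hashlib.pbkdf2_hmac("sha256", b"battery staple", SALT, 100_000)}


def make_challenge(host="imap.example.invalid"):
    # Server sends a fresh, unique challenge string once per authentication
    return f"<{secrets.token_hex(8)}@{host}>".encode()


def cram_md5_response(username, password, challenge):
    # Client side: the password never leaves the client, only this keyed digest does
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(response, challenge, store):
    # Server side: the digest can only be recomputed from the cleartext password
    username, _, digest = response.partition(" ")
    password = store.get(username)
    if not isinstance(password, str):
        return False  # unknown user, or the store holds only a one-way hash
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_plain(username, password, store):
    # PLAIN: the password itself arrives (inside TLS), so hashing it and
    # comparing against the stored salted hash is enough
    stored = store.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, candidate)
```

Against the hashed store the CRAM-MD5 verifier fails even for the right password, which is exactly why the mechanism must be disabled when only hashes are stored.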