MD5 Passwords in MySql?
Adam Tauno Williams
awilliam at whitemice.org
Sun Mar 24 14:12:17 EDT 2013
On Sun, 2013-03-24 at 14:21 +0000, Charles Bradshaw wrote:
> In my /etc/imapd.conf I'm using:
> sasl_auxprop_plugin:sql
> sasl_sql_engine:mysql
> I want to store MD5 hashed passwords in my database. Is this possible?
I would *assume* that the database doesn't much care about the
hashing/encoding of the password/secret - I'd *assume* it just stores
and retrieves it.
Concerns for the validity of the secret are up-the-stack, in SASL
proper, and not in the storage plugin.
I could be wrong; I've mostly dealt with storing credentials in LDAP.
> I was thinking about modifying the sql plugin to MD5 the password before
> comparison, but...
That seems wrong to me. Can't you just tell SASL via configuration that
you want to use MD5?
> I'm no C programmer so understanding sql.c (the plugin source) is quite
> beyond me. It looks as though we just check for the presence of the
> password and don't actually compare passwords! Surely I'm wrong here?
That is what I would *assume* it does. And correctly.
> I could use a symmetric encryption, e.g. AES, and place the necessary
> decrypt in the sasl_sql_select statement, but that seems a bit pointless
> since the key is now visible in various logs.
That seems very wrong to me.
I wonder why you care how credentials are stored; is SASL authentication
not working?