MD5 Passwords in MySql?

Charles Bradshaw brad at bradcan.homelinux.com
Sun Mar 24 17:03:46 EDT 2013


Adam

Gently... This question has been asked before, but remains unanswered.

I am using sendmail and cyrus-imapd, not Postfix or LDAP, for which the
MD5 password in mysql problem appears to have been solved.

On Sun, 2013-03-24 at 14:12 -0400, Adam Tauno Williams wrote:
> On Sun, 2013-03-24 at 14:21 +0000, Charles Bradshaw wrote:
> > In my /etc/imapd.conf I'm using:
> > sasl_auxprop_plugin:sql
> > sasl_sql_engine:mysql
> > I want to store MD5 hashed passwords in my database. Is this possible?
> 
> I would *assume* that the database doesn't much care about the
> hashing/encoding of the password/secret - I'd *assume* it just stores
> and retrieves it.
>

The database might not care, but something does. The question is what?
Or even how to configure cyrus to use MD5 hashed passwords with the sql
plugin.

Because I'm dealing with virtual domains, passwords are stored ONLY in
the database. My users have no accounts or passwords stored elsewhere.

> 
> Concerns for the validity of the secret are up-the-stack, is SASL
> proper, and not in the storage plugin.

OK, specifically, where up the stack is the password checked?

> 
> I could be wrong;  I've mostly dealt with storing credentials in LDAP.

LDAP is a whole other can of worms and not appropriate to my
circumstances.

> 
> > I was thinking about modifying the sql plugin to MD5 the password before
> > comparison, but...
> 
> That seems wrong to me.  Can't you just tell SASL via configuration that
> you want to use MD5?

Obviously I can't! I wouldn't have asked the question otherwise.
Answering a question with the same question is absurd.

> 
> > I'm no C programmer so understanding sql.c (the plugin source) is quite
> > beyond me. It looks as though we just check for the presence of the
> > password and don't actually compare passwords! Surely I'm wrong here?
> 
> That is what I would *assume* it does. And correctly.

So where is the password compared?

> 
> > I could use a symmetric encryption, eg AES, and place the necessary
> > decrypt in the sasl_sql_select statement, but that seems a bit pointless
> > since the key is now visible in various logs.
> 
> That seems very wrong to me.

It might be a kludge, but it's not wrong. It avoids storing plain text
passwords, which are always a risk. The purpose of MD5 digest is to make
passwords truly private to the user. Not even root knows users' passwords
when stored in shadow (MD5).

The only risk to shadow passwords is a brute force attack which is
relatively easy to detect and foil.
 
> 
> I wonder why you care how credentials are stored; is SASL authentication
> not working?

No, I have authentication working fine. I care because mysql is the
mechanism I prefer.

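The question of where the comparison happens, as an added Python model that is not from this thread or from the cyrus-sasl sources: one lookup standing in for the sql auxprop plugin (it only fetches), and verifiers standing in for the mechanism layer above it. The user name, the row layout and the hex-MD5 column are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the table sasl_sql_select reads: user -> stored secret.
# The secret here is a hex MD5 digest, the layout the thread asks about (assumed).
USERS = {"brad@example.org": hashlib.md5(b"correct horse").hexdigest()}

def auxprop_lookup(user):
    """Storage-plugin role: return the stored value, or None. No comparison here."""
    return USERS.get(user)

def verify_plain_literal(user, supplied):
    """PLAIN/LOGIN verifier that expects a plaintext column: compares bytes as stored."""
    stored = auxprop_lookup(user)
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())

def verify_plain_md5(user, supplied):
    """Hash-aware PLAIN verifier: digests what the client sent before comparing.
    Unsalted MD5 mirrors the thread's setup; a salted, slow hash is the better choice."""
    stored = auxprop_lookup(user)
    digest = hashlib.md5(supplied.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)

def cram_md5_response(secret, challenge):
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the plaintext password."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()

def verify_cram_md5(user, challenge, response):
    """Server side of CRAM-MD5: must key the HMAC with the same secret the client used.
    With only a digest in the database that secret is unavailable, so this fails."""
    stored = auxprop_lookup(user)
    if stored is None:
        return False
    expected = cram_md5_response(stored, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    chal = b"<1234.1364158000@example.org>"  # constructed challenge
    print(verify_plain_literal("brad@example.org", "correct horse"))  # False
    print(verify_plain_md5("brad@example.org", "correct horse"))      # True
    print(verify_cram_md5("brad@example.org", chal,
                          cram_md5_response("correct horse", chal)))   # False
```

The three results show the trade-off behind the question: a digest in the database only works when the verifier above the plugin knows how to hash, and it rules out shared-secret mechanisms entirely.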