MD5 Passwords in MySql?

Scott Lambert lambert at lambertfam.org
Mon Mar 25 18:03:31 EDT 2013


On Mon, Mar 25, 2013 at 09:32:16PM +0000, Charles Bradshaw wrote:
> Andy
> 
> Thanks for the link. If you read on you will see that while PAM allows
> storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> then NOT be used. That's definitely a step in the wrong direction.
> 
> I'm coming to the conclusion that I need to understand the code well enough
> to add something to cyrus, but sadly I'm just too old to grok the tangle
> of C.

Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
password across the wire by hashing something with the cleartext
password.  These authentication methods require that the cleartext
password be known (or at least recoverable) by the server and the
client.

Therefore, the server cannot be using a non-reversible hash of the
password for its password store.

You can store cleartext passwords in your password database and
avoid passing passwords in cleartext across the wire.

OR

You can store hashed passwords in your password database and pass
cleartext passwords over the wire, hopefully inside an SSL/TLS
connection.

http://en.wikipedia.org/wiki/Digest_access_authentication

http://en.wikipedia.org/wiki/CRAM-MD5

If you use crypted MD5 hashed passwords in your database, you will
have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.

My system is not running in that configuration so I am not certain
that you can tell saslauthd to use a mysql database for encrypted
password storage.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
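A worked illustration of the point above, added here and not part of the original thread or of Cyrus SASL: a minimal CRAM-MD5 challenge/response (HMAC-MD5 keyed with the password, per RFC 2195), verified once against a cleartext password store and once against a store that only holds a salted MD5 hash. The user name, password, host name and salt format are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def make_challenge(host="mail.example.org"):
    # CRAM-MD5 challenge: a msg-id style string; the server sends it base64-encoded
    return f"<{secrets.randbits(16)}.{secrets.randbits(32)}@{host}>"


def client_response(username, password, challenge):
    # The client keys HMAC-MD5 with the cleartext password and signs the challenge.
    # The password itself never crosses the wire, only this digest does.
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_cram_md5(response_b64, challenge, store):
    # To check the digest the server must recompute it, which needs the same
    # HMAC key the client used: the cleartext password. Whatever the store
    # holds is used as that key, so a stored hash can never match.
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    stored = store.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def hash_password(password, salt=None):
    # Constructed stand-in for a non-reversible "crypted MD5" table entry:
    # salt + "$" + md5(salt || password). Not reversible to the password.
    salt = salt or secrets.token_hex(4)
    return salt + "$" + hashlib.md5((salt + password).encode()).hexdigest()


def verify_plain(username, password, hashed_store):
    # PLAIN/LOGIN path: the cleartext password arrives over the wire (hopefully
    # inside TLS) and the server can re-hash it against the stored hash.
    stored = hashed_store.get(username)
    if stored is None:
        return False
    salt, _, _ = stored.partition("$")
    return hmac.compare_digest(hash_password(password, salt), stored)
```

With a cleartext store the CRAM-MD5 check succeeds; with only the hash on file the same response fails, and the server is back to verifying a password sent in the clear.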