MD5 Passwords in MySql?

Adam Tauno Williams awilliam at whitemice.org
Mon Mar 25 21:09:08 EDT 2013


On Mon, 2013-03-25 at 17:03 -0500, Scott Lambert wrote:
> On Mon, Mar 25, 2013 at 09:32:16PM +0000, Charles Bradshaw wrote:
> > Andy
> > Thanks for the link. If you read on you will see that while PAM allows
> > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > then NOT be used. That's definitely a step in the wrong direction.
> > I'm coming to the conclusion that I need to understand the code well enough
> > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > of C.
> Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> password across the wire by hashing something with the cleartext
> password.  These authentication methods require that the cleartext
> password be known (or at least recoverable) by the server and the
> client.

Yep, which was pointed out originally.  If the cred store is encrypted
it needs to be a two-way crypt [can be decrypted].  So you basically
have a crypted filesystem store anyway.

> Therefore, the server cannot be using a non-reversible hash of the
> password for its password store.
> You can store cleartext passwords in your password database and
> avoid passing passwords in cleartext across the wire.
> OR
> You can store hashed passwords in your password database and pass
> cleartext passwords over the wire, hopefully inside an SSL/TLS
> connection.

+1

> If you use crypted MD5 hashed passwords in your database, you will
> have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
> My system is not running in that configuration so I am not certain
> that you can tell saslauthd to use a mysql database for encrypted
> password storage.

I use saslauthd to a PostgreSQL database that stores crypted passwords -
but it can only do PLAIN/LOGIN in that configuration, none of the newer
mechs that all the cool kids are using.
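The trade-off Scott spells out above, shown as an added example (not code from the thread, from Cyrus or from saslauthd): a CRAM-MD5 verifier that only works when the server can recover the cleartext secret, beside a PLAIN verifier that works fine against a salted one-way hash. The user records, the challenge and the `lookup_secret` callback are constructed here, and the base64 framing of the real SASL exchange is left out.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the thread): one user, one challenge.
CHALLENGE = b"<1896.697170952@postoffice.example>"   # RFC 2195 style challenge
CLEARTEXT_DB = {"alice": "correct horse"}           # cleartext / two-way store
HASHED_DB = {}                                       # one-way hashed store

def hash_password(password, salt=None, rounds=100_000):
    """Salted one-way hash, the kind a crypted SQL password column holds."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${dk.hex()}"

def verify_plain(password, stored):
    """PLAIN/LOGIN: the server receives the cleartext, so it can re-hash it
    and compare; the wire needs TLS, the database does not need cleartext."""
    salt_hex, rounds, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed with the
    cleartext password; the password itself never crosses the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def verify_cram_md5(response, challenge, lookup_secret):
    """Server side: recompute the HMAC, which only works if lookup_secret
    yields the user's cleartext password. A stored hash cannot stand in."""
    username, digest = response.split(" ", 1)
    secret = lookup_secret(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# Fixed salt so the stored value is reproducible; use os.urandom in practice.
HASHED_DB["alice"] = hash_password("correct horse", salt=bytes(16))

if __name__ == "__main__":
    resp = cram_md5_response("alice", "correct horse", CHALLENGE)
    print("CRAM-MD5 vs cleartext store:", verify_cram_md5(resp, CHALLENGE, CLEARTEXT_DB.get))
    print("CRAM-MD5 vs hashed store:   ", verify_cram_md5(resp, CHALLENGE, HASHED_DB.get))
    print("PLAIN vs hashed store:      ", verify_plain("correct horse", HASHED_DB["alice"]))
```

Running it prints True, False, True: the same hashed store that rejects a valid CRAM-MD5 response accepts the PLAIN password, which is exactly why the MD5 mechanisms have to be disabled once the column holds hashes.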
