MD5 Passwords in MySql?

Charles Bradshaw brad at bradcan.homelinux.com
Tue Mar 26 06:17:33 EDT 2013


Thanks Guys

I think it's finally sunk in. DIGEST-MD5 and CRAM-MD5 are mutually
exclusive with hashed passwords.

D'oh! I think I even posted that fact in answer to a previous thread.

On Mon, 2013-03-25 at 21:09 -0400, Adam Tauno Williams wrote:
> On Mon, 2013-03-25 at 17:03 -0500, Scott Lambert wrote:
> > On Mon, Mar 25, 2013 at 09:32:16PM +0000, Charles Bradshaw wrote:
> > > Andy
> > > Thanks for the link. If you read on you will see that while PAM allows
> > > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > > then NOT be used. That's definitely a step in the wrong direction.
> > > I'm coming to the conclusion that I need to understand the code well enough
> > > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > > of C.
> > Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> > password across the wire by hashing something with the cleartext
> > password.  These authentication methods require that the cleartext
> > password be known (or at least recoverable) by the server and the
> > client.
> 
> Yep, which was pointed out originally.  If the cred store is encrypted
> it needs to be a two-way crypt [can be decrypted].  So you basically
> have a crypted filesystem store anyway.
> 
> > Therefore, the server cannot be using a non-reversible hash of the
> > password for its password store.
> > You can store cleartext passwords in your password database and
> > avoid passing passwords in cleartext across the wire.
> > OR
> > You can store hashed passwords in your password database and pass
> > cleartext passwords over the wire, hopefully inside an SSL/TLS
> > connection.
> 
> +1
> 
> > If you use crypted MD5 hashed passwords in your database, you will
> > have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
> > My system is not running in that configuration so I am not certain
> > that you can tell saslauthd to use a mysql database for encrypted
> > password storage.
> 
> I use saslauthd to a PostgreSQL database that stores crypted passwords -
> but it can only do PLAIN/LOGIN in that configuration, none of the newer
> mechs that all the cool kids are using.
> 
> 
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

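The protocol point made in the quoted replies, shown as an added example (this is not code from the thread, from Cyrus or from saslauthd): a minimal CRAM-MD5 exchange (RFC 2195) verified against a cleartext credential store, the same client response checked by a server that holds only a one-way salted hash, and a PLAIN-style check of a cleartext password against that hashed store. The hostname in the challenge, the username, the password and the PBKDF2 work factor are constructed test values.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # illustrative work factor for the hashed store (assumption)


def cram_md5_challenge(host: str = "mail.example.invalid") -> bytes:
    """Server side: a fresh challenge in the conventional <nonce.time@host> form.
    The host is a placeholder, not a real server."""
    return f"<{secrets.token_hex(8)}.1364285853@{host}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: HMAC-MD5 keyed with the cleartext password. Only the
    digest crosses the wire; the password itself never does."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def _split_response(response: bytes) -> tuple[str, str]:
    username, digest = base64.b64decode(response).decode().split(" ", 1)
    return username, digest


def cram_md5_verify(cleartext_store: dict[str, str], response: bytes, challenge: bytes) -> bool:
    """Server side: recompute the HMAC and compare. This is only possible
    because the store hands the server the cleartext password."""
    username, digest = _split_response(response)
    password = cleartext_store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def hashed_record(password: str) -> dict[str, bytes]:
    """One-way, salted credential record: the kind of thing a PAM/saslauthd
    SQL table would hold instead of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def plain_verify(hashed_store: dict[str, dict[str, bytes]], username: str, password: str) -> bool:
    """PLAIN/LOGIN: the client sent the cleartext password (hopefully inside
    TLS), so the server can re-derive the hash and compare."""
    rec = hashed_store.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])


def cram_md5_verify_against_hash(hashed_store: dict[str, dict[str, bytes]],
                                 response: bytes, challenge: bytes) -> bool:
    """The best a server holding only one-way hashes can do with a CRAM-MD5
    response: key HMAC-MD5 with the one secret it has, the hash. The client
    keyed with the cleartext, and nothing derivable from the hash recovers
    that, so an honest client is always rejected."""
    username, digest = _split_response(response)
    rec = hashed_store.get(username)
    if rec is None:
        return False
    attempt = hmac.new(rec["hash"], challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(attempt, digest)


def demo() -> dict[str, bool]:
    """Run the three configurations on constructed credentials and return
    whether each one accepted the login."""
    user, password = "alice", "correct horse battery staple"  # constructed test values
    cleartext_store = {user: password}
    hashed_store = {user: hashed_record(password)}

    challenge = cram_md5_challenge()
    good = cram_md5_response(user, password, challenge)
    bad = cram_md5_response(user, "wrong-password", challenge)

    return {
        "cram_md5_cleartext_store": cram_md5_verify(cleartext_store, good, challenge),
        "cram_md5_wrong_password": cram_md5_verify(cleartext_store, bad, challenge),
        "cram_md5_hashed_store": cram_md5_verify_against_hash(hashed_store, good, challenge),
        "plain_hashed_store": plain_verify(hashed_store, user, password),
        "plain_wrong_password": plain_verify(hashed_store, user, "wrong-password"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `cram_md5_hashed_store` case is the one the thread is about: the honest client is rejected, so a store of one-way hashes cannot serve CRAM-MD5 (or DIGEST-MD5) at all. The practitioner's caveat is that the "store a hash instead" escape hatch these mechanisms offer (DIGEST-MD5's H(user:realm:password)) is a password-equivalent secret, not a one-way hash: anyone who reads it can authenticate with it, so it buys you nothing against a database compromise.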