On Mon, 9 Sep 2002, Max Okumoto wrote:
> Our current goal is to migrate everyone to imapd/ipop3d over ssl. We
> are going to let them use plaintext passwds inside of the ssl tunnel.

SSL tunnel?  You're not going to use imapd's native SSL support (which
also includes TLS support)?

If you use imapd's native SSL support, then you can add a routine to file
imap-????/src/osdep/unix/sslstdio.c that returns whether or not SSL or TLS
is in effect, something like

int check_if_session_encrypted (void)
{
  return sslstdio ? T : NIL;
}

Next, in imapd.c, you might want to modify the successful authentication
syslogs.  Do something like:

Change:
            syslog (LOG_INFO,"Authenticated user=%.80s host=%.80s",
                    user,tcp_clienthost ());
to:
            syslog (LOG_INFO,"Authenticated %s SSL=%s user=%.80s host=%.80s",
                    s,check_if_session_encrypted () ? "yes" : "no",
                    user,tcp_clienthost ());
and change:
             syslog (LOG_INFO,"Login SSL=%s user=%.80s host=%.80s",
                     check_if_session_encrypted () ? "yes" : "no",
                     user,tcp_clienthost ());

Now, what you want to look for is "SSL=no".  "SSL=yes" is for both TLS and
SSL connections.

If you use a non-plaintext authentication mechanism (such as GSSAPI or
CRAM-MD5), you will want to filter those out from the log, e.g.

grep SSL=no syslog | grep -v CRAM-MD5

> The final goal is to only support imapd over ssl.

You should continue to allow port 143 sessions, since TLS uses port 143
with the STARTTLS command.  Port 993 (SSL) is obsolete.

To disable plaintext passwords when the session is not encrypted (but
allow passwords when the session is encrypted), build the IMAP toolkit
with the option SSLTYPE=nopwd

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.

"A single glass of champagne imparts a feeling of exhilaration.  The
nerves are braced; the imagination is agreeably stirred; the wits become
more nimble.  A bottle produces a contrary effect.  Excess causes a
comatose insensibility.  So it is with war; and the quality of both is
best discovered by sipping."  -- Winston Churchill
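An added example (not part of the original thread or of the IMAP toolkit) of the log review the message describes: it parses the two patched syslog formats above, keeps only "SSL=no" entries, and drops the non-plaintext mechanisms (CRAM-MD5, GSSAPI) the way the grep -v does. It assumes the %s in the "Authenticated" line is the AUTHENTICATE mechanism name and that the host field is the "name [ip]" string tcp_clienthost() returns; the log lines are constructed.

```python
import re

# Patched imapd syslog formats from the message (syslog prefix precedes them):
#   "Authenticated <mech> SSL=<yes|no> user=<u> host=<h>"  (AUTHENTICATE)
#   "Login SSL=<yes|no> user=<u> host=<h>"                 (LOGIN command)
# host= is matched to end of line because tcp_clienthost() yields "name [ip]".
AUTH_RE = re.compile(
    r"Authenticated (?P<mech>\S+) SSL=(?P<ssl>yes|no) user=(?P<user>\S+) host=(?P<host>.+)$")
LOGIN_RE = re.compile(
    r"Login SSL=(?P<ssl>yes|no) user=(?P<user>\S+) host=(?P<host>.+)$")

# Mechanisms that never put the password on the wire; filtered out exactly
# as the message's "grep -v CRAM-MD5" does (set is an assumption, extend as needed).
NON_PLAINTEXT = {"CRAM-MD5", "GSSAPI"}

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "Sep  9 10:01:02 mailhost imapd[2101]: Login SSL=no user=alice host=pc1.example.edu [10.1.2.3]",
    "Sep  9 10:01:05 mailhost imapd[2102]: Login SSL=yes user=bob host=pc2.example.edu [10.1.2.4]",
    "Sep  9 10:01:09 mailhost imapd[2103]: Authenticated CRAM-MD5 SSL=no user=dave host=pc3.example.edu [10.1.2.5]",
    "Sep  9 10:01:12 mailhost imapd[2104]: Authenticated PLAIN SSL=no user=carol host=pc4.example.edu [10.1.2.6]",
    "Sep  9 10:01:15 mailhost imapd[2105]: Authenticated GSSAPI SSL=yes user=erin host=pc5.example.edu [10.1.2.7]",
]


def plaintext_unencrypted(lines):
    """Return (user, host, mechanism) for each password sent in the clear
    over a session that had neither SSL nor TLS in effect."""
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            if m["ssl"] == "no" and m["mech"].upper() not in NON_PLAINTEXT:
                hits.append((m["user"], m["host"], m["mech"].upper()))
            continue
        m = LOGIN_RE.search(line)
        if m and m["ssl"] == "no":
            # LOGIN always carries the password in the clear.
            hits.append((m["user"], m["host"], "LOGIN"))
    return hits


def users_to_migrate(lines):
    """Distinct users still sending plaintext passwords without encryption."""
    return sorted({user for user, _, _ in plaintext_unencrypted(lines)})


if __name__ == "__main__":
    for user, host, mech in plaintext_unencrypted(SAMPLE_LOG):
        print(f"{user:10} {mech:9} {host}")
    print("migrate:", ", ".join(users_to_migrate(SAMPLE_LOG)))
```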
