On 25 Feb 2003, Rodolfo J. Paiz wrote:
> On Mon, 2003-02-24 at 23:18, Gordon Messmer wrote:
> > In order to use the *-MD5 AUTH types, you must use saslpasswd to store
> > the users' plain text password in /etc/sasldb.
>
> Thank you. But how is this a good thing? Even /etc/shadow is encrypted,
> for God's sake...
It's a principle of the encryption/hash algorithms used. You either have to store the encrypted password and send the plain text version (as with /etc/shadow), or store the plain text password and send a hashed version (as with APOP, CRAM-MD5, CRAM-SHA1, DIGEST-MD5, etc.). You can't store an encrypted version and also send an encrypted version over the wire, because there's no way to compare the two.

We just had a very long discussion about this on the Courier-MTA list, around the end of which someone mentioned SRP as a technology without that limitation. When I get an internet connection at home again (I'm moving), I'll be looking into that more. I wonder why it's not more widely used?

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
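The two models the reply contrasts, as an added example that is not part of the thread: the /etc/shadow model (server keeps a salted hash, client sends the plaintext) and the CRAM-MD5 model (client sends an HMAC over a server challenge, so the server must key the same HMAC with the stored plaintext). The sample credential, the hostname and the SHA-256 salted hash standing in for the shadow hash are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential; not taken from the original thread.
USER, PASSWORD = "alice", "correct horse battery"

# Model 1 (the /etc/shadow way): store only a salted hash, client sends plaintext.
def shadow_entry(password, salt=None):
    """Return (salt, salted SHA-256 digest); the plaintext is never kept."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

def plain_login(password_sent, entry):
    """Server re-hashes the plaintext it just received and compares to storage."""
    salt, stored = entry
    candidate = hashlib.sha256(salt + password_sent.encode()).digest()
    return hmac.compare_digest(candidate, stored)

# Model 2 (the CRAM-MD5 way): client proves the password over a challenge.
def make_challenge(host="mail.example.test"):
    """RFC 2195-style challenge string '<random.random@host>' (constructed host)."""
    return f"<{secrets.randbits(32)}.{secrets.randbits(32)}@{host}>"

def cram_response(password, challenge):
    """Client: HMAC-MD5 keyed with the password, over the server's challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()

def cram_verify(response, challenge, stored_secret):
    """Server: recompute the HMAC with whatever secret it has on disk as the key."""
    expected = hmac.new(stored_secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(response, expected)

def demo():
    """Run both models once and report which verification paths can succeed."""
    salt, digest = shadow_entry(PASSWORD)
    challenge = make_challenge()
    resp = cram_response(PASSWORD, challenge)
    return {
        "shadow_plain_ok": plain_login(PASSWORD, (salt, digest)),
        # sasldb holds the plaintext, so the server can key the same HMAC.
        "cram_with_sasldb_plaintext": cram_verify(resp, challenge, PASSWORD),
        # Keying the HMAC with the shadow-style hash instead: the two sides never agree,
        # which is the "no way to compare the two" problem in the reply.
        "cram_with_shadow_hash": cram_verify(resp, challenge, digest.hex()),
    }

if __name__ == "__main__":
    print(demo())
```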