MD5 Passwords in MySql?
In my /etc/imapd.conf I'm using:

    sasl_auxprop_plugin:sql
    sasl_sql_engine:mysql

I want to store MD5 hashed passwords in my database. Is this possible?

I was thinking about modifying the sql plugin to MD5 the password before comparison, but...

I'm no C programmer so understanding sql.c (the plugin source) is quite beyond me. It looks as though we just check for the presence of the password and don't actually compare passwords! Surely I'm wrong here?

I could use a symmetric encryption, e.g. AES, and place the necessary decrypt in the sasl_sql_select statement, but that seems a bit pointless since the key is now visible in various logs.

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: MD5 Passwords in MySql?
On Sun, 2013-03-24 at 14:21 +, Charles Bradshaw wrote:
> In my /etc/imapd.conf I'm using:
> sasl_auxprop_plugin:sql
> sasl_sql_engine:mysql
> I want to store MD5 hashed passwords in my database. Is this possible?

I would *assume* that the database doesn't much care about the hashing/encoding of the password/secret - I'd *assume* it just stores and retrieves it. Concerns for the validity of the secret are up-the-stack, in SASL proper, and not in the storage plugin. I could be wrong; I've mostly dealt with storing credentials in LDAP.

> I was thinking about modifying the sql plugin to MD5 the password before
> comparison, but...

That seems wrong to me. Can't you just tell SASL via configuration that you want to use MD5?

> I'm no C programmer so understanding sql.c (the plugin source) is quite
> beyond me. It looks as though we just check for the presence of the
> password and don't actually compare passwords! Surely I'm wrong here?

That is what I would *assume* it does. And correctly.

> I could use a symmetric encryption, e.g. AES, and place the necessary
> decrypt in the sasl_sql_select statement, but that seems a bit pointless
> since the key is now visible in various logs.

That seems very wrong to me. I wonder why you care how credentials are stored; is SASL authentication not working?
Re: MD5 Passwords in MySql?
Adam

Gently... This question has been asked before, but remains unanswered. I am using sendmail and cyrus-imapd, not Postfix or LDAP, for which the MD5 password in mysql problem appears to have been solved.

On Sun, 2013-03-24 at 14:12 -0400, Adam Tauno Williams wrote:
> On Sun, 2013-03-24 at 14:21 +, Charles Bradshaw wrote:
> > In my /etc/imapd.conf I'm using:
> > sasl_auxprop_plugin:sql
> > sasl_sql_engine:mysql
> > I want to store MD5 hashed passwords in my database. Is this possible?
>
> I would *assume* that the database doesn't much care about the
> hashing/encoding of the password/secret - I'd *assume* it just stores
> and retrieves it.

The database might not care, but something does. The question is what? Or even how to configure cyrus to use MD5 hashed passwords with the sql plugin. Because I'm dealing with virtual domains, passwords are stored ONLY in the database. My users have no accounts or passwords stored elsewhere.

> Concerns for the validity of the secret are up-the-stack, in SASL
> proper, and not in the storage plugin.

OK, specifically, where up the stack is the password checked?

> I could be wrong; I've mostly dealt with storing credentials in LDAP.

LDAP is a whole other can of worms and not appropriate to my circumstances.

> > I was thinking about modifying the sql plugin to MD5 the password before
> > comparison, but...
>
> That seems wrong to me. Can't you just tell SASL via configuration that
> you want to use MD5?

Obviously I can't! I wouldn't have asked the question otherwise. Answering a question with the same question is absurd.

> > I'm no C programmer so understanding sql.c (the plugin source) is quite
> > beyond me. It looks as though we just check for the presence of the
> > password and don't actually compare passwords! Surely I'm wrong here?
>
> That is what I would *assume* it does. And correctly.

So where is the password compared?

> > I could use a symmetric encryption, e.g. AES, and place the necessary
> > decrypt in the sasl_sql_select statement, but that seems a bit pointless
> > since the key is now visible in various logs.
>
> That seems very wrong to me.

It might be a kludge, but it's not wrong. It avoids storing plain text passwords, which are always a risk. The purpose of MD5 digest is to make passwords truly private to the user. Not even root knows users' passwords when stored in shadow(MD5).

The only risk to shadow passwords is a brute force attack which is relatively easy to detect and foil.

> I wonder why you care how credentials are stored; is SASL authentication
> not working?

No, I have authentication working fine. I care because mysql is the mechanism I prefer.
Re: MD5 Passwords in MySql?
On 25/03/2013, at 7:33, Charles Bradshaw wrote:
>> That seems very wrong to me.
>
> It might be a kludge, but it's not wrong. It avoids storing plain text
> passwords, which are always a risk. The purpose of MD5 digest is to make
> passwords truly private to the user. Not even root knows users' passwords
> when stored in shadow(MD5).
>
> The only risk to shadow passwords is a brute force attack which is
> relatively easy to detect and foil.

FYI a single round of MD5 is considered quite weak these days.

The whole point of hashing a password is to make it difficult to find a password if the password DB is leaked. MD5 is no longer sufficient for this (even with salt).

A modern GPU can brute force billions of passwords per second and humans suck at generating them.

--
Daniel O'Connor
software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: MD5 Passwords in MySql?
Daniel

Yes I understand and accept the weakness of MD5. In the world of exponentially increasing processing power there will always be weakness, of ANY scheme.

The question is not however about the efficacy of encryption methods! It's about how to achieve password hashing in a mysql database.

I have indicated how to use AES. Its strength however is compromised by the necessity of revealing the key in many places.

I would be most grateful, if anybody KNOWS:

Is there a way to store MD5 hashed passwords when using the mysql plugin?

Security through obscurity is always a bad principle.

On Mon, 2013-03-25 at 08:59 +1030, Daniel O'Connor wrote:
> On 25/03/2013, at 7:33, Charles Bradshaw wrote:
> >> That seems very wrong to me.
> >
> > It might be a kludge, but it's not wrong. It avoids storing plain text
> > passwords, which are always a risk. The purpose of MD5 digest is to make
> > passwords truly private to the user. Not even root knows users' passwords
> > when stored in shadow(MD5).
> >
> > The only risk to shadow passwords is a brute force attack which is
> > relatively easy to detect and foil.
>
> FYI a single round of MD5 is considered quite weak these days.
>
> The whole point of hashing a password is to make it difficult to find a
> password if the password DB is leaked. MD5 is no longer sufficient for this
> (even with salt).
>
> A modern GPU can brute force billions of passwords per second and humans suck
> at generating them.
>
> --
> Daniel O'Connor software and network engineer
Re: MD5 Passwords in MySql?
On Mon, 2013-03-25 at 11:40 +, Charles Bradshaw wrote:
> Yes I understand and accept the weakness of MD5. In the world of
> exponentially increasing processing power there will always be weakness,
> of ANY scheme.
> The question is not however about the efficacy of encryption methods!
> It's about how to achieve password hashing in a mysql database.
> I have indicated how to use AES. Its strength however is compromised by
> the necessity of revealing the key in many places.
> I would be most grateful, if anybody KNOWS:
> Is there a way to store MD5 hashed passwords when using the mysql
> plugin?

I have no clue. BUT I still wonder what the end-goal is. If you are actually worried about theft of the underlying database then it would seem volume encryption is the correct answer - encrypt the entire database, on disk. That isn't hard and doesn't require modification of any software.

Anyway, storing essentially clear-text credentials in the authorization database (be it a KDC, an LDAP server, an Active Directory server, etc...) is normal, accepted, and common. Most worthwhile authorization schemes require an 'effectively' clear-text secret on both ends. Guard the credential database and ensure communication channels are secure [encrypted]. "Make /etc/passwd useless" is an abandoned meme, you cannot win that fight.

> Security through obscurity is always a bad principle.

No one here is recommending that or stating that it is.

> On Mon, 2013-03-25 at 08:59 +1030, Daniel O'Connor wrote:
> > On 25/03/2013, at 7:33, Charles Bradshaw wrote:
> > >> That seems very wrong to me.
> > > It might be a kludge, but it's not wrong. It avoids storing plain text
> > > passwords, which are always a risk. The purpose of MD5 digest is to make
> > > passwords truly private to the user. Not even root knows users' passwords
> > > when stored in shadow(MD5).
> > > The only risk to shadow passwords is a brute force attack which is
> > > relatively easy to detect and foil.
> > FYI a single round of MD5 is considered quite weak these days.
> > The whole point of hashing a password is to make it difficult to find a
> > password if the password DB is leaked. MD5 is no longer sufficient for this
> > (even with salt).
> > A modern GPU can brute force billions of passwords per second and humans
> > suck at generating them.
Re: MD5 Passwords in MySql?
Adam

The end goal was simply stated previously: 'To store MD5 hashed passwords in a mysql database'. My reasons for wanting to do so are complex and NOT the subject of the thread. Had I been seeking general advice about possibilities I might have asked: Is it advisable to do such and such? Or maybe, what do you advise as a method of increasing security of the password file?

We could debate the pros and cons of various security stratagems for ever! I suggest that this is not the place to do so. For starters the internet is becoming swamped with: "Well why don't you use Dovecot and Postfix, they're much simpler to configure?" or "Why don't you use XYZ because I find it blah blah blah?"

In my view, understanding network security, with a view to making educated decisions, is better accomplished by studying some of the many excellent books on the subject, and vigilance of the emergent cracking techniques. Sadly mailing lists are becoming increasingly useless because of the phenomenon of answering questions with, oft, irrelevant questions! It is gratifying, but wholly pointless, that somebody says; "I have no clue."

It seems entirely reasonable to me to MD5 the raw passwords because it provides a simple extra layer of defence against a penetrated password file. Yes, a further layer might be to encrypt the entire disk, but at what cost? Who knows, I might be running my database on a 486 with slow old IDE disk drives! No, I don't, but you will take the point.

Since it is clear that nobody knows how to do the MD5 thing out of the box, or perhaps it's impossible? Maybe I'll resort to reading the code with a view to doing my own mod. Hmm... probably not though, the code is evil!

On Mon, 2013-03-25 at 07:50 -0400, Adam Tauno Williams wrote:
> On Mon, 2013-03-25 at 11:40 +, Charles Bradshaw wrote:
> > Yes I understand and accept the weakness of MD5. In the world of
> > exponentially increasing processing power there will always be weakness,
> > of ANY scheme.
> > The question is not however about the efficacy of encryption methods!
> > It's about how to achieve password hashing in a mysql database.
> > I have indicated how to use AES. Its strength however is compromised by
> > the necessity of revealing the key in many places.
> > I would be most grateful, if anybody KNOWS:
> > Is there a way to store MD5 hashed passwords when using the mysql
> > plugin?
>
> I have no clue. BUT I still wonder what the end-goal is. If you are
> actually worried about theft of the underlying database then it would
> seem volume encryption is the correct answer - encrypt the entire
> database, on disk. That isn't hard and doesn't require modification of
> any software.
>
> Anyway, storing essentially clear-text credentials in the authorization
> database (be it a KDC, an LDAP server, an Active Directory server,
> etc...) is normal, accepted, and common. Most worthwhile authorization
> schemes require an 'effectively' clear-text secret on both ends. Guard
> the credential database and ensure communication channels are secure
> [encrypted]. "Make /etc/passwd useless" is an abandoned meme, you
> cannot win that fight.
>
> > Security through obscurity is always a bad principle.
>
> No one here is recommending that or stating that it is.
>
> > On Mon, 2013-03-25 at 08:59 +1030, Daniel O'Connor wrote:
> > > On 25/03/2013, at 7:33, Charles Bradshaw wrote:
> > > >> That seems very wrong to me.
> > > > It might be a kludge, but it's not wrong. It avoids storing plain text
> > > > passwords, which are always a risk. The purpose of MD5 digest is to make
> > > > passwords truly private to the user. Not even root knows users' passwords
> > > > when stored in shadow(MD5).
> > > > The only risk to shadow passwords is a brute force attack which is
> > > > relatively easy to detect and foil.
> > > FYI a single round of MD5 is considered quite weak these days.
> > > The whole point of hashing a password is to make it difficult to find a
> > > password if the password DB is leaked. MD5 is no longer sufficient for
> > > this (even with salt).
> > > A modern GPU can brute force billions of passwords per second and humans
> > > suck at generating them.
Re: MD5 Passwords in MySql?
On Sun, 24 Mar 2013, Charles Bradshaw wrote:
> In my /etc/imapd.conf I'm using:
>
> sasl_auxprop_plugin:sql
> sasl_sql_engine:mysql
>
> I want to store MD5 hashed passwords in my database. Is this possible?
>
> I was thinking about modifying the sql plugin to MD5 the password before
> comparison, but...
>
> I'm no C programmer so understanding sql.c (the plugin source) is quite
> beyond me. It looks as though we just check for the presence of the
> password and don't actually compare passwords! Surely I'm wrong here?
>
> I could use a symmetric encryption, e.g. AES, and place the necessary
> decrypt in the sasl_sql_select statement, but that seems a bit pointless
> since the key is now visible in various logs.

This could be illuminating:

http://serverfault.com/questions/81958/postfix-sasl-mysql-use-md5-encryption

They suggest using the pam_mysql module so that you can specify the password storage format.

It appears the SQL auxprop plugin only works with passwords stored in plaintext.

Andy
Re: MD5 Passwords in MySql?
Andy

Thanks for the link. If you read on you will see that while PAM allows storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can then NOT be used. That's definitely a step in the wrong direction.

I'm coming to the conclusion that I need to understand the code well enough to add something to cyrus, but sadly I'm just too old to grok the tangle of C.

I think the thread is now dead. Thanks for all contributions.

Charles Bradshaw.

On Mon, 2013-03-25 at 13:56 -0700, Andrew Morgan wrote:
> On Sun, 24 Mar 2013, Charles Bradshaw wrote:
>
> > In my /etc/imapd.conf I'm using:
> >
> > sasl_auxprop_plugin:sql
> > sasl_sql_engine:mysql
> >
> > I want to store MD5 hashed passwords in my database. Is this possible?
> >
> > I was thinking about modifying the sql plugin to MD5 the password before
> > comparison, but...
> >
> > I'm no C programmer so understanding sql.c (the plugin source) is quite
> > beyond me. It looks as though we just check for the presence of the
> > password and don't actually compare passwords! Surely I'm wrong here?
> >
> > I could use a symmetric encryption, e.g. AES, and place the necessary
> > decrypt in the sasl_sql_select statement, but that seems a bit pointless
> > since the key is now visible in various logs.
>
> This could be illuminating:
>
> http://serverfault.com/questions/81958/postfix-sasl-mysql-use-md5-encryption
>
> They suggest using the pam_mysql module so that you can specify the
> password storage format.
>
> It appears the SQL auxprop plugin only works with passwords stored in
> plaintext.
>
> Andy
Re: MD5 Passwords in MySql?
On Mon, Mar 25, 2013 at 09:32:16PM +, Charles Bradshaw wrote:
> Andy
>
> Thanks for the link. If you read on you will see that while PAM allows
> storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> then NOT be used. That's definitely a step in the wrong direction.
>
> I'm coming to the conclusion that I need to understand the code well enough
> to add something to cyrus, but sadly I'm just too old to grok the tangle
> of C.

Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext password across the wire by hashing something with the cleartext password. These authentication methods require that the cleartext password be known (or at least recoverable) by the server and the client.

Therefore, the server cannot be using a non-reversible hash of the password for its password store.

You can store cleartext passwords in your password database and avoid passing passwords in cleartext across the wire.

OR

You can store hashed passwords in your password database and pass cleartext passwords over the wire, hopefully inside an SSL/TLS connection.

http://en.wikipedia.org/wiki/Digest_access_authentication

http://en.wikipedia.org/wiki/CRAM-MD5

If you use crypted MD5 hashed passwords in your database, you will have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.

My system is not running in that configuration so I am not certain that you can tell saslauthd to use a mysql database for encrypted password storage.

--
Scott Lambert KC5MLE Unix SysAdmin
lamb...@lambertfam.org
Re: MD5 Passwords in MySql?
On Mon, 2013-03-25 at 17:03 -0500, Scott Lambert wrote:
> On Mon, Mar 25, 2013 at 09:32:16PM +, Charles Bradshaw wrote:
> > Andy
> > Thanks for the link. If you read on you will see that while PAM allows
> > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > then NOT be used. That's definitely a step in the wrong direction.
> > I'm coming to the conclusion that I need to understand the code well enough
> > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > of C.
> Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> password across the wire by hashing something with the cleartext
> password. These authentication methods require that the cleartext
> password be known (or at least recoverable) by the server and the
> client.

Yep, which was pointed out originally. If the cred store is encrypted it needs to be a two-way crypt [can be decrypted]. So you basically have a crypted filesystem store anyway.

> Therefore, the server cannot be using a non-reversible hash of the
> password for its password store.
> You can store cleartext passwords in your password database and
> avoid passing passwords in cleartext across the wire.
> OR
> You can store hashed passwords in your password database and pass
> cleartext passwords over the wire, hopefully inside an SSL/TLS
> connection.

+1

> If you use crypted MD5 hashed passwords in your database, you will
> have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
> My system is not running in that configuration so I am not certain
> that you can tell saslauthd to use a mysql database for encrypted
> password storage.

I use saslauthd to a PostgreSQL database that stores crypted passwords - but it can only do PLAIN/LOGIN in that configuration, none of the newer mechs that all the cool kids are using.
Re: MD5 Passwords in MySql?
Thanks Guys

I think it's finally sunk in. DIGEST-MD5 and CRAM-MD5 are mutually exclusive with hashed passwords.

D'oh! I think I even posted that fact in answer to a previous thread.

On Mon, 2013-03-25 at 21:09 -0400, Adam Tauno Williams wrote:
> On Mon, 2013-03-25 at 17:03 -0500, Scott Lambert wrote:
> > On Mon, Mar 25, 2013 at 09:32:16PM +, Charles Bradshaw wrote:
> > > Andy
> > > Thanks for the link. If you read on you will see that while PAM allows
> > > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > > then NOT be used. That's definitely a step in the wrong direction.
> > > I'm coming to the conclusion that I need to understand the code well enough
> > > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > > of C.
> > Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> > password across the wire by hashing something with the cleartext
> > password. These authentication methods require that the cleartext
> > password be known (or at least recoverable) by the server and the
> > client.
>
> Yep, which was pointed out originally. If the cred store is encrypted
> it needs to be a two-way crypt [can be decrypted]. So you basically
> have a crypted filesystem store anyway.
>
> > Therefore, the server cannot be using a non-reversible hash of the
> > password for its password store.
> > You can store cleartext passwords in your password database and
> > avoid passing passwords in cleartext across the wire.
> > OR
> > You can store hashed passwords in your password database and pass
> > cleartext passwords over the wire, hopefully inside an SSL/TLS
> > connection.
>
> +1
>
> > If you use crypted MD5 hashed passwords in your database, you will
> > have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
> > My system is not running in that configuration so I am not certain
> > that you can tell saslauthd to use a mysql database for encrypted
> > password storage.
>
> I use saslauthd to a PostgreSQL database that stores crypted passwords -
> but it can only do PLAIN/LOGIN in that configuration, none of the newer
> mechs that all the cool kids are using.
Re: MD5 Passwords in MySql?
On Tue, 2013-03-26 at 10:17 +, Charles Bradshaw wrote:
> Thanks Guys
> I think it's finally sunk in. DIGEST-MD5 and CRAM-MD5 are mutually
> exclusive with hashed passwords.
> D'oh! I think I even posted that fact in answer to a previous thread.

No problem, it happens to us all. Yesterday I posted two messages to lists relating to issues that as soon as I posted them I found the answers right there in the documentation. Right there! I swear I had already looked twice.
Re: MD5 Passwords in MySql?
On 03/24/13 14:21 +, Charles Bradshaw wrote:
> In my /etc/imapd.conf I'm using:
>
> sasl_auxprop_plugin:sql
> sasl_sql_engine:mysql
>
> I want to store MD5 hashed passwords in my database. Is this possible?

SASL 2.1.26 contains support for 'pwcheck_method: auxprop-hashed', but it is undocumented. I believe it's based on a previously circulated patch that you can google for.

Using such a configuration will require you to use the PLAIN or LOGIN mechanisms (or pre-sasl login/pass IMAP authentication).

--
Dan White
Re: MD5 Passwords in MySql?
Scott Lambert : (Tue Mar 26 00:03:31 2013)
> On Mon, Mar 25, 2013 at 09:32:16PM +, Charles Bradshaw wrote:
> > Andy
> >
> > Thanks for the link. If you read on you will see that while PAM allows
> > storage of encrypted passwords in mysql, DIGEST-MD5 and CRAM-MD5 can
> > then NOT be used. That's definitely a step in the wrong direction.
> >
> > I'm coming to the conclusion that I need to understand the code well enough
> > to add something to cyrus, but sadly I'm just too old to grok the tangle
> > of C.
>
> Basically, Digest-MD5 and CRAM-MD5 avoid passing the cleartext
> password across the wire by hashing something with the cleartext
> password. These authentication methods require that the cleartext
> password be known (or at least recoverable) by the server and the
> client.
>
> Therefore, the server cannot be using a non-reversible hash of the
> password for its password store.
>
> You can store cleartext passwords in your password database and
> avoid passing passwords in cleartext across the wire.
>
> OR
>
> You can store hashed passwords in your password database and pass
> cleartext passwords over the wire, hopefully inside an SSL/TLS
> connection.
>
> http://en.wikipedia.org/wiki/Digest_access_authentication
>
> http://en.wikipedia.org/wiki/CRAM-MD5
>
> If you use crypted MD5 hashed passwords in your database, you will
> have to disable Digest-MD5 and CRAM-MD5 in your SASL auth mechanisms.
>
> My system is not running in that configuration so I am not certain
> that you can tell saslauthd to use a mysql database for encrypted
> password storage.

Secure Remote Password (SRP) may allow storing "hashed" passwords in the password database and passing only a challenge on the wire at the same time, but that is a different authentication method and unlikely to be supported. It does not matter if your server supports it if there are no clients.

And there is only

RFC 5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication
RFC 2945: The SRP Authentication and Key Exchange System
RFC 2944: Telnet Authentication: SRP

That is not a SASL method.

> --
> Scott Lambert KC5MLE Unix SysAdmin
> lamb...@lambertfam.org

/ Kari Hurtta
Re: MD5 Passwords in MySql?
Further to our previous discussion on the possibility of storing hashed passwords in the imap authentication database. I draw your attention to: http://www.ietf.org/rfc/rfc2195.txt, whose abstract clearly states; "This specification provides a simple challenge-response authentication protocol that is suitable for use with IMAP4. Since it utilizes Keyed-MD5 digests and does not require that the secret be stored in the clear on the server".

While I don't fully understand the cryptography details of the proposal it is clear that the requirement to avoid storing clear text passwords while retaining the security advantages of challenge-response is possible.

Is there the possibility to implement this?

Charles Bradshaw

On Tue, 2013-03-26 at 08:00 -0400, Adam Tauno Williams wrote:
> On Tue, 2013-03-26 at 10:17 +, Charles Bradshaw wrote:
> > Thanks Guys
> > I think it's finally sunk in. DIGEST-MD5 and CRAM-MD5 are mutually
> > exclusive with hashed passwords.
> > D'oh! I think I even posted that fact in answer to a previous thread.
>
> No problem, it happens to us all. Yesterday I posted two messages to
> lists relating to issues that as soon as I posted them I found the
> answers right there in the documentation. Right there! I swear I had
> already looked twice.
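Added example, written for this page and not posted by anyone in the thread, modelling the two verification paths Scott Lambert describes (CRAM-MD5 with a cleartext store versus PLAIN over TLS with a one-way hashed store) and showing why the RFC 2195 abstract quoted in the last message does not change the conclusion: a CRAM-MD5 server must recompute HMAC-MD5(password, challenge), so it needs the cleartext password or, as RFC 2195 permits, the precomputed keyed-MD5 intermediate state, which is password-equivalent for that server, and a one-way hash such as MD5-crypt cannot serve. Usernames, passwords, the hostname and the challenge are constructed sample values, and the one-way store uses PBKDF2-HMAC-SHA256 in place of the MD5-crypt discussed above.

```python
"""Two ways a SASL server can verify a password, and what each must store.

Path 1 (CRAM-MD5, RFC 2195): the wire carries a keyed digest, so the server
        needs the cleartext password (or password-equivalent HMAC key state).
Path 2 (PLAIN inside TLS): the wire carries the password, so the server can
        keep only a salted one-way hash.
All sample values below are constructed for this example.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # example cost; PBKDF2 stands in for MD5-crypt here


# ---- Path 1: CRAM-MD5 ------------------------------------------------------

def cram_md5_challenge(pid: int, timestamp: int, hostname: str) -> bytes:
    """Server challenge in the RFC 2195 form '<pid.timestamp@hostname>', base64."""
    return base64.b64encode(f"<{pid}.{timestamp}@{hostname}>".encode())


def cram_md5_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(password, challenge))', base64."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def cram_md5_verify(store: dict, challenge_b64: bytes, response_b64: bytes) -> bool:
    """Server side: recompute the keyed digest and compare in constant time.

    The HMAC key is the password itself, so only a record holding the
    cleartext (or HMAC key state derived from it) can be checked. A record
    holding a one-way hash offers nothing to key the MAC with.
    """
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    record = store.get(username)
    if record is None or record["scheme"] != "cleartext":
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(record["secret"].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# ---- Path 2: PLAIN with a salted one-way store -----------------------------

def make_hashed_record(password: str, salt: bytes = b"") -> dict:
    """Store only a random salt and the derived key, never the password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2", "salt": salt, "secret": dk}


def plain_verify(store: dict, authcid: str, password: str) -> bool:
    """Server side for PLAIN: re-derive from the password received on the wire."""
    record = store.get(authcid)
    if record is None or record["scheme"] != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(dk, record["secret"])


# ---- Constructed sample stores --------------------------------------------
CLEARTEXT_STORE = {"alice": {"scheme": "cleartext", "secret": "correct horse"}}
HASHED_STORE = {"alice": make_hashed_record("correct horse", salt=b"\x01" * 16)}


def demo() -> dict:
    """Run both paths against both stores; a hashed store cannot serve CRAM-MD5."""
    chal = cram_md5_challenge(1896, 697170952, "imap.example.com")
    good = cram_md5_response("alice", "correct horse", chal)
    bad = cram_md5_response("alice", "wrong", chal)
    return {
        "cram_good_cleartext_store": cram_md5_verify(CLEARTEXT_STORE, chal, good),
        "cram_bad_cleartext_store": cram_md5_verify(CLEARTEXT_STORE, chal, bad),
        "cram_good_hashed_store": cram_md5_verify(HASHED_STORE, chal, good),
        "plain_good_hashed_store": plain_verify(HASHED_STORE, "alice", "correct horse"),
        "plain_bad_hashed_store": plain_verify(HASHED_STORE, "alice", "wrong"),
        "hashed_store_holds_password": b"correct horse" in HASHED_STORE["alice"]["secret"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```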