Re: digest-md5 password store

Ken Murchison wrote:
> The SASLv1 library used to store a non-plaintext secret for use with DIGEST-MD5. In fact, it stored separate secrets for each mechanism. In SASLv2, it was decided to use a single plaintext secret. Part of this decision was based on the fact that the DIGEST-MD5 secret was tied to the servername/domain, which made the database non-portable.

And I've complained about that decision ever since. I still maintain that it was a _terrible_ idea :-(

As someone else said, it is possible to store an interim hash that is user and realm specific to avoid storing the plain text password. If you want portability, you just have to use the same realm on all servers in the same authentication group. _You_ get to choose the scope of validity for the stored secret. Sadly with cyrus-sasl v2 the maintainers have chosen for you, and they chose the entire known universe :-(

-- 
Carson

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: digest-md5 password store

On Dec 5, 2007 9:42 PM, Guillermo Gómez [EMAIL PROTECTED] wrote:
>> pam_mysql would correlate to saslauthd, and the cyrus sasl plugin would correlate to auxprop. See documentation on the SASL pwcheck_method setting (sasl_pwcheck_method in /etc/imapd.conf).
>>
>> When set to saslauthd, the pwcheck_method will allow the use of the PLAIN and LOGIN mechanisms, and will pass the username and password from the client on to PAM. PAM can internally hash the password and compare it against an already md5/crypted password.
>>
>> When set to auxprop, SASL will retrieve the cleartext password and use it to compare (in the case of PLAIN and LOGIN), or to use in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
>>
>> The auxprop plugin gives you the ability to authenticate using the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and probably more). saslauthd only gives you the ability to authenticate using PLAIN and LOGIN (I believe), which may or may not be sufficient for you.
>>
>> - Dan
>
> Thanks Dan, I'm reading and trying to digest all the material available.
>
> What the customer wants is:
> 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
> 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)

encryption <> md5 hashing! You can decrypt, you cannot unhash! "md5 encrypted" has no meaning for me!

The questions are:

1. If someone stole the secured information (aka the password) stored on your server, can he use it to authenticate to your server? This is what md5 tries to avoid.
2. If someone sniffs the authentication process, can he guess the password? This is what md5-digest tries to avoid.

If you want both kinds of security, you need to encrypt your authentication process and store password hashes.

> Is this combination possible?
>
> Guillermo
>
> -- 
> Ing.Guillermo Gomez S.
> http://fedora.gomix.org

-- 
Alain Spineux
aspineux gmail com
May the sources be with you
Re: digest-md5 password store

Guillermo Gómez wrote:
>> pam_mysql would correlate to saslauthd, and the cyrus sasl plugin would correlate to auxprop. See documentation on the SASL pwcheck_method setting (sasl_pwcheck_method in /etc/imapd.conf).
>>
>> When set to saslauthd, the pwcheck_method will allow the use of the PLAIN and LOGIN mechanisms, and will pass the username and password from the client on to PAM. PAM can internally hash the password and compare it against an already md5/crypted password.
>>
>> When set to auxprop, SASL will retrieve the cleartext password and use it to compare (in the case of PLAIN and LOGIN), or to use in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
>>
>> The auxprop plugin gives you the ability to authenticate using the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and probably more). saslauthd only gives you the ability to authenticate using PLAIN and LOGIN (I believe), which may or may not be sufficient for you.
>>
>> - Dan
>
> Thanks Dan, I'm reading and trying to digest all the material available.
>
> What the customer wants is:
> 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
> 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)
>
> Is this combination possible?

The SASLv1 library used to store a non-plaintext secret for use with DIGEST-MD5. In fact, it stored separate secrets for each mechanism. In SASLv2, it was decided to use a single plaintext secret. Part of this decision was based on the fact that the DIGEST-MD5 secret was tied to the servername/domain, which made the database non-portable.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Re: digest-md5 password store

On Dec 5, 2007 9:52 AM, Guillermo Gómez [EMAIL PROTECTED] wrote:
> afaik the digest-md5 occurs between cyrus and the imap client (AUTHENTICATE command) so my doubt is about the user db and password store. Is the password stored in plain text? (mysql auth like http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/cyrus-config.html )

digest methods require knowing the original password on both sides, not simply a hash on one side like PLAIN or LOGIN.

Regards

> kind regards
>
> -- 
> Ing.Guillermo Gomez S.

-- 
Alain Spineux
aspineux gmail com
May the sources be with you
Re: digest-md5 password store

> On Dec 5, 2007 9:52 AM, Guillermo Gómez [EMAIL PROTECTED] wrote:
>> afaik the digest-md5 occurs between cyrus and the imap client (AUTHENTICATE command) so my doubt is about the user db and password store. Is the password stored in plain text? (mysql auth like http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/cyrus-config.html )
>
> digest methods require knowing the original password on both sides, not simply a hash on one side like PLAIN or LOGIN.

Thanks, :)

I've been looking into how to make cyrus imap work with mysql and found two options:
- cyrus pam with pam_mysql
- cyrus sasl sql plugin

In the first one it looks like the store can have the password MD5 encrypted. The second one needs the passwords in the clear in the db. The customer says they have a mysql db with md5 passwords in it.

I'm still confused on how this should work, can anyone please give me some insights in this regard?

> Regards
>
>> kind regards
>>
>> -- 
>> Ing.Guillermo Gomez S.
>
> -- 
> Alain Spineux
> aspineux gmail com
> May the sources be with you

-- 
Ing.Guillermo Gomez S.
http://fedora.gomix.org
Re: digest-md5 password store

Guillermo Gómez wrote:
> I've been looking into how to make cyrus imap work with mysql and found two options:
> - cyrus pam with pam_mysql
> - cyrus sasl sql plugin
>
> In the first one it looks like the store can have the password MD5 encrypted. The second one needs the passwords in the clear in the db. The customer says they have a mysql db with md5 passwords in it.
>
> I'm still confused on how this should work, can anyone please give me some insights in this regard?

pam_mysql would correlate to saslauthd, and the cyrus sasl plugin would correlate to auxprop. See documentation on the SASL pwcheck_method setting (sasl_pwcheck_method in /etc/imapd.conf).

When set to saslauthd, the pwcheck_method will allow the use of the PLAIN and LOGIN mechanisms, and will pass the username and password from the client on to PAM. PAM can internally hash the password and compare it against an already md5/crypted password.

When set to auxprop, SASL will retrieve the cleartext password and use it to compare (in the case of PLAIN and LOGIN), or to use in multi-step negotiation of other mechanisms, such as DIGEST-MD5.

The auxprop plugin gives you the ability to authenticate using the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and probably more). saslauthd only gives you the ability to authenticate using PLAIN and LOGIN (I believe), which may or may not be sufficient for you.

- Dan
Re: digest-md5 password store

> pam_mysql would correlate to saslauthd, and the cyrus sasl plugin would correlate to auxprop. See documentation on the SASL pwcheck_method setting (sasl_pwcheck_method in /etc/imapd.conf).
>
> When set to saslauthd, the pwcheck_method will allow the use of the PLAIN and LOGIN mechanisms, and will pass the username and password from the client on to PAM. PAM can internally hash the password and compare it against an already md5/crypted password.
>
> When set to auxprop, SASL will retrieve the cleartext password and use it to compare (in the case of PLAIN and LOGIN), or to use in multi-step negotiation of other mechanisms, such as DIGEST-MD5.
>
> The auxprop plugin gives you the ability to authenticate using the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and probably more). saslauthd only gives you the ability to authenticate using PLAIN and LOGIN (I believe), which may or may not be sufficient for you.
>
> - Dan

Thanks Dan, I'm reading and trying to digest all the material available.

What the customer wants is:
1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)

Is this combination possible?

Guillermo

-- 
Ing.Guillermo Gomez S.
http://fedora.gomix.org
Re: digest-md5 password store

Guillermo Gómez wrote:
> Thanks Dan, I'm reading and trying to digest all the material available.
>
> What the customer wants is:
> 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
> 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)
>
> Is this combination possible?

I've seen mention of a way to store md5 hashes for use with DIGEST-MD5, but I believe it has to be the md5 of 'user:realm:password'. See RFC 2831, section 3.9.

- Dan
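An added example, written for this archive and not taken from any message in the thread, that works through the RFC 2831 section 3.9 arithmetic Dan cites and the realm-bound "interim hash" Carson describes: the server verifies a DIGEST-MD5 response using only the stored MD5(user:realm:password), never the plaintext, and the same stored value cannot serve a server in a different realm. The username, realm names, nonces, digest-uri and password are constructed sample values.

```python
import hashlib
import hmac

# Added example, not from the thread: RFC 2831 DIGEST-MD5 arithmetic showing that
# the server can verify with only H(username:realm:password) stored, no plaintext.

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """16 raw bytes of MD5(username:realm:password): the interim secret a server
    may store instead of the plaintext (RFC 2831 section 3.9). Bound to the realm."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def response_value(secret: bytes, nonce: str, cnonce: str, nc: str,
                   qop: str, digest_uri: str, server_auth: bool = False) -> str:
    """response-value (client) or rspauth (server) per RFC 2831 section 2.1.2.1."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")    # raw digest bytes, then text
    a2 = ("" if server_auth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()

def client_response(username, realm, password, nonce, cnonce, nc, qop, uri) -> str:
    """The client knows the plaintext and recomputes the realm-bound secret itself."""
    return response_value(stored_secret(username, realm, password),
                          nonce, cnonce, nc, qop, uri)

def server_verify(db_secret: bytes, client_resp: str,
                  nonce, cnonce, nc, qop, uri) -> bool:
    """Server-side check using only the stored hash from its user database."""
    expected = response_value(db_secret, nonce, cnonce, nc, qop, uri)
    return hmac.compare_digest(expected, client_resp)

def demo() -> tuple:
    # Constructed sample values; a real server issues a fresh random nonce each time.
    user, pw, uri = "alice", "correct horse", "imap/mail.example.com"
    nonce, cnonce, nc, qop = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
    db = stored_secret(user, "mail.example.com", pw)       # what the DB holds
    resp = client_response(user, "mail.example.com", pw, nonce, cnonce, nc, qop, uri)
    same_realm = server_verify(db, resp, nonce, cnonce, nc, qop, uri)
    # The same user/password hashed under another realm is a different secret,
    # so a server in that realm cannot verify: the store is not portable.
    db_other = stored_secret(user, "mail.example.org", pw)
    other_realm = server_verify(db_other, resp, nonce, cnonce, nc, qop, uri)
    return same_realm, other_realm   # (True, False)
```

Note that the stored value is still an unsalted MD5 of a short string, so a stolen store is only as strong as the passwords in it; the gain over plaintext is that the hash is usable only against the realm it was computed for.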