Re: SASL, Debian, Chroot, and authentication
From: Simon White (simon at mtds.com)
Date: Tue Mar 04 2003 - 04:06:57 CST
03-Mar-03 at 14:19, foil at mothra.dyndns.org (foil at mothra.dyndns.org) wrote:
> Hello,
>
> I've been wrestling with SASL, Debian and postfix for a while now, and
> I think I've finally gotten it. The key problem was that after
> reading a particular news:mailing.postfix.users entry, it appears that
> the CRAM-MD5 driver that's in the sasl library always authenticates
> against sasldb, even if the sasl library is configured to authenticate
> against PAM or whatever.
>
> I've found that this is true. It causes major problems though since a
> number of clients (particularly Eudora) always use CRAM-MD5 if it's
> available.
CRAM-MD5 relies on having a plain-text password to create the
challenge. If you use an authentication method where your password is in
shadow, or crypt-password in MySQL, then it stands to reason that
CRAM-MD5 won't work.
Since PAM is unlikely to provide plain-text passwords, maybe the
default for SASL+CRAM-MD5 is sasldb, and you'd have to compile it
differently to play the game with, say, MySQL with plaintext
passwords...?
Thinking about this, I went to check the SASL documentation:
"Shared secrets mechanisms
The Cyrus SASL library also supports some "shared secret"
authentication methods: CRAM-MD5 and its successor DIGEST-MD5. These
methods rely on the client and the server sharing a "secret", usually a
password. The server generates a challenge and the client a response
proving that it knows the shared secret. This is much more secure than
simply sending the secret over the wire proving that the client knows
it.
There's a downside: in order to verify such responses, the server
must keep passwords or password equivalents in a database; if this
database is compromised, it is the same as if all the passwords for the
realm are compromised.
For simplicity's sake, the Cyrus SASL library stores plaintext
passwords only in the /etc/sasldb2 database. These passwords are then
shared among all mechanisms which choose to use it. Depending on the
exact database method used (gdbm, ndbm, or db) the file may have
different suffixes or may even have two different files ("sasldb.dir"
and "sasldb.pag"). It is also possible for a server to define its own
way of storing authentication secrets. Currently, no application is
known to do this."
My reading of this is that you're right: no way of plugging some
authentication DB into SASL for CRAM-MD5...
Regards,
--
[-------Fog in Rabat, 11°C/52°F. Wind: E strength 2. Humidity: 100%------]
Neutron stars are almost unimaginably dense: a teaspoon of neutron star
material weighs a billion tons (1.016 billion tonnes).
[Linux user 170823|XML Weather:www.interceptvector.com|.sig:vim/mutt/perl]
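The point the thread turns on, as a worked example added here (not code from either poster or from Cyrus SASL): CRAM-MD5 (RFC 2195) is HMAC-MD5 keyed with the password, so the server can only check a response if it holds the password itself or a keyed HMAC state derived from it. The sample accounts, secrets and hostname below are constructed for the demo; the "shadow" entry uses a salted SHA-256 purely as a stand-in for a crypt-style one-way hash.

```python
import hashlib
import hmac
import os
import time

# Constructed sample stores (assumptions for this example, not real data).
# SASLDB: plaintext shared secrets, the way /etc/sasldb2 holds them.
SASLDB = {"alice": b"correct horse battery staple"}
# EQUIV: a "password equivalent" -- the HMAC-MD5 context already keyed with the
# password.  No plaintext is kept, yet it answers any challenge, so its
# compromise equals compromise of the password (kept in memory here only).
EQUIV = {"carol": hmac.new(b"swordfish", None, hashlib.md5)}
# SHADOW: (salt, salted one-way hash), the shape PAM/shadow or a crypt column has.
SHADOW = {"bob": (b"NaCl", hashlib.sha256(b"NaCl" + b"hunter2").hexdigest())}


def make_challenge(hostname="mail.example.com"):
    """RFC 2195 challenge: a unique string in angle brackets, sent base64 on the wire."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode()


def client_response(username, password, challenge):
    """What an MUA that insists on CRAM-MD5 sends: 'user ' + hex(HMAC-MD5(password, challenge))."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def cram_md5_verify(response, challenge):
    """Server side.  Succeeds only when a shared secret (or keyed HMAC state) is on hand."""
    username, _, digest = response.decode().partition(" ")
    if username in SASLDB:
        expected = hmac.new(SASLDB[username], challenge, hashlib.md5).hexdigest()
    elif username in EQUIV:
        h = EQUIV[username].copy()      # reuse the keyed state, never the password
        h.update(challenge)
        expected = h.hexdigest()
    else:
        # A one-way hash cannot be turned back into an HMAC key, so a user who
        # exists only in SHADOW can never pass CRAM-MD5 -- the failure mode the
        # thread describes.
        return False
    return hmac.compare_digest(expected, digest)


def plain_verify(username, password):
    """The PLAIN/LOGIN path: the client sends the password, so a one-way hash is enough."""
    if username not in SHADOW:
        return False
    salt, stored = SHADOW[username]
    candidate = hashlib.sha256(salt + password).hexdigest()
    return hmac.compare_digest(candidate, stored)


def demo():
    """Returns (plaintext-backed OK, wrong password rejected, keyed-state OK,
    shadow-only user fails CRAM-MD5, same user succeeds with PLAIN)."""
    ch = make_challenge()
    return (
        cram_md5_verify(client_response("alice", b"correct horse battery staple", ch), ch),
        cram_md5_verify(client_response("alice", b"wrong", ch), ch),
        cram_md5_verify(client_response("carol", b"swordfish", ch), ch),
        cram_md5_verify(client_response("bob", b"hunter2", ch), ch),
        plain_verify("bob", b"hunter2"),
    )


if __name__ == "__main__":
    print(demo())
```

The `EQUIV` entry is the "password equivalent" the Cyrus documentation refers to: storing only the keyed HMAC state avoids a plaintext file, but whoever reads that state can impersonate the user just as well, which is why it offers no real protection over sasldb if the database leaks.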