Next message: OpenMacNews: "Re: on a similar note: enabling CRAM-MD5 auth for postfix+cyrus-imap+auxprop+mysql w/ encrypted passwords?"
OpenMacNews wrote:
> hi howard,
>
>>> (1) what needs to change in Cyrus in order to enable secret-based
>>> auth using encrypted pwds?
>>
>>
>> First reaction - it can't be done.
>
>
> well, ok. but, WHAT can't be done? secret-based authentication using
> encrypted pwds? or the Cyrus-end of the equation? I'd guess it's the
> latter, cuz the former certainly is doable on 'other' systems.
Shared-secret authentication such as DIGEST-MD5 using crypt()-encrypted
passwords or any other one-way encryption method is not possible. You
could define a new mechanism that used these one-way-encrypted passwords
as input, but then the encrypted passwords would be
plaintext-equivalent, and nothing is gained.
> so, are you suggesting that Cyrus is fundamentally flawed, or
> architected in a way that will _prevent_ such usage and function?
It's nothing to do with the design of Cyrus, it's all about how the
shared secret authentication methods work.
>>> given what i've read online, storing NOTHING in plaintext is a farily
>>> common policy, and use of mysql in this scenario is broadening ... so
>>> i'd propose that it's not unreasonable that others would like to see
>>> such a solution as well.
>>> (3) what will it take to get such support built directly into Cyrus?
>> In practice it could be done using a reversible encryption algorithm,
>> but that would also require that the encryption key be accessible to
>> the SASL library. In general this is viewed as a non-solution - if the
>> system's storage can be hacked to get to the data, then one can also
>> get to the key, and so having the secrets encrypted in the first place
>> is no more secure than leaving them plaintext.
> so how would a commercial system like, say CommuniGatePro, be managing
> it? i've a server up right now that enables CRAM-MD5 client access over
> TLS. and, AFAIK, the passwords are encrypted in their local stores ...
>
> now, i _do_ recognize that they're NOT using sasl and/or mysql, and that
> that may be the 'kicker' here.
>
> and/or, perhaps they are vulnerable to the hack you suggest?
I have never examined CommuniGatePro, but my previous statement is a
mathematical reality.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
