On Sunday 14 September 2003 16:23, Oded Arbel wrote:
> As I understand, this is only required so that the authentication agent (be
it
> sasl, pam or whatever) can encode the password in MD5. is it possible to
> store the password on the server already encoded in MD5 ? that would be the
> best solution IMO.
Nope, the password is used as a common secret between the server and the
client and it used for signing in the challenge response stage of the
mechanisms, but CRAM-MD5 let you store a KEYED-MD5 inserted of the clear
text. Both systems involves a separate user/password DB, the MD5 hashes
stored in your MYSQL can't be used for it.
>From the MD5-DIGEST RFC:
"There are two important security consequences of this. First the
password file must be protected as if it contained plain text
passwords, because for the purpose of accessing documents in its
realm, it effectively does."
>From the CRAM-MD5 RFC:
" While the saving, on the server, of the MD5 "context" is marginally
better than saving the shared secrets in clear-text, it is not suf-
ficient to protect the secrets if the server itself is compromised."
For more info:
http://www.ietf.org/internet-drafts/draft-ietf-sasl-rfc2831bis-02.txt
http://www.ietf.org/internet-drafts/draft-ietf-sasl-crammd5-00.txt
http://www.openldap.org/doc/admin21/sasl.html#DIGEST-MD5
> Yes, but I want also to be able to support MD5 based auth for people who
> can't/won't use SSL/TLS.
With the wide support for SSL in almost all the major clients, it should not
be a problem, you can also use a web-mail solution with https to solve the
problem for people who can't configure the E-mail client.
Bye
Gal
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
