John Peacock wrote:
> There is an interesting hack in Dovecot that I was thinking of copying
> for Qpsmtpd: a password scheme definition that includes the local (to
> the server) encryption used. For example, {CRYPT}password would mean
> that the plaintext password passed in (while TLS was in force) would be
> crypt()'d and then compared with what is in the user database (ex.), see
>
> http://wiki.dovecot.org/Authentication
>
> for details.
>
> This allows the plaintext password to be passed from the client inside a
> TLS wrapper, and yet be encrypted on disk at all times. This is far
> more secure than any of the challenge methods, which require storing the
> plaintext password on the server...

Yes - I use Dovecot SASL on a couple of systems with back-end password
databases that contain encrypted password hashes created using dovecotpw.
I use Postfix -> Dovecot SASL -> Password-file on a mail relay host for
example. In its simplest form the password file looks something like:
james:{HMAC-MD5}6c431bcaeab7basdfgq4534tdfbvsdfgdaa2ba23357c7
But from memory you can also specify additional fields to be retrieved.
It's a good idea for a potential feature - though you do need to also
distribute some way for people to securely hash their passwords.
Regards
James Turnbull
--
James Turnbull <[EMAIL PROTECTED]>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
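For readers who want to see the scheme-prefix idea from the thread in working form, here is an added example (my own code, not Dovecot's, Qpsmtpd's, or either poster's): a verifier that parses `user:{SCHEME}value[:extra fields]` lines, re-hashes the plaintext presented by the client the same way the stored value was produced, and compares in constant time. It also covers the hashing side that James mentions needs to be distributed to users. Assumptions: the `{SHA256}` value is a hex digest, the `{SSHA256}` value is base64 of `sha256(password + salt) || salt` (this mirrors Dovecot's salted layout as I understand it, but treat the exact layout as an assumption), and the `{HMAC-MD5}` scheme from the example above stores a CRAM-MD5 context rather than a digest, so it is deliberately left unsupported and fails closed. The sample file and its users are constructed for the demonstration.

```python
"""Verify plaintext passwords against scheme-prefixed entries such as
user:{SHA256}<hex> or user:{SSHA256}<base64(digest + salt)>."""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Entry layout: '{SCHEME}value'. Scheme names are upper-case, digits and '-'.
ENTRY_RE = re.compile(r"^\{(?P<scheme>[A-Z0-9-]+)\}(?P<value>.*)$")
SHA256_LEN = 32  # bytes of digest that precede the salt in an SSHA256 value


def _sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _ssha256_b64(password: str, salt: bytes) -> str:
    # Assumed layout: base64(sha256(password || salt) || salt), salt appended in clear.
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def hash_password(password: str, scheme: str = "SSHA256",
                  salt: Optional[bytes] = None) -> str:
    """Produce a '{SCHEME}value' string for the password file (the 'dovecotpw' side)."""
    scheme = scheme.upper()
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    if scheme == "SHA256":
        return "{SHA256}" + _sha256_hex(password)
    if scheme == "SSHA256":
        salt = os.urandom(16) if salt is None else salt
        return "{SSHA256}" + _ssha256_b64(password, salt)
    raise ValueError("unsupported scheme: " + scheme)


def verify_password(stored: str, password: str) -> bool:
    """Re-hash the presented plaintext the way 'stored' was made, then compare in constant time."""
    m = ENTRY_RE.match(stored)
    if not m:
        return False  # no scheme prefix: refuse rather than guess the encoding
    scheme, value = m.group("scheme"), m.group("value")
    if scheme == "PLAIN":
        candidate = password
    elif scheme == "SHA256":
        candidate = _sha256_hex(password)
    elif scheme == "SSHA256":
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        if len(raw) <= SHA256_LEN:
            return False  # no salt present: malformed entry
        candidate = _ssha256_b64(password, raw[SHA256_LEN:])
    else:
        return False  # unknown scheme (e.g. HMAC-MD5 here): fail closed, never fall back to PLAIN
    return hmac.compare_digest(candidate.encode("utf-8"), value.encode("utf-8"))


def parse_passwd_file(text: str) -> Dict[str, str]:
    """Parse 'user:{SCHEME}value[:uid:gid:...]' lines; only the second field is the credential."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        # hex and base64 values never contain ':', so the credential ends at the next ':'
        # (a {PLAIN} password containing ':' would be ambiguous in this layout).
        users[user] = rest.split(":", 1)[0]
    return users


# Constructed sample file for the demonstration; not a real credential store.
SAMPLE_FILE = "\n".join([
    "# user:{SCHEME}value[:uid:gid:gecos:home:shell:extra]",
    "alice:" + hash_password("correct horse", "SSHA256", salt=b"\x01" * 16) + ":1000:1000::/home/alice::",
    "bob:" + hash_password("hunter2", "SHA256"),
    "carol:{PLAIN}letmein",
    "dave:{HMAC-MD5}6c431bcaeab7basdfgq4534tdfbvsdfgdaa2ba23357c7",
])


def authenticate(user: str, password: str, text: str = SAMPLE_FILE) -> bool:
    """Look the user up and verify; unknown users and unsupported schemes both fail."""
    stored = parse_passwd_file(text).get(user)
    return stored is not None and verify_password(stored, password)


if __name__ == "__main__":
    for u, p in [("alice", "correct horse"), ("alice", "wrong"), ("dave", "anything")]:
        print(u, p, authenticate(u, p))
```

Two points worth noting from the code: an unrecognised scheme is rejected outright rather than compared as plaintext, and the `{PLAIN}` branch is only there so you can see what the on-disk difference looks like; with a salted scheme, two users sharing a password get different stored values, and nothing recoverable to plaintext is ever written to disk.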
