MD5 Passwords in MySql?
In my /etc/imapd.conf I'm using:

sasl_auxprop_plugin:sql
sasl_sql_engine:mysql

I want to store MD5 hashed passwords in my database. Is this possible?

I was thinking about modifying the sql plugin to MD5 the password before comparison, but... I'm no C programmer so understanding sql.c (the plugin source) is quite beyond me. It looks as though we just check for the presence of the password and don't actually compare passwords! Surely I'm wrong here?

I could use a symmetric encryption, e.g. AES, and place the necessary decrypt in the sasl_sql_select statement, but that seems a bit pointless since the key is now visible in various logs.

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: MD5 Passwords in MySql?
On Sun, 2013-03-24 at 14:21 +, Charles Bradshaw wrote:
> In my /etc/imapd.conf I'm using:
> sasl_auxprop_plugin:sql
> sasl_sql_engine:mysql
> I want to store MD5 hashed passwords in my database. Is this possible?

I would *assume* that the database doesn't much care about the hashing/encoding of the password/secret - I'd *assume* it just stores and retrieves it. Concerns for the validity of the secret are up-the-stack, in SASL proper, and not in the storage plugin. I could be wrong; I've mostly dealt with storing credentials in LDAP.

> I was thinking about modifying the sql plugin to MD5 the password before comparison, but...

That seems wrong to me. Can't you just tell SASL via configuration that you want to use MD5?

> I'm no C programmer so understanding sql.c (the plugin source) is quite beyond me. It looks as though we just check for the presence of the password and don't actually compare passwords! Surely I'm wrong here?

That is what I would *assume* it does. And correctly.

> I could use a symmetric encryption, e.g. AES, and place the necessary decrypt in the sasl_sql_select statement, but that seems a bit pointless since the key is now visible in various logs.

That seems very wrong to me. I wonder why you care how credentials are stored; is SASL authentication not working?
Re: MD5 Passwords in MySql?
Adam Gently...

This question has been asked before, but remains unanswered. I am using sendmail and cyrus-imapd, not Postfix or LDAP, for which the MD5 password in mysql problem appears to have been solved.

On Sun, 2013-03-24 at 14:12 -0400, Adam Tauno Williams wrote:
> On Sun, 2013-03-24 at 14:21 +, Charles Bradshaw wrote:
>> In my /etc/imapd.conf I'm using:
>> sasl_auxprop_plugin:sql
>> sasl_sql_engine:mysql
>> I want to store MD5 hashed passwords in my database. Is this possible?
>
> I would *assume* that the database doesn't much care about the hashing/encoding of the password/secret - I'd *assume* it just stores and retrieves it.

The database might not care, but something does. The question is what? Or even how to configure cyrus to use MD5 hashed passwords with the sql plugin. Because I'm dealing with virtual domains, passwords are stored ONLY in the database. My users have no accounts or passwords stored elsewhere.

> Concerns for the validity of the secret are up-the-stack, in SASL proper, and not in the storage plugin.

OK, specifically, where up the stack is the password checked?

> I could be wrong; I've mostly dealt with storing credentials in LDAP.

LDAP is a whole other can of worms and not appropriate to my circumstances.

>> I was thinking about modifying the sql plugin to MD5 the password before comparison, but...
>
> That seems wrong to me. Can't you just tell SASL via configuration that you want to use MD5?

Obviously I can't! I wouldn't have asked the question otherwise. Answering a question with the same question is absurd.

>> I'm no C programmer so understanding sql.c (the plugin source) is quite beyond me. It looks as though we just check for the presence of the password and don't actually compare passwords! Surely I'm wrong here?
>
> That is what I would *assume* it does. And correctly.

So where is the password compared?

>> I could use a symmetric encryption, e.g. AES, and place the necessary decrypt in the sasl_sql_select statement, but that seems a bit pointless since the key is now visible in various logs.
>
> That seems very wrong to me.

It might be a kludge, but it's not wrong. It avoids storing plain text passwords, which are always a risk. The purpose of an MD5 digest is to make passwords truly private to the user. Not even root knows users' passwords when stored in shadow (MD5). The only risk to shadow passwords is a brute force attack, which is relatively easy to detect and foil.

> I wonder why you care how credentials are stored; is SASL authentication not working?

No, I have authentication working fine. I care because mysql is the mechanism I prefer.
Re: MD5 Passwords in MySql?
On 25/03/2013, at 7:33, Charles Bradshaw b...@bradcan.homelinux.com wrote:
>> That seems very wrong to me.
>
> It might be a kludge, but it's not wrong. It avoids storing plain text passwords, which are always a risk. The purpose of an MD5 digest is to make passwords truly private to the user. Not even root knows users' passwords when stored in shadow (MD5). The only risk to shadow passwords is a brute force attack, which is relatively easy to detect and foil.

FYI a single round of MD5 is considered quite weak these days. The whole point of hashing a password is to make it difficult to find a password if the password DB is leaked. MD5 is no longer sufficient for this (even with salt). A modern GPU can brute force billions of passwords per second and humans suck at generating them.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
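As an added illustration (not code from this thread or from Cyrus SASL), the following shows the comparison step Charles asks about and the cost difference Daniel points to: a verifier that recognises a scheme tag on the stored secret, with the unsalted MD5 form beside a salted, iterated PBKDF2 form. The `{SCHEME}` tagging, the function names and the iteration count are this example's own assumptions, not Cyrus's storage format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed, tag-prefixed secret format for this illustration ("{SCHEME}payload").
# It is NOT Cyrus SASL's storage format; it only shows that whichever layer does
# the comparison must know the scheme, which a fetch-only storage plugin does not.
PBKDF2_ITERATIONS = 600_000  # cost parameter; raise as hardware gets faster


def make_md5_secret(password: str) -> str:
    """Unsalted single-round MD5, the 'before' form from the thread: one fast
    hash per guess, so a leaked table is cheap to attack."""
    return "{MD5}" + hashlib.md5(password.encode()).hexdigest()


def make_pbkdf2_secret(password: str, salt: Optional[bytes] = None,
                       iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: each guess costs `iterations` HMACs,
    and the per-user salt defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{PBKDF2-SHA256}%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_secret(stored: str, candidate: str) -> bool:
    """The comparison step the thread asks 'where is it?' about. Every branch uses
    hmac.compare_digest so the comparison time does not leak which bytes matched."""
    if stored.startswith("{MD5}"):
        actual = hashlib.md5(candidate.encode()).hexdigest()
        return hmac.compare_digest(stored[len("{MD5}"):], actual)
    if stored.startswith("{PBKDF2-SHA256}"):
        iters, salt_b64, dk_b64 = stored[len("{PBKDF2-SHA256}"):].split("$")
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(base64.b64decode(dk_b64), actual)
    # No tag: a plaintext secret, the only form a shared-secret mechanism
    # (CRAM-MD5/DIGEST-MD5) or a plain byte-for-byte check can work from.
    return hmac.compare_digest(stored.encode(), candidate.encode())
```

Only the tagged-PBKDF2 branch gives a leaked table any real protection; the MD5 branch is kept solely to show that a verifier can accept it, not that it should.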