* Jared Seipel <[EMAIL PROTECTED]> [2004-02-27 18:46]:
> Anyway, this did the trick, beside the fact that the CRAM-MD5
> authenticates against the clear text password and the particular client
> that is asking for this has requested clear passwords disabled.  Oh Well.

This is a technical problem. You cannot have CRAM-MD5 without clear
passwords. Impossible. Tell your customer to read the specs.


In CRAM-MD5 the server sends the client a token for authentication. Both

HMAC = MD5 (( password XOR opad ), MD5 (( password XOR ipad ), token))

and compare the results. How should the server calculate the HMAC
without knowing the password?


> Thanks a lot for the help!

You are welcome.

Alex Pleiner
zeitform Internet Dienste         Fraunhoferstrasse 5
                                  64283 Darmstadt, Germany
http://www.zeitform.de            Tel.: +49 (0)6151 155-635
mailto:[EMAIL PROTECTED]        Fax:  +49 (0)6151 155-634
GnuPG/PGP Key-ID: 0x613C21EA

Reply via email to