On Fri, 10 Dec 2004 19:28:32 +0000, Pedro Pais <[EMAIL PROTECTED]> wrote:
> On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins <[EMAIL PROTECTED]> wrote:
> > On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
> > >> Also, I'm fairly certain that CRAM-MD5 requires that you have
> > >> clear-text
> > >> passwords enabled. I still need to look at my pop and smtp servers
> > >> to see
> > >> how I can make them not advertise something that's not available on my
> > >> system...
> > >
> > > Really? That doesn't sound too secure, or even ethical.
> > CRAM-MD5 is more secure because someone sniffing the network can't
> > derive the sender's password. With all other SMTP AUTH methods, you
> > can easily decode sniffed packets to get the email address and
> > password. The only way for CRAM-MD5 to work is for the server to know
> > the user's cleartext password.
> > Granted, you need to make sure the cleartext password is stored
> > securely...
> But why isn't the password stored in the passwd/mysql using CRAM-MD5
> format? That way you could always check it. It wouldn't matter if the
> client authenticated using plain or using CRAM-MD5. You could even
> double cypher the password using mysql PASSWORD().
> a) Client authenticates using plain username/password. Create CRAM-MD5
> from those tokens and check with the password stored.
> b) Client authenticates using CRAM-MD5 username/password. Directly
> compare with the stored password.
> Am I missing something important in here?
Maybe I'm over-simplifying things a bit, right? I'm skimming the RFC
and the process of creation of the CRAM-MD5 authentication token
doesn't seem to be very straightforward...
> > --
> > Tom Collins - [EMAIL PROTECTED]
> > QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
> > Info on the Sniffter hand-held Network Tester: http://sniffter.com/
> Pedro Pais
> Skype name: pedro.pais
> MSN: [EMAIL PROTECTED]
> Get Firefox!
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
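The token construction Pedro is skimming the RFC for, and the reason Tom gives for the server needing the cleartext password, both come out of RFC 2195 once you write down the two sides. The following is an added example for this thread, not code from vpopmail, QmailAdmin or anyone posting here. It runs both the client and the server in one process; the hostname and the password table are constructed, and the test vector (user "tim", password "tanstaaftanstaaf", the postoffice.reston.mci.net challenge) is the worked example from RFC 2195 itself.

```python
"""CRAM-MD5 (RFC 2195) from both sides, with the SMTP AUTH framing.

Added example for this mailing-list thread; not vpopmail code.
Hostname and password table are constructed; the RFC 2195 worked
example is used as a known-answer check.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Tuple


def make_challenge(hostname: str) -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC's
    '<random.timestamp@host>' shape. A new challenge per session is what
    keeps a response captured on the wire from being replayed later."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode("ascii")


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 over the challenge, keyed with the password,
    sent as 'username <32 lowercase hex digits>'. The password itself
    never goes on the wire."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(response: str, challenge: bytes, cleartext_db: Dict[str, str]) -> bool:
    """Server side. The only way to check the digest is to recompute the
    same keyed HMAC, so the server needs the password (or the HMAC's
    key-dependent intermediate state). A one-way hash of the password
    cannot be turned into the key, which is why 'store the CRAM-MD5
    format instead' does not work: the digest also depends on the
    per-session challenge, so there is no fixed value to store."""
    parts = response.split(" ")
    if len(parts) != 2:
        return False
    username, digest = parts
    password = cleartext_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so timing does not leak how many hex digits matched.
    return hmac.compare_digest(expected, digest)


def smtp_auth_cram_md5(username: str, password: str, cleartext_db: Dict[str, str],
                       hostname: str = "mail.example.invalid") -> Tuple[List[str], bool]:
    """Runs the whole SMTP AUTH CRAM-MD5 exchange in-process and returns
    the transcript (as it would appear on the wire, base64 and all) plus
    whether the server accepted the login. hostname is a constructed value."""
    challenge = make_challenge(hostname)
    response = cram_md5_response(username, password, challenge)
    transcript = [
        "C: AUTH CRAM-MD5",
        "S: 334 " + base64.b64encode(challenge).decode("ascii"),
        "C: " + base64.b64encode(response.encode("ascii")).decode("ascii"),
    ]
    ok = verify_response(response, challenge, cleartext_db)
    transcript.append("S: 235 Authentication successful" if ok
                      else "S: 535 Authentication failed")
    return transcript, ok


if __name__ == "__main__":
    # Known-answer check against the worked example in RFC 2195.
    rfc_challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    print(cram_md5_response("tim", "tanstaaftanstaaf", rfc_challenge))
    # Constructed password table standing in for vpopmail's cleartext store.
    users = {"tim": "tanstaaftanstaaf"}
    for line in smtp_auth_cram_md5("tim", "tanstaaftanstaaf", users)[0]:
        print(line)
```

Running it prints `tim b913a602c7eda7a495b4e6e7334d3890`, the digest the RFC gives, followed by a transcript whose challenge and response are different on every run. That per-session challenge is the whole point: with option (b) in Pedro's message there is no fixed "CRAM-MD5 format" value to compare against, and with option (a) the server can compute a digest from a PLAIN login only if it already has the cleartext, so nothing is gained. What a server can hold instead of the raw password is the pair of MD5 states after absorbing key XOR ipad and key XOR opad (Dovecot's CRAM-MD5 password scheme stores exactly that); it is still password-equivalent for this mechanism, so it has to be protected like cleartext, which is Tom's caveat about secure storage.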