On 2005-09-22, at 1627, Erwin Hoffmann wrote:
At 18:12 22.09.2005 +0100, tonix (Antonio Nati) wrote:
At 17.34 22/09/2005, you wrote:
On Sep 22, 2005, at 1:42 AM, John Simpson wrote:

if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay.

If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.

I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.

i'm sure many of us know this already, but for the benefit of people who may not understand how CRAM authentication works, here's the deal:

the server sends a "cookie"- a string of text which contains a certain amount of pseudo-random text. many servers end up sending a timestamp, a process id, and/or a few bytes of random from /dev/random, /dev/urandom, or some other source of random.

the client takes that cookie, adds the password to the end of it, computes a hash of the result, and sends that hash back to the server.

the server takes the same cookie, adds the real password to the end of it, computes a hash of that result, and compares it to the hash sent by the client. if the hashes match, then obviously the client knows what the real password is, so it's okay to let them in. otherwise, the client doesn't have the right password and should not be allowed in.

the idea with CRAM is for the client to prove that it knows what the correct password is, without ever actually sending the password over the wire.

if you already have a list of plain-text passwords on the server, CRAM is a very good idea. my only objection is to keeping a list of plain-text passwords on the server in the first place. it's not something i do, but for somebody who already has such a list it can be a good thing.

Greets from the hurricane free Germany.
--eh.

and i'm in orlando- four hurricanes in a row last year, but luckily none so bad as the two which have hit louisiana this year...

--------------------------------------------------
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <[EMAIL PROTECTED]> |
--------------------------------------------------
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
--------------------------------------------------
