Date:      Sat, 22 Jun 2002 01:17:52 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Chris Dillon <cdillon@wolves.k12.mo.us>
Cc:        Lamont Granquist <lamont@scriptkiddie.org>, Jason Andresen <jandrese@mitre.org>, "Brandon D. Valentine" <bandix@geekpunk.net>, Darren Pilgrim <dmp@pantherdragon.org>, Evan Dower <evantd@hotmail.com>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: Cyrus vs. UW IMAP (was: Re: I Volunteer)
Message-ID:  <3D1432B0.58F863B5@mindspring.com>
References:  <20020621235955.Y88554-100000@mail.wolves.k12.mo.us>

Chris Dillon wrote:
> > While I appreciate the positive support of Cyrus, I guess I need to
> > point out that this approach only works if you are willing to send
> > passwords over the wire in plaintext.
> 
> Yes, but this is the case with any IMAP server and doesn't really have
> anything to do with Cyrus in particular.  Unlike other IMAP servers,
> however, Cyrus supports SASL which offers plenty of non-plain-text
> authentication options, unfortunately none of which work with a local
> FreeBSD password database that I know of.  There is always the option
> to use SSL, which is my preference, but unfortunately neither SSL nor
> SASL have widespread IMAP client support yet.

SASL requires a shared secret, not a crypt(3) hash of a shared
secret.  That's why the passwords have to be stored plaintext
on the mail server, and why, if you use the UNIX password database
as the account database for Cyrus, you must pass the passwords
over the wire in plaintext.

Personally, I think SASL should have specified that you crypt(3)
the passwords, and then use the resulting hash as the password
value for the shared secret on both ends.  At least that way,
you would not have to pass cleartext to use the UNIX account
database.

This is a client problem.  Or you could assign passwords to the
client, so that the user sees the hashed value as their mail
password, and the unhashed value as their shell account password.
But in actuality, the issue is still a client issue (because
clients don't hash shared secrets before using them in SASL
exchanges).

Pretty obvious, really.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D1432B0.58F863B5>
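The exchange Terry is describing, as an added example that is not part of the original thread or of Cyrus/SASL code: a CRAM-MD5-style challenge/response (the shared-secret SASL mechanism of the period) run on both sides, first with the server holding only a UNIX-style one-way hash, then with the hash string itself handed out as the "mail password" and used as the shared secret on both ends, as the message suggests. The crypt(3) stand-in (`crypt_like`, a salted SHA-256, not real crypt output), the user name, password, salt and challenge string are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread.  A CRAM-MD5-style exchange:
# the server sends a challenge, the client answers with
# HMAC-MD5(shared_secret, challenge), and the server recomputes the same
# HMAC from whatever secret it has stored.  If the server only holds a
# one-way hash of the password, it has nothing to key the HMAC with.


def crypt_like(password: str, salt: str) -> str:
    """Stand-in for crypt(3): a one-way, salted hash (constructed, not real crypt output)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"${salt}${digest}"


def make_challenge(host: str = "mail.example.org") -> bytes:
    """Server side: a fresh, unpredictable challenge in the usual <random@host> shape."""
    return f"<{secrets.token_hex(8)}@{host}>".encode()


def client_response(user: str, secret: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the shared secret over the server's challenge."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify(response: str, secrets_db: dict, challenge: bytes) -> bool:
    """Server side: recompute the HMAC from the stored secret and compare in constant time."""
    user, _, digest = response.partition(" ")
    stored = secrets_db.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_scenarios(challenge: bytes = b"<1234.1024700272@mail.example.org>") -> dict:
    """Run the three cases and return which ones the server accepts."""
    password = "hunter2"          # constructed user password
    salt = "ab"                   # constructed salt
    hashed = crypt_like(password, salt)
    unix_db = {"alice": hashed}   # the server stores only the one-way hash

    # Case 1: client keys the HMAC with the plaintext password, but the
    # server can only key its recomputation with the hash it stores.
    # The two keys differ, so the response is rejected: the server would
    # need the plaintext (or have it sent in the clear) to verify this.
    resp_plain = client_response("alice", password, challenge)
    plaintext_key_vs_hash_store = server_verify(resp_plain, unix_db, challenge)

    # Case 2: the hash string is given to the user as the mail password,
    # so both sides key the HMAC with the same value and nothing that
    # works as a password crosses the wire.
    resp_hash = client_response("alice", hashed, challenge)
    hash_key_vs_hash_store = server_verify(resp_hash, unix_db, challenge)

    # Case 3: a captured response replayed against a fresh challenge is
    # rejected, since the HMAC covers the challenge.
    replay_against_new_challenge = server_verify(resp_hash, unix_db, make_challenge())

    return {
        "plaintext_key_vs_hash_store": plaintext_key_vs_hash_store,
        "hash_key_vs_hash_store": hash_key_vs_hash_store,
        "replay_against_new_challenge": replay_against_new_challenge,
    }


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Case 2 is the trade-off any challenge/response scheme over a stored secret carries: the stored value is now the credential itself, so anyone who can read the server's secret database can authenticate as that user without learning the shell password. The salt also has to be known to the client, which is why the example hands out the full `$salt$digest` string rather than the digest alone.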