From: Terry Lambert
Date: Sat, 22 Jun 2002 15:42:37 -0700
To: Lyndon Nerenberg
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Cyrus vs. UW IMAP (was: Re: I Volunteer)

Lyndon Nerenberg wrote:
> Terry> Personally, I think SASL should have specified that you
> Terry> crypt(3) the passwords, and then use the resulting hash as
> Terry> the password value for the shared secret on both ends. At
> Terry> least that way, you would not have to pass cleartext to use
> Terry> the UNIX account database.
>
> The problem with this is that if you serve up your password database via
> NIS an attacker can grab the crypt()ed password and use it to perform a
> forged authentication.

I understand this. Which is why you don't use NIS, or at least do not
make it externally accessible.

The exchange would have to include the salt, anyway, or the client
couldn't crypt the value to the correct hash.

The point is really to allow all the SASL methods to be used by a
client, when all the server has is a UNIX password database.
Even you've got to admit that storing crypted passwords on the server
is better than permitting unprivileged applications access to the
plaintext passwords. 8-).

> Note that in the next revision of the IMAP4 spec STARTTLS will
> be mandatory to implement.

Yeah, this is incredibly bogus. The proper way of handling this is
SSL. It's very easy to man-in-the-middle a session that starts out
unencrypted when a STARTTLS goes by for SMTP; it is just as easy for
anything else that uses that rather bogus method. 8-(.

-- Terry
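The scheme the two posters are arguing about, modelled as an added example that is not part of the original thread or of any SASL implementation: the server keeps only a salted hash, the salt travels in the challenge (as Terry notes it must), the client derives the same hash from the password and uses it as the shared secret for a challenge-response, and a final check shows why Lyndon objects: the stored verifier is itself the secret, so it has to be protected like a password. The `crypt_like` function is a constructed stand-in for crypt(3) (SHA-256 over salt and password, not the real DES/MD5 crypt), and the `alice` account is a constructed sample entry.

```python
import hashlib
import hmac
import os

# Stand-in for crypt(3) (constructed assumption, not the real algorithm).
# The only property the exchange relies on: both sides can derive the same
# value from (salt, password), and the server stores nothing else.
def crypt_like(password: str, salt: str) -> str:
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + "$" + digest

# Server side: the "UNIX password database" holds salt + hash only.
# Constructed sample account.
PASSWD_DB = {
    "alice": crypt_like("correct horse", "ab"),
}

def server_challenge(user: str) -> tuple[str, str]:
    """The challenge must carry the salt, or the client cannot reproduce
    the stored hash. A fresh nonce keeps each response single-use."""
    entry = PASSWD_DB[user]
    salt = entry.split("$", 1)[0]
    nonce = os.urandom(16).hex()
    return salt, nonce

def client_response(password: str, salt: str, nonce: str) -> str:
    """Client proves knowledge of the hash without sending the password."""
    secret = crypt_like(password, salt)
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()

def server_verify(user: str, nonce: str, response: str) -> bool:
    """Server recomputes the HMAC from its stored hash; no cleartext needed."""
    secret = PASSWD_DB[user]
    expected = hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def run_exchange(user: str, password: str) -> bool:
    """Full round trip: challenge -> response -> verify."""
    salt, nonce = server_challenge(user)
    return server_verify(user, nonce, client_response(password, salt, nonce))

def verifier_is_password_equivalent(user: str, password: str) -> bool:
    """Lyndon's objection, made concrete: the response computed from the
    stored database entry alone is byte-for-byte the one a client computes
    from the password, so the entry must never be readable by untrusted
    parties (e.g. served over NIS). Returns True when that holds."""
    salt, nonce = server_challenge(user)
    from_password = client_response(password, salt, nonce)
    from_stored = hmac.new(PASSWD_DB[user].encode(), nonce.encode(),
                           hashlib.sha256).hexdigest()
    return from_password == from_stored
```

The defensive takeaway matches Terry's own mitigation: the design removes cleartext from the wire and from the server, but it turns the hash database into a secret store, so anything that exposes it (NIS, world-readable files) must be closed off.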