Date:      Sat, 22 Jun 2002 15:42:37 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: Cyrus vs. UW IMAP (was: Re: I Volunteer)
Message-ID:  <3D14FD5D.3BBA407@mindspring.com>
References:  <200206221729.g5MHTeJZ082215@orthanc.ab.ca>

Lyndon Nerenberg wrote:
>     Terry> Personally, I think SASL should have specified that you
>     Terry> crypt(3) the passwords, and then use the resulting hash as
>     Terry> the password value for the shared secret on both ends.  At
>     Terry> least that way, you would not have to pass cleartext to use
>     Terry> the UNIX account database.
> 
> The problem with this is that if you serve up your password database via
> NIS an attacker can grab the crypt()ed password and use it to perform a
> forged authentication.

I understand this.  Which is why you don't use NIS, or at least
do not make it externally accessible.  The exchange would have to
include the salt, anyway, or the client couldn't crypt the value
to the correct hash.

The point is really to allow all the SASL methods to be used by a
client, when all the server has is a UNIX password database.

Even you've got to admit that storing crypted passwords on the
server is better than permitting unprivileged applications access
to the plaintext passwords.  8-).


> Note that in the next revision of the IMAP4 spec STARTTLS will
> be mandatory to implement.

Yeah, this is incredibly bogus.  The proper way of handling this
is SSL.  It's very easy to man-in-the-middle a session that
starts out unencrypted when a STARTTLS goes by for SMTP; it is
just as easy for anything else that uses that rather bogus method.
8-(.

-- Terry
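The exchange the two of them are arguing about, as an added example that is not part of the original mail: the server keeps only a salted hash (a SHA-256 stand-in for crypt(3), constructed here so the script runs anywhere), sends the salt and a nonce as Terry says it must, and verifies an HMAC keyed with the stored hash. The last function is the check Lyndon's objection calls for: anyone holding the stored hash can produce a valid response without ever knowing the password, so the hash is password-equivalent and must be protected like one.

```python
import hashlib
import hmac
import secrets

HASH_PREFIX = "$demo$"  # marks the constructed stand-in format, not a real crypt(3) scheme


def unix_style_hash(password: str, salt: str) -> str:
    """Stand-in for crypt(3): a salted, one-way hash as stored in an account database.
    Assumption for this example only; real crypt(3) uses a different algorithm, but the
    property under discussion (salted and irreversible) is the same."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{HASH_PREFIX}{salt}${digest}"


def salt_of(stored_hash: str) -> str:
    """Recover the salt from a stored hash; the client needs it to reproduce the hash."""
    return stored_hash[len(HASH_PREFIX):].split("$", 1)[0]


def server_challenge(stored_hash: str) -> tuple[str, str]:
    """Server side: send the salt (so the client can crypt the password) plus a fresh nonce."""
    return salt_of(stored_hash), secrets.token_hex(16)


def _response(shared_secret: str, nonce: str) -> str:
    return hmac.new(shared_secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def client_response(password: str, salt: str, nonce: str) -> str:
    """Client side: hash the password with the server-supplied salt, then answer the nonce.
    The cleartext password never leaves the client."""
    return _response(unix_style_hash(password, salt), nonce)


def response_from_hash(stored_hash: str, nonce: str) -> str:
    """The property Lyndon points out: the stored hash alone yields a valid response,
    so a leaked hash (e.g. via a world-readable NIS map) is as good as the password."""
    return _response(stored_hash, nonce)


def server_verify(stored_hash: str, nonce: str, response: str) -> bool:
    """Server side: recompute from the stored hash and compare in constant time."""
    return hmac.compare_digest(_response(stored_hash, nonce), response)


if __name__ == "__main__":
    stored = unix_style_hash("correct horse battery", "Ab")  # constructed account entry
    salt, nonce = server_challenge(stored)
    print("password holder accepted:", server_verify(stored, nonce, client_response("correct horse battery", salt, nonce)))
    print("wrong password rejected: ", not server_verify(stored, nonce, client_response("wrong", salt, nonce)))
    print("hash holder accepted too: ", server_verify(stored, nonce, response_from_hash(stored, nonce)))
```

The third line of output is the whole disagreement in one boolean: the scheme removes cleartext from the wire, but it turns the hash database into a credential store, which is why Terry's reply is to keep NIS off the network rather than to dispute the point.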

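Terry's STARTTLS objection, as an added example that is not from the original mail: an IMAP client decides whether to send credentials based solely on the capability list the server greeting advertises. The two greetings are constructed; the second is what a client sees if an intermediary has removed STARTTLS (and LOGINDISABLED) from the list. An opportunistic client quietly logs in over cleartext, which is the downgrade he describes; a client that requires TLS aborts instead, and implicit TLS on a dedicated port (what he calls "SSL") sidesteps the negotiation altogether.

```python
import re

# Constructed IMAP greetings for this example (not captured from any real server).
GREETING_WITH_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN] ready"
GREETING_STRIPPED = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]+)\]")


def parse_capabilities(greeting: str) -> set[str]:
    """Extract the capability tokens from an IMAP greeting or CAPABILITY response."""
    m = _CAP_RE.search(greeting)
    return set(m.group(1).upper().split()) if m else set()


def negotiate(greeting: str, require_tls: bool) -> str:
    """Decide what the client does before any credential leaves the machine.

    Returns one of:
      "starttls"        - upgrade the connection, then authenticate
      "abort"           - TLS required but not offered; send nothing
      "cleartext-login" - opportunistic fallback that a stripping intermediary relies on
    """
    caps = parse_capabilities(greeting)
    if "STARTTLS" in caps:
        return "starttls"
    if "LOGINDISABLED" in caps or require_tls:
        return "abort"
    return "cleartext-login"


def audit_greeting(greeting: str) -> list[str]:
    """Defender-side check: flag a greeting that offers plaintext credentials without TLS."""
    caps = parse_capabilities(greeting)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS advertised")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN permitted before TLS")
    if any(c.startswith("AUTH=PLAIN") for c in caps) and "STARTTLS" not in caps:
        findings.append("AUTH=PLAIN offered on a cleartext connection")
    return findings


if __name__ == "__main__":
    for name, greeting in (("genuine", GREETING_WITH_TLS), ("stripped", GREETING_STRIPPED)):
        print(name, "opportunistic ->", negotiate(greeting, require_tls=False))
        print(name, "required      ->", negotiate(greeting, require_tls=True))
        print(name, "audit         ->", audit_greeting(greeting) or ["ok"])
```

The point of the comparison is that the server's own LOGINDISABLED is no protection: it travels in the same cleartext capability list that gets rewritten, so only client-side policy (require TLS, or connect with implicit TLS) closes the gap.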