Date: Sat, 22 Jun 2002 01:17:52 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Chris Dillon <cdillon@wolves.k12.mo.us>
Cc: Lamont Granquist <lamont@scriptkiddie.org>, Jason Andresen <jandrese@mitre.org>, "Brandon D. Valentine" <bandix@geekpunk.net>, Darren Pilgrim <dmp@pantherdragon.org>, Evan Dower <evantd@hotmail.com>, freebsd-hackers@FreeBSD.ORG
Subject: Re: Cyrus vs. UW IMAP (was: Re: I Volunteer)
Message-ID: <3D1432B0.58F863B5@mindspring.com>
References: <20020621235955.Y88554-100000@mail.wolves.k12.mo.us>
Chris Dillon wrote:
> > While I appreciate the positive support of Cyrus, I guess I need to
> > point out that this approach only works if you are willing to send
> > passwords over the wire in plaintext.
>
> Yes, but this is the case with any IMAP server and doesn't really have
> anything to do with Cyrus in particular. Unlike other IMAP servers,
> however, Cyrus supports SASL which offers plenty of non-plain-text
> authentication options, unfortunately none of which work with a local
> FreeBSD password database that I know of. There is always the option
> to use SSL, which is my preference, but unfortunately neither SSL nor
> SASL have widespread IMAP client support yet.

SASL requires a shared secret, not a crypt(3) hash of a shared secret.

That's why the passwords have to be stored plaintext on the mail server, and why, if you use the UNIX password database as the account database for Cyrus, you must pass the passwords over the wire in plaintext.

Personally, I think SASL should have specified that you crypt(3) the passwords, and then use the resulting hash as the password value for the shared secret on both ends. At least that way, you would not have to pass cleartext to use the UNIX account database.

This is a client problem.

Or you could assign passwords to the client, so that the user sees the hashed value as their mail password, and the unhashed value as their shell account password. But in actuality, the issue is still a client issue (because clients don't hash shared secrets before using them in SASL exchanges).

Pretty obvious, really.

-- Terry
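As an added illustration of the shared-secret point in the message above (example code, not from the thread, from Cyrus or from FreeBSD): a CRAM-MD5 style challenge-response in which the server holds only a crypt(3)-style hash, showing that a client keying the HMAC with the plaintext password cannot be verified, while a client handed the hash as its mail password can. The `crypt3_stand_in` function, the `ACCOUNT_DB` table, the user `chris` and the `mail.example` host are all constructed assumptions; real crypt(3) output differs.

```python
import hashlib
import hmac
import secrets

def crypt3_stand_in(password: str, salt: str) -> str:
    # Assumption: a deterministic salted hash standing in for crypt(3);
    # only the "$salt$hash" shape matters for the point being made.
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"${salt}${digest}"

# Constructed account database in the shape of the UNIX password file:
# the server holds only the hash, never the plaintext password.
ACCOUNT_DB = {"chris": crypt3_stand_in("correct horse", "Ab")}

def make_challenge() -> bytes:
    # Server-generated CRAM-MD5 challenge (RFC 2195 uses a msg-id-like string).
    return f"<{secrets.token_hex(8)}@mail.example>".encode()

def client_response(username: str, shared_secret: str, challenge: bytes) -> str:
    # Client side of CRAM-MD5: HMAC-MD5 keyed with whatever the client treats as the password.
    mac = hmac.new(shared_secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"

def server_verify(response: str, challenge: bytes) -> bool:
    # Server side: it can only key HMAC with the value it stores (the hash),
    # so a client that keyed with the plaintext password can never match.
    username, _, mac = response.partition(" ")
    stored = ACCOUNT_DB.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)

def demo() -> tuple:
    # Returns (plaintext-keyed result, hash-keyed result).
    challenge = make_challenge()
    plain = server_verify(client_response("chris", "correct horse", challenge), challenge)
    # Terry's proposal: the user is given the crypt(3) output as the mail password,
    # so the client keys HMAC with the hash; the salt rides along inside the hash string.
    mail_password = crypt3_stand_in("correct horse", "Ab")
    hashed = server_verify(client_response("chris", mail_password, challenge), challenge)
    # Caveat: the stored hash is now password-equivalent for IMAP, so the password
    # file must be protected as if it held the mail passwords in clear.
    return plain, hashed

if __name__ == "__main__":
    print(demo())  # (False, True)
```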