Date: Sat, 22 Jun 2002 11:29:40 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Cyrus vs. UW IMAP (was: Re: I Volunteer)
Message-ID: <200206221729.g5MHTeJZ082215@orthanc.ab.ca>
In-Reply-To: Your message of "Sat, 22 Jun 2002 01:17:52 PDT." <3D1432B0.58F863B5@mindspring.com>

>>>>> "Terry" == Terry Lambert <tlambert2@mindspring.com> writes:

    Terry> Personally, I think SASL should have specified that you
    Terry> crypt(3) the passwords, and then use the resulting hash as
    Terry> the password value for the shared secret on both ends.  At
    Terry> least that way, you would not have to pass cleartext to use
    Terry> the UNIX account database.

The problem with this is that if you serve up your password database
via NIS an attacker can grab the crypt()ed password and use it to
perform a forged authentication.

Note that in the next revision of the IMAP4 spec STARTTLS will be
mandatory to implement.

--lyndon
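
Added example, not part of the original message: a small model of the point made in the reply. When the stored hash is itself the shared secret of a challenge-response mechanism, the verifier accepts a response computed from the database entry alone, whereas a login that re-hashes the submitted value does not. The salted SHA-256 stand-in for crypt(3), the HMAC-SHA-256 challenge-response, and all names and values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def stored_hash(password: str, salt: str) -> str:
    # Assumption: salted SHA-256 stands in for crypt(3); this string is
    # what the account database (e.g. a NIS passwd map) would hold.
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def response(secret: str, challenge: bytes) -> str:
    # Challenge-response: prove knowledge of the shared secret without sending it.
    return hmac.new(secret.encode(), challenge, hashlib.sha256).hexdigest()

def verify_shared_secret(db_entry: str, challenge: bytes, resp: str) -> bool:
    # Proposal in the quoted text: the stored hash IS the shared secret.
    return hmac.compare_digest(response(db_entry, challenge), resp)

def verify_rehash(db_entry: str, submitted: str) -> bool:
    # Traditional login: the server hashes whatever was submitted and compares.
    salt = db_entry.split("$", 1)[0]
    return hmac.compare_digest(stored_hash(submitted, salt), db_entry)

def demo() -> dict:
    salt, password = "ab", "correct horse"      # constructed sample values
    db_entry = stored_hash(password, salt)
    challenge = b"<1896.697170952@example>"     # constructed sample challenge
    return {
        # Legitimate client derives the secret from the password.
        "cr_with_password": verify_shared_secret(
            db_entry, challenge, response(stored_hash(password, salt), challenge)),
        # A party holding only the database entry produces the same response:
        # the hash has become password-equivalent.
        "cr_with_db_entry_only": verify_shared_secret(
            db_entry, challenge, response(db_entry, challenge)),
        # Re-hashing login: the password works, the database entry does not.
        "rehash_with_password": verify_rehash(db_entry, password),
        "rehash_with_db_entry_only": verify_rehash(db_entry, db_entry),
    }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```
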