45181 2004-03-19 18:25 0000 dev-libs/cyrus-sasl: Add crypted password support for Auxprop SQL plugin 2005-11-08 08:28:26 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux CLOSED WONTFIX http://frost.ath.cx/software/cyrus-sasl-patches/ P2 enhancement --- 1 me@alessandrorossini.org net-mail@gentoo.org darren@shelbrook.com heretic@clanhk.org steeeeeveee@gmx.net winckler@campogeral.com.br me@alessandrorossini.org 2004-03-19 18:25:20 0000 Current Cyrus-SASL lacks of crypted password support for Auxprop SQL plugin, it only support clear password. This feature is useful when we want to make an authenticated SMTP server using an SQL server for the user accounts. My new ebuild include a patch for this feature. I've tested it with versions 2.1.17 and 2.1.18. More informations are available in the URL. Reproducible: Always Steps to Reproduce: Actual Results: Expected Results: me@alessandrorossini.org 2004-03-19 18:28:54 0000 Created an attachment (id=27667) My new ebuild and crypted password patch max@gentoo.org 2004-04-01 09:11:35 0000 Please post each file as text/plain individually as specified in the bug-posting howto. I haven't had a chance to look at this yet, but I have some questions first. This sounds like it will prevent APOP, CRAM-MD5 and DIGEST-MD5 mechanisms from working as those need access to the plaintext password. Is this true? Aside from this, the way I store encrypted passwords in the database is using mysql's ENCODE() function. This allows you two way encryption such that the password is stored encrypted in the database, but can be decoded when authenticating. To do this, add another field to your users table of type TEXT. To add a user, this field would be set as something like: INSERT INTO users (user_login, sasl_passwd) VALUES ('login', ENCODE('plaintext', 'secretsalt')) Or if you're using saslpasswd2 to manage your user passwords, add this to your /etc/sasl2/saslpasswd.conf: sql_insert: INSERT INTO users (user_login, sasl_passwd) VALUES ('%u', ENCODE('%v', 'secretsalt')) sql_update: UPDATE users SET sasl_passwd = ENCODE('%v', 'secretsalt') WHERE user_login = '%u' Then in all the services you'd configure the following in the .conf files: sql_select: SELECT DECODE(sasl_passwd, 'secretsalt') FROM users WHERE user_login = '%u' Where 'secretsalt' is something you come up with for encoding/decoding the password field and (obviously) keep a secret. This setup has the added benefit of allowing APOP, {CRAM,DIGEST}-MD5 mechanisms and no extra patches needed for the sasl package. langthang@gentoo.org 2004-07-18 22:12:52 0000 Since upstream do not want to add this patch themself, I am sure we don't want to support it either. Upstream ML discussion about this patch here: http://www.viperstrike.com/~lopaka/sysadmin/cyrus-sasl-mysql-encrypt/software-sources/patch langthang@gentoo.org 2004-08-01 14:14:10 0000 *** Bug 58622 has been marked as a duplicate of this bug. *** langthang@gentoo.org 2004-08-01 14:15:32 0000 *** Bug 51320 has been marked as a duplicate of this bug. *** langthang@gentoo.org 2004-11-17 10:15:13 0000 *** Bug 71567 has been marked as a duplicate of this bug. *** langthang@gentoo.org 2004-11-17 10:17:25 0000 the reference in comment #3 is wrong. This is the one: http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=5683 langthang@gentoo.org 2005-01-02 11:36:33 0000 *** Bug 76390 has been marked as a duplicate of this bug. *** ferdy@gentoo.org 2005-02-15 11:43:07 0000 Added in cyrus-sasl-2.1.20-r2. Just commited to CVS. Cheers, Ferdy klgalway@gmail.com 2005-10-27 14:34:57 0000 There is a spelling error in the ebuild: # Sypport for crypted passwords. Bug #45181 Secondly, if crypted password support is going to be added and seeing as there is already support for mysql, then I think that the http://frost.ath.cx/software/cyrus-sasl-patches/dist/2.1.19/cyrus-sasl-2.1.19-checkpw.c+sql.c.patch should be an option for building. I have tested that this works on my system with cyrus-sasl-2.1.21-r1.ebuild and mysql version 4.1.14 ferdy@gentoo.org 2005-11-06 03:48:00 0000 Typo fixed in 2.1.21-r1. As for the mysql patch, I'd rather not include more patches. This should *really* be pushed upstream. If they don't include them, normally we don't. Thanks, Ferdy klgalway@gmail.com 2005-11-08 08:00:02 0000 (In reply to comment #11) > Typo fixed in 2.1.21-r1. > > As for the mysql patch, I'd rather not include more patches. This should > *really* be pushed upstream. If they don't include them, normally we don't. > > Thanks, > Ferdy *shrug* I disagree as I feel that it would be helping to make things more secure seeing how sending passwords in cleartext is just stupid. klgalway@gmail.com 2005-11-08 08:28:26 0000 (In reply to comment #11) > Typo fixed in 2.1.21-r1. > > As for the mysql patch, I'd rather not include more patches. This should > *really* be pushed upstream. If they don't include them, normally we don't. > > Thanks, > Ferdy *shrug* I disagree as I feel that it would be helping to make things more secure seeing how sending passwords in cleartext is just stupid.(In reply to comment #12) > (In reply to comment #11) > > Typo fixed in 2.1.21-r1. > > > > As for the mysql patch, I'd rather not include more patches. This should > > *really* be pushed upstream. If they don't include them, normally we don't. > > > > Thanks, > > Ferdy > > *shrug* I disagree as I feel that it would be helping to make things more secure > seeing how sending passwords in cleartext is just stupid. After finding the ML discussion mentioned previously in this bug report, I withdraw my request and comment regarding security. I am in agreement with Ferdy that the cyrus-sasl maintainers should deal with this instead of us patching the code to death anymore than it already is. 27667 2004-03-19 18:28 0000 My new ebuild and crypted password patch cyrus-sasl-2.1.18.ebuild.tar.bz2 application/x-tbz QlpoOTFBWSZTWTSHWCoAC+z/hPzwAgB9///7/////v////8AAQAIYBCOB3Y+vOjdrvXvT223pmvS 1e8eAFtoV3MGgVbdaAAoAdDogkimiaaANCZqYhppqn6MphJ6nphJ5R6nqY1Gmj1DaTRpieTRBoIA gaTSmmmIxNG0hiNGIMIAA0yAGgAAyBFNo1SeCCemk00NGCGQNNAaAAAAAAASakgp6mQMJT1PSemJ pNqfqQDRkANNAA0GgaDQAHAA0BoGgAaaZAAaNMgA0ZMEBiAABIkEBNMgJpo0TTTJNHpTYqPU9JmU AM1NNGmINDEZNH0+Kbs9WHEZPcrNJADU0gFbSZWg2pSKCQ6yop5egu1VUxmIxCGUZAokBgFhCVVW hDrFHPIBZmcCqFFYwoqlFolFMWNVS3VKIsaWpVVCqWqiKFCSpYIgWZaMqiiwfj9XgLGUvkqY1ilp Igwjaw0WBtUKBCKigttqN1VcjLpctQtUV/w+ght+BXh5q2iGWOnd2YmCM8bL8M15en9pjnQuzMon te6QbZ+CCyYAX7RcjB6Bdyt5xAtSaG7Bu1RkXouWg6ShOvsWozlfFEzcm2Zim2yEDQwUL8UxSucj 2C2SxfgXS8tMuGYjLgeWhaosUxsenKq/oNNw4S1DfMjrxlxgmAK3xVsmKoKFqq5aGlDk7bVuxo8o 15VrwMdQ55Y0dFp0336nNYN+1fdldgY6V4y7PFpjGHZ4S5LWgSKGaYoBH7EwFAtJrGIkRQSLpqoC isqr+rdKsMGKTsRqJOyhDG1Bq+GXHUIt4L98acznsXvhrjs4V18KRy6Y5lrp3Ze6g0GWOqEnQmnW sAyvelzAXnEcNvLTU6CYaMSjux1Qa3lhnPol6zcgfIzz1EsoBDLa3zyJ9trDYZbqK9PVDRWGKdvF EeuP0m1mWPdq+ImR5ApvN3ZiWDNguyVL+DJFRyBTOuzW3A7cCPzdaLD7ttAUjOh03ILZs3PPdtqV gn3zjyY3s/pGRs2qDnSyi9j2cGyVxg+VetvyLntZ2LaqWqrNwbNHJd2bsJNOVSoj2eTp2drXo7c6 YPynrF6qYn0n7Bto4LzzWP4NGHurBtBl5u3by71TswKW61AuZtaE1/c4ol42TWrM9ERsNXCzLxQn fffJZKt61mxqqEvb67dXhcR3AdnrypQsMIc9Nk6BMbiXl0sJqbFsw3lIyo/tG3Qbu75nmxuT9oQ3 roTYtlkGuN2ZgA9bYRQMujGLgXjVlC3hzRqPMuAqpR6cSIuuYzfX0K5yCDxr4aMDy8EOajYLSVZ2 VPYywsMLTYcW6RlR0u6Sk4PcDCni2RfZNl5xBigsBRdevcO7oM/ej2tHGbMPMeCdJpiX7RP9UjsU ZYPi3jEyNMxLSZ6cfhNNQWpJ+qSJSt3OrkG49/SHonHUCoiE+fw8xqul4oLGJE8jGf8lJLvNjJ1g BTQy5CefJC6QzsE75UWd46/CS971j8vCEk/ftCRw4DhT+RSgM8aEiLSZNDGSNPGVToK33Fklgbay +28o3scx+EJqUjPYsWSuqS6ae/FmfJTl235h5EJO6lxAuZDmZDoCQDoGIohDCWWx6GUscqrd7qxT cbrSRew+J8SjxsKFRt4jL5tbHBzq6erlqY4VNRCXOG69CwMbrDBscLRKiJLTl5zXSVNABAbdPGeg /dGRjBwmAhQ0vi2H20sYIjJ1qxR33etVcakA3hGVkqcfjmcjutc4Mmo9Y6y7kA4Etmd3yQdsMUG+ 2p97TuGOX0T3Z7B8zPhxle/ibMLb1cjG3HN5Ls/RjgCMu+QktZv+HkQz4QobBg20eEjQ++bPV2Gl Plw1FDxo5nGem4LIPv/ZmH4SoY177a6oMeYoxsVI6UyyaIKIEIgDKRpCwWPmIblGCrDVzt84uODB fOl5nLNZT6C0F0QNWlBfvg/4+eqqrxjGHOsLpODKq8IAAXVC2/3PkKETaVaNQrG84Y1tWGk6DPFU 6RRgy941BQMIVt5Sg6CLK+H8VJS6o8JBWCH9T7B7vfkBR0KosLwm8s8JdUTzMrah8YmORykQzf1U /pDnkXvbXUbom1iu5DSEMaP+WYM4zay5iJXaDJgqSuuaWJdGcoTNxMbFqtjv07hDpoawRqU6t+44 6ypWV2GSykBOBJp8mKlKMXKyjAJq8y8oMTGLG3mV2sfk7mtlZOjTTv2dAJeY0c1MwJGZW8u1Tfpo rudo4ZYpiJbsTyvNDUJr7z3qpHZmyUnFqthfffnPFyz0hGDCKKoH2U0TA0r7MJvf718vYxJ5smJq NNZI3f8TMJw50xnDtOLK21sHBDp9aJ7Zs33UEVkehDAf8jjSlBvjTUF30QkCCmEiIQZBLHIlLN6v n3L5KCISRge0hkSXfBxghDnrwBWITa/cvbnBr8xwlQ4WlxFC8CoYOqSmjvLRXSzA/6xOA9MT9NMA tBhtfFWXF1Fc1YBdgcw9HlaTuyA67zcAWKpslKBr7csEjfWDxe8N2xJdb7AMf4FldYFMMtH3dxzQ U0h/+mQpXHOkul97MPN07Q7wKV4r+fjIm228+8WrZEJBQ+J1cBKXBa2+n3G7Sc1Wcpk7Rj8K/7ML sjmbkF4zxMOFEzwSXMSodnreeOoSwCS/k7wyayaINli7eo0RNmxS66WJLjacdprXXwsANQajSYKS u+40Az5ecW8+tvjWhStxraQSQeWc8NS3tILO2UhLiJT+7wDkYfw8SIhDOqN4RrSwTTnHPabOSLza WIi0S6Z8nPUMVLN8CUI6+K4JViDBVJATss8FoADh2OsiQeeKMR0d0Kna9wsB69UsUFIiCPwV8luP jgMOog2hnkJfWRykqIGdUMgrx41Pm3+SPwIOIahTZAt3gumAzOcx2DBKSAU+TmSFUFGczRYffEUu p4Zv2hkkZrT8pLCWsxoaIvY26mnvPHYNpmst1n9ASRQkH1LVtC3VcyX51Qgpp/9mkrUkjNKVwE/y 1F825X5HMaZZX7MMlalsYRko76Bh1LcqHKZ8NSQlYCRXWCNZJEAwcbprbQpkTKUupxNmGgk47DMY 8CfwTOmCIG7Rg/lE9VVM+tPacMUQ6GLY3BAs4wVT8dVwPBI/VcX2wjF7CWAsIbjp4OBY4Qo4uyIc DGDkBDkyYhrDQOqqwJ9dIGeGciL4RjOoc5Y2tvaFzCamIwL5RvTdDSUb5mw8LOb1dvMYuP5QnFtW ad8bMUuhO/q1aGv1XANZEokGZkgIXbpAVIiZkkboMktGWx3JlKS8TA/PxOdSfB39BzKonxkSeDgm QsGE5nMTZKx1qKYzrHVBUP8TppgTE+BwCD0Q/vHBced3/a2mx78TGy08S54qUxly15KKLA8vZYGr gyFehthbuS4kRBSwl+bxkjkeh2IhGsss5c8Wy5v0eE7IKvrOGpJO9lYGgREEjpzd0GO17phZEKIk Ss1CXxYuJSxGQxQXH3QWLfCMOB6z6g1fVPswEotPtWoFsk/5uUwctrgtzRTsNZmdRqN3AaYSJc7u tVmHBe5QQikcCWetZFtgeiO1TOPsuf4iXuZfLpkFu03P3vkZq7cPhjtbs6ppqVVG7vFd2LnMiaBD 8HehpKzZCWTgGeQiPVWAmLqklFRS2m8MwNRkuQ0IsjKFIfyYlcHE0vVQoATPl+uEarcGA0iUCbCh SEGPl0INpCcBCmw2e6xszv2QZB2oRG36SsxNr0HKV1x7Diln3E7APPxEV2tBANKScOQ3gxBmXBOy hNQ5JUB8Sw5trbN92Y4dbc/SOQX9rqyByu2Hby54ZBnqcM7jyHAtLRSsquHRuBkAxgbzktCRIGtd D9R7+GYme0tJeluRxngGFDL14XLhr7H6lUhqUWTWla+VgdkytrVRoWmq12CuYaWi9LPcAWE/yK6p tZwzVjbCzZAxsKtS22E50C22jDn3exWMmtLtVPiDGgKjMcCr5VQlzCMU2neGHqoJYar5s17s4sFd 0CrbEyNFAXk9h9ZWhm8rwaLDu1olLYjbzy2N6TvLmW56F5qsyQE5pXtJvBNJI1mlzoi28rc5uV0S lEMjw1WWdxlkGAIhFYj6akXq1icfylYPONp3TNoFgsbi+10RuBWfkQmcJQW1TRcO3aDRJTL33V6+ EwiyaJAOw9gr6TKr8cKQWF6Hg1OW+AvRM+9lgwmAKgOwiIiskbJ1C4qUKwMhQMQ0DUO6SJHYRd7B u0+y+3DgsGj1g5y1zS6IZReshN3/OUChPz8Lbjx4+uduR7+5G9LEHAAtV0FqmQgLSjmAHQziQOl2 KOgkqdpZKaEVzFavtgWoNDrOGzAeY/r+FnJ2OL9Pp6wPlj8rPVZAxlyQndmWcOo75GPi1qUkxjNp CFQJLXJBb4AwjpjnTCWsK7HiZ5HzEyE6PerYbWb06+PnhmOtwkmdyv2QN9GJuG7uXdwNeVzhfvDn 0wjNQyW3G1qUVKXJtSlSBtqcic2pQ88SFKqxGioWiSsq1UJQuzacTFHUdKC6zqPJpg6gmQn68sjU cXv50pnSJDtkhEKYmTDln6tq3YUACxXMBiouKuSNQjNC2qxdBhdorN2eBXqqHSMssa9lhEfiKEq6 iUswwaxQazVQ3LFl0duNMWgRuB6luOIwYzkMp2pfReREAufO1EMcWBMaGVcMWxktEtxMgTDbAQkX FjFJlp2F1UVtyi44mTaoAmwTaSKZ99nE1jn1wOZGCPAluPivPELcamvY6AIaxBmCoY8UqS03Bd6M wp/z1aFD+PIRVcBE2JLOXoTGo8+ZmM7lYQZrykFEJqmxXC4vmjDEB6YwI1ZSqLQio8067w8U1Lag yCCQk4guhqc5moqDoEYY6qul1t0ra3QFQZQgzmj2sokTRe0lBXVSwuxWSJpXXMsYKISVghu0kqzr Ik1bYSzGrTIgtEzxxC+nt9rkjdcQkjVhrUrhZ5Z+Z5mpS92hekblDSSKM2KzZcaywDiC1RPuNOZA L9gVkRVl+DMJTfRbO4iCtE5bANaiBQ0JfmkF8kcuYg3CBjQYKffYrEfQz2b8sAq0cREVMWQqDJyx Q386VJiSniHcvoraH9rXiJLnAD7solB6sewQsY7UKnw2oJpVE+7QBZ8B2oQd8GQwt7y+XRbvRk2a XH9Ik6bZpgo1AgSTdW5p6ggDRMnCUrMltTCQf+LuSKcKEgaQ6wVA