Gentoo Full Text Bug Listing

Description:

Opened: 2004-03-19 18:25 0000

Current Cyrus-SASL lacks of crypted password support for Auxprop SQL plugin, it
only support clear password.
This feature is useful when we want to make an authenticated SMTP server using
an SQL server for the user accounts.
My new ebuild include a patch for this feature. I've tested it with versions
2.1.17 and 2.1.18.
More informations are available in the URL.

Reproducible: Always
Steps to Reproduce:

Actual Results:  


Expected Results:

------- Comment #2 From Max Kalika (RETIRED) 2004-04-01 09:11:35 0000 -------

Please post each file as text/plain individually as specified in the
bug-posting howto.  I haven't had a chance to look at this yet, but I have some
questions first.  This sounds like it will prevent APOP, CRAM-MD5 and
DIGEST-MD5 mechanisms from working as those need access to the plaintext
password.  Is this true?

Aside from this, the way I store encrypted passwords in the database is using
mysql's ENCODE() function.  This allows you two way encryption such that the
password is stored encrypted in the database, but can be decoded when
authenticating.  To do this, add another field to your users table of type
TEXT.  To add a user, this field would be set as something like:

  INSERT INTO users (user_login, sasl_passwd)
  VALUES ('login', ENCODE('plaintext', 'secretsalt'))

Or if you're using saslpasswd2 to manage your user passwords, add this to your
/etc/sasl2/saslpasswd.conf:

  sql_insert:  INSERT INTO users (user_login, sasl_passwd) VALUES ('%u',
ENCODE('%v', 'secretsalt'))
  sql_update:  UPDATE users SET sasl_passwd = ENCODE('%v', 'secretsalt') WHERE
user_login = '%u'

Then in all the services you'd configure the following in the .conf files:

  sql_select:  SELECT DECODE(sasl_passwd, 'secretsalt') FROM users WHERE
user_login = '%u'

Where 'secretsalt' is something you come up with for encoding/decoding the
password field and (obviously) keep a secret.  This setup has the added benefit
of allowing APOP, {CRAM,DIGEST}-MD5 mechanisms and no extra patches needed for
the sasl package.

------- Comment #3 From Tuan Van (RETIRED) 2004-07-18 22:12:52 0000 -------

Since upstream do not want to add this patch themself, I am sure we don't want
to support it either. Upstream ML discussion about this patch here: 
http://www.viperstrike.com/~lopaka/sysadmin/cyrus-sasl-mysql-encrypt/software-sources/patch

------- Comment #10 From Kristin Galway 2005-10-27 14:34:57 0000 -------

There is a spelling error in the ebuild:

# Sypport for crypted passwords. Bug #45181

Secondly, if crypted password support is going to be added and seeing as there
is already support for mysql, then I think that the
http://frost.ath.cx/software/cyrus-sasl-patches/dist/2.1.19/cyrus-sasl-2.1.19-checkpw.c+sql.c.patch
should be an option for building. I have tested that this works on my system
with cyrus-sasl-2.1.21-r1.ebuild and mysql version 4.1.14

------- Comment #11 From Fernando J. Pereda (RETIRED) 2005-11-06 03:48:00 0000 -------

Typo fixed in 2.1.21-r1.

As for the mysql patch, I'd rather not include more patches. This should
*really* be pushed upstream. If they don't include them, normally we don't.

Thanks,
Ferdy

------- Comment #12 From Kristin Galway 2005-11-08 08:00:02 0000 -------

(In reply to comment #11)
> Typo fixed in 2.1.21-r1.
> 
> As for the mysql patch, I'd rather not include more patches. This should
> *really* be pushed upstream. If they don't include them, normally we don't.
> 
> Thanks,
> Ferdy

*shrug* I disagree as I feel that it would be helping to make things more secure
seeing how sending passwords in cleartext is just stupid.

------- Comment #13 From Kristin Galway 2005-11-08 08:28:26 0000 -------

(In reply to comment #11)
> Typo fixed in 2.1.21-r1.
> 
> As for the mysql patch, I'd rather not include more patches. This should
> *really* be pushed upstream. If they don't include them, normally we don't.
> 
> Thanks,
> Ferdy

*shrug* I disagree as I feel that it would be helping to make things more secure
seeing how sending passwords in cleartext is just stupid.(In reply to comment #12)
> (In reply to comment #11)
> > Typo fixed in 2.1.21-r1.
> > 
> > As for the mysql patch, I'd rather not include more patches. This should
> > *really* be pushed upstream. If they don't include them, normally we don't.
> > 
> > Thanks,
> > Ferdy
> 
> *shrug* I disagree as I feel that it would be helping to make things more secure
> seeing how sending passwords in cleartext is just stupid.

After finding the ML discussion mentioned previously in this bug report, I
withdraw my request and comment regarding security. I am in agreement with Ferdy
that the cyrus-sasl maintainers should deal with this instead of us patching the
code to death anymore than it already is.

Bug#: 45181	Product: Gentoo Linux	Version: unspecified	Platform: All
OS/Version: Linux	Status: CLOSED	Severity: enhancement	Priority: P2
Resolution: WONTFIX	Assigned To: net-mail@gentoo.org	Reported By: me@alessandrorossini.org
Component: Applications
URL: http://frost.ath.cx/software/cyrus-sasl-patches/
Summary: dev-libs/cyrus-sasl: Add crypted password support for Auxprop SQL plugin
Keywords:
Status Whiteboard:
Opened: 2004-03-19 18:25 0000