Bug 45181 - dev-libs/cyrus-sasl: Add crypted password support for Auxprop SQL plugin
Summary: dev-libs/cyrus-sasl: Add crypted password support for Auxprop SQL plugin
Status: VERIFIED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High enhancement
Assignee: Net-Mail Packages
URL: http://frost.ath.cx/software/cyrus-sa...
Whiteboard:
Keywords:
Duplicates: 51320 58622 71567 76390
Depends on:
Blocks:
 
Reported: 2004-03-19 18:25 UTC by Alessandro Rossini
Modified: 2005-11-08 08:28 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
My new ebuild and crypted password patch (cyrus-sasl-2.1.18.ebuild.tar.bz2,3.77 KB, application/x-tbz)
2004-03-19 18:28 UTC, Alessandro Rossini
Description Alessandro Rossini 2004-03-19 18:25:20 UTC
Current Cyrus-SASL lacks crypted password support for the Auxprop SQL plugin; it only supports clear passwords.
This feature is useful when we want to make an authenticated SMTP server using an SQL server for the user accounts.
My new ebuild includes a patch for this feature. I've tested it with versions 2.1.17 and 2.1.18.
More information is available at the URL.

Reproducible: Always
Steps to Reproduce:

Actual Results:

Expected Results:
Comment 1 Alessandro Rossini 2004-03-19 18:28:54 UTC
Created attachment 27667 [details]
My new ebuild and crypted password patch
Comment 2 Max Kalika (RETIRED) gentoo-dev 2004-04-01 09:11:35 UTC
Please post each file as text/plain individually as specified in the bug-posting howto.  I haven't had a chance to look at this yet, but I have some questions first.  This sounds like it will prevent APOP, CRAM-MD5 and DIGEST-MD5 mechanisms from working as those need access to the plaintext password.  Is this true?

Aside from this, the way I store encrypted passwords in the database is using mysql's ENCODE() function.  This allows you two-way encryption such that the password is stored encrypted in the database, but can be decoded when authenticating.  To do this, add another field to your users table of type TEXT.  To add a user, this field would be set as something like:

  INSERT INTO users (user_login, sasl_passwd)
  VALUES ('login', ENCODE('plaintext', 'secretsalt'))

Or if you're using saslpasswd2 to manage your user passwords, add this to your /etc/sasl2/saslpasswd.conf:

  sql_insert:  INSERT INTO users (user_login, sasl_passwd) VALUES ('%u', ENCODE('%v', 'secretsalt'))
  sql_update:  UPDATE users SET sasl_passwd = ENCODE('%v', 'secretsalt') WHERE user_login = '%u'

Then in all the services you'd configure the following in the .conf files:

  sql_select:  SELECT DECODE(sasl_passwd, 'secretsalt') FROM users WHERE user_login = '%u'

Where 'secretsalt' is something you come up with for encoding/decoding the password field and (obviously) keep a secret.  This setup has the added benefit of allowing APOP, {CRAM,DIGEST}-MD5 mechanisms and no extra patches needed for the sasl package.
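The trade-off raised in comment 2 (one-way "crypted" passwords versus APOP/CRAM-MD5/DIGEST-MD5, which need the plaintext) is easy to see in code. The following is an added illustration, not part of cyrus-sasl or of the patch attached to this bug: a "recoverable" store entry models the ENCODE()/DECODE() setup above, where sql_select hands the plugin the plaintext, and a "hashed" entry models a one-way crypted password. PBKDF2-SHA256 stands in for crypt(3), and the store layout, function names and sample users are all assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import secrets

# Constructed illustration: how the choice of password storage decides which
# SASL mechanisms the server can still verify. Not part of cyrus-sasl.
# A str entry models the recoverable ENCODE()/DECODE() setup from comment 2;
# a (salt, digest) entry models a one-way crypted password. PBKDF2-SHA256 is
# an assumption standing in for crypt(3).

PBKDF2_ITERATIONS = 100_000


def make_hashed_entry(password: str) -> tuple:
    """Return (salt, digest) for a one-way stored password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return (salt, digest)


def verify_against_hash(entry: tuple, candidate: str) -> bool:
    """PLAIN/LOGIN style check: re-hash the offered password and compare."""
    salt, expected = entry
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(got, expected)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of RFC 2195: 'username hex(HMAC-MD5(password, challenge))'."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def verify_cram_md5(plaintext_password: str, username: str,
                    challenge: bytes, response: str) -> bool:
    """Server side: the only way to check the response is to recompute the
    same HMAC, so the server must hold the plaintext password."""
    expected = cram_md5_response(username, plaintext_password, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def authenticate(store: dict, mechanism: str, username: str,
                 credential: str, challenge: bytes = None) -> bool:
    """Dispatch on the mechanism and on what kind of entry the store holds.

    store values are either a str (recoverable plaintext) or a (salt, digest)
    tuple (one-way hash). credential is the offered password for PLAIN, or the
    client's whole response line for CRAM-MD5.
    """
    entry = store.get(username)
    if entry is None:
        return False
    if mechanism == "PLAIN":
        if isinstance(entry, str):
            return hmac.compare_digest(entry.encode(), credential.encode())
        return verify_against_hash(entry, credential)
    if mechanism == "CRAM-MD5":
        if not isinstance(entry, str):
            # This is the incompatibility pointed out in comment 2: a one-way
            # hash cannot be turned back into the HMAC key the check needs.
            raise ValueError("CRAM-MD5 needs the plaintext password; "
                             "a one-way crypted entry cannot verify it")
        return verify_cram_md5(entry, username, challenge, credential)
    raise ValueError(f"unsupported mechanism {mechanism!r}")


if __name__ == "__main__":
    recoverable = {"alice": "correct horse"}       # constructed sample data
    hashed = {"alice": make_hashed_entry("correct horse")}
    chal = b"<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 sample challenge
    resp = cram_md5_response("alice", "correct horse", chal)

    print("PLAIN vs recoverable:   ", authenticate(recoverable, "PLAIN", "alice", "correct horse"))
    print("PLAIN vs hashed:        ", authenticate(hashed, "PLAIN", "alice", "correct horse"))
    print("CRAM-MD5 vs recoverable:", authenticate(recoverable, "CRAM-MD5", "alice", resp, chal))
    try:
        authenticate(hashed, "CRAM-MD5", "alice", resp, chal)
    except ValueError as exc:
        print("CRAM-MD5 vs hashed:     ", exc)
```

Two things to take from it: a one-way hash only ever supports mechanisms where the client sends the password itself (PLAIN, LOGIN), so it must be paired with TLS on the wire; and a recoverable store such as the ENCODE()/DECODE() scheme is, from the database's point of view, plaintext protected only by the secret in the SASL .conf files, which is why comment 2 insists on keeping that value secret.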
Comment 3 Tuan Van (RETIRED) gentoo-dev 2004-07-18 22:12:52 UTC
Since upstream does not want to add this patch themselves, I am sure we don't want to support it either. Upstream ML discussion about this patch is here: 
http://www.viperstrike.com/~lopaka/sysadmin/cyrus-sasl-mysql-encrypt/software-sources/patch
Comment 4 Tuan Van (RETIRED) gentoo-dev 2004-08-01 14:14:10 UTC
*** Bug 58622 has been marked as a duplicate of this bug. ***
Comment 5 Tuan Van (RETIRED) gentoo-dev 2004-08-01 14:15:32 UTC
*** Bug 51320 has been marked as a duplicate of this bug. ***
Comment 6 Tuan Van (RETIRED) gentoo-dev 2004-11-17 10:15:13 UTC
*** Bug 71567 has been marked as a duplicate of this bug. ***
Comment 7 Tuan Van (RETIRED) gentoo-dev 2004-11-17 10:17:25 UTC
the reference in comment #3 is wrong. This is the one: 
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=5683
Comment 8 Tuan Van (RETIRED) gentoo-dev 2005-01-02 11:36:33 UTC
*** Bug 76390 has been marked as a duplicate of this bug. ***
Comment 9 Fernando J. Pereda (RETIRED) gentoo-dev 2005-02-15 11:43:07 UTC
Added in cyrus-sasl-2.1.20-r2. Just committed to CVS.

Cheers,
Ferdy
Comment 10 Kristin Galway 2005-10-27 14:34:57 UTC
There is a spelling error in the ebuild:

# Sypport for crypted passwords. Bug #45181

Secondly, if crypted password support is going to be added and seeing as there
is already support for mysql, then I think that the
http://frost.ath.cx/software/cyrus-sasl-patches/dist/2.1.19/cyrus-sasl-2.1.19-checkpw.c+sql.c.patch
should be an option for building. I have tested that this works on my system
with cyrus-sasl-2.1.21-r1.ebuild and mysql version 4.1.14
Comment 11 Fernando J. Pereda (RETIRED) gentoo-dev 2005-11-06 03:48:00 UTC
Typo fixed in 2.1.21-r1.

As for the mysql patch, I'd rather not include more patches. This should
*really* be pushed upstream. If they don't include them, normally we don't.

Thanks,
Ferdy
Comment 12 Kristin Galway 2005-11-08 08:00:02 UTC
(In reply to comment #11)
> Typo fixed in 2.1.21-r1.
> 
> As for the mysql patch, I'd rather not include more patches. This should
> *really* be pushed upstream. If they don't include them, normally we don't.
> 
> Thanks,
> Ferdy

*shrug* I disagree as I feel that it would be helping to make things more secure
seeing how sending passwords in cleartext is just stupid.
Comment 13 Kristin Galway 2005-11-08 08:28:26 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > Typo fixed in 2.1.21-r1.
> > 
> > As for the mysql patch, I'd rather not include more patches. This should
> > *really* be pushed upstream. If they don't include them, normally we don't.
> > 
> > Thanks,
> > Ferdy
> 
> *shrug* I disagree as I feel that it would be helping to make things more secure
> seeing how sending passwords in cleartext is just stupid.

After finding the ML discussion mentioned previously in this bug report, I
withdraw my request and comment regarding security. I am in agreement with Ferdy
that the cyrus-sasl maintainers should deal with this instead of us patching the
code to death anymore than it already is.