Current Cyrus-SASL lacks crypted password support for the Auxprop SQL plugin; it only supports clear passwords. This feature is useful when we want to make an authenticated SMTP server using an SQL server for the user accounts. My new ebuild includes a patch for this feature. I've tested it with versions 2.1.17 and 2.1.18. More information is available at the URL.

Reproducible: Always
Created attachment 27667 [details] My new ebuild and crypted password patch
Please post each file as text/plain individually as specified in the bug-posting howto.

I haven't had a chance to look at this yet, but I have some questions first. This sounds like it will prevent the APOP, CRAM-MD5 and DIGEST-MD5 mechanisms from working, as those need access to the plaintext password. Is this true?

Aside from this, the way I store encrypted passwords in the database is using MySQL's ENCODE() function. This allows two-way encryption such that the password is stored encrypted in the database, but can be decoded when authenticating. To do this, add another field to your users table of type TEXT. To add a user, this field would be set as something like:

INSERT INTO users (user_login, sasl_passwd) VALUES ('login', ENCODE('plaintext', 'secretsalt'))

Or if you're using saslpasswd2 to manage your user passwords, add this to your /etc/sasl2/saslpasswd.conf:

sql_insert: INSERT INTO users (user_login, sasl_passwd) VALUES ('%u', ENCODE('%v', 'secretsalt'))
sql_update: UPDATE users SET sasl_passwd = ENCODE('%v', 'secretsalt') WHERE user_login = '%u'

Then in all the services you'd configure the following in the .conf files:

sql_select: SELECT DECODE(sasl_passwd, 'secretsalt') FROM users WHERE user_login = '%u'

Where 'secretsalt' is something you come up with for encoding/decoding the password field and (obviously) keep a secret. This setup has the added benefit of allowing the APOP and {CRAM,DIGEST}-MD5 mechanisms, and no extra patches are needed for the sasl package.
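An added illustration (not code from this bug, the patch, or cyrus-sasl) of why the challenge-response mechanisms named above need the plaintext on the server: a CRAM-MD5 server must recompute an HMAC keyed with the password itself, which a one-way hash cannot supply, whereas a PLAIN/LOGIN-style check only needs to hash what the client sent. The user name, password, salt and challenge are constructed; PBKDF2 stands in for crypt()-style one-way storage.

```python
"""CRAM-MD5 (RFC 2195) versus one-way hashed storage: constructed example."""
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: the response is the user name plus HMAC-MD5 of the
    server's challenge keyed with the plaintext password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(stored_plaintext: str, challenge: bytes, response: str) -> bool:
    """Server side: the server can only recompute the digest if it holds the
    plaintext (or something it can decode back to plaintext, like the
    ENCODE()/DECODE() scheme above). A one-way hash is useless here."""
    _username, digest = response.split(" ", 1)
    expected = hmac.new(stored_plaintext.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way salted hash, standing in for crypt()-style storage (assumption:
    PBKDF2-SHA256 is used only because it is in the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_plain_login(stored_hash: bytes, salt: bytes, password: str) -> bool:
    """PLAIN/LOGIN-style check: the client transmitted the password itself, so
    the server hashes it and compares; no plaintext needs to be stored."""
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


if __name__ == "__main__":
    # Constructed sample values; the challenge follows the RFC 2195 shape.
    challenge = b"<1896.697170952@postoffice.example>"
    response = cram_md5_response("alice", "s3cret", challenge)
    print("CRAM-MD5 with plaintext on server:", verify_cram_md5("s3cret", challenge, response))

    salt = b"constructed-salt"
    stored = hash_password("s3cret", salt)
    print("PLAIN against one-way hash:", verify_plain_login(stored, salt, "s3cret"))
```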
Since upstream does not want to add this patch themselves, I am sure we don't want to support it either. Upstream ML discussion about this patch is here: http://www.viperstrike.com/~lopaka/sysadmin/cyrus-sasl-mysql-encrypt/software-sources/patch
*** Bug 58622 has been marked as a duplicate of this bug. ***
*** Bug 51320 has been marked as a duplicate of this bug. ***
*** Bug 71567 has been marked as a duplicate of this bug. ***
The reference in comment #3 is wrong. This is the one: http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=5683
*** Bug 76390 has been marked as a duplicate of this bug. ***
Added in cyrus-sasl-2.1.20-r2. Just committed to CVS. Cheers, Ferdy
There is a spelling error in the ebuild:

# Sypport for crypted passwords. Bug #45181

Secondly, if crypted password support is going to be added, and seeing as there is already support for mysql, then I think that http://frost.ath.cx/software/cyrus-sasl-patches/dist/2.1.19/cyrus-sasl-2.1.19-checkpw.c+sql.c.patch should be an option for building. I have tested that this works on my system with cyrus-sasl-2.1.21-r1.ebuild and mysql version 4.1.14.
Typo fixed in 2.1.21-r1. As for the mysql patch, I'd rather not include more patches. This should *really* be pushed upstream. If they don't include them, normally we don't. Thanks, Ferdy
(In reply to comment #11)
> Typo fixed in 2.1.21-r1.
>
> As for the mysql patch, I'd rather not include more patches. This should
> *really* be pushed upstream. If they don't include them, normally we don't.
>
> Thanks,
> Ferdy

*shrug* I disagree, as I feel that it would be helping to make things more secure, seeing how sending passwords in cleartext is just stupid.
(In reply to comment #12)
> (In reply to comment #11)
> > Typo fixed in 2.1.21-r1.
> >
> > As for the mysql patch, I'd rather not include more patches. This should
> > *really* be pushed upstream. If they don't include them, normally we don't.
> >
> > Thanks,
> > Ferdy
>
> *shrug* I disagree as I feel that it would be helping to make things more secure
> seeing how sending passwords in cleartext is just stupid.

After finding the ML discussion mentioned previously in this bug report, I withdraw my request and comment regarding security. I am in agreement with Ferdy that the cyrus-sasl maintainers should deal with this instead of us patching the code to death any more than it already is.