[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

Re: Information about SASL and LDAP



On 11/30/2011 4:18 PM, Howard Chu wrote:
On 30/11/11 11:16 +0100, Christian Roessner wrote:

cmusaslsecretCRAM-MD5
cmusaslsecretDIGEST-MD5 and
cmusaslsecretNTLM

As I recall these are all plaintext-equivalents; i.e. there is no
security benefit from using these pre-hashed values, so they've been
deprecated already. The plugins will retrieve and use them if they're
present, but nothing creates them.

They are _not_ plaintext equivalents. They are realm-limited, so compromise is limited to just the set of services sharing that realm (in many cases a single service). i.e. they don't let me use your password to log in to gmail, or get a shell on your box.

The fact that the cyrus folks decided to deprecate these in favor of storing actual clear text passwords makes me a sad panda. And demonstrates a lack of understanding of the security issues involved, or a very different cost/benefit analysis than I can imagine.

--
Carson


[Video For Linux]     [Photos]     [Yosemite News]    [Yosemite Photos]     [gtk]     [KDE]     [Info Cyrus]     [Gimp on Windows]     [Steve's Art]     [Script Fu]

Powered by Linux