Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] postfix/imap/cyrus-sasl and Pam backend
  • From: Andreas Winkelmann <ml@xxxxxxxxxxxxxx>
  • Date: Wed, 10 Mar 2004 15:34:33 +0100
  • Message-id: <200403101534.33722.ml@xxxxxxxxxxxxxx>
On Wednesday, 10 March 2004 15:18, Markus Feilner wrote:

> > > Now: postfix grants all users access based on user/password
> > > combinations in sasldb - and only those users. Shouldn't saslauth
> > > use the local user/password combination?
> >
> > Please define "saslauth". I'm not sure, what you mean.
>
> O.K.
> I made postfix use SASL auth - by the parameters above means, it uses
> saslauthd for authentication. Right?

Yes.

> saslauthd is configured to auth against pam. Right?

Yes.

> But: saslauthd uses User/Password combinations from sasldb. Why?

No. saslauthd and sasldb are two different things.

> Where is my mistake?

> > > (BTW: Why does sasl with PAM only work with PLAIN?)
> >
> > It works with plain and login.
>
> Sorry, you are right. But I want to understand why I cannot use either
> MD5 methods for that...

To use the *-MD5 mechanisms, Cyrus-SASL needs access to the unencrypted
plaintext password. This is due to the algorithms by which these hashes are
computed.

The other reason is saslauthd itself. It speaks a protocol where the Lib only
asks saslauthd if the password is correct:

Lib -> saslauthd : Is "User","Realm","Password" Ok
saslauthd -> Lib: "Ok" / "Not Ok"

That's all, no way to exchange a password.

--
Andreas
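
The point made in the reply above, as an added example that is not part of the original message or of Cyrus-SASL: a CRAM-MD5 check (RFC 2195) has to recompute an HMAC keyed with the plaintext password, while a saslauthd-style checker only answers yes or no for a password it is handed. The user, password, challenge, salted-hash backend and function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data (not from the original thread).
USER = "alice"
PASSWORD = "correct horse"
CHALLENGE = "<1896.697170952@mail.example.org>"


def cram_md5_digest(password: str, challenge: str) -> str:
    """RFC 2195: hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def verify_cram_md5(user, digest, challenge, plaintext_store) -> bool:
    """Server side: must look up the plaintext secret to recompute the HMAC."""
    password = plaintext_store.get(user)
    if password is None:
        return False
    return hmac.compare_digest(digest, cram_md5_digest(password, challenge))


def password_oracle(user: str, password: str) -> bool:
    """Hypothetical stand-in for the saslauthd/PAM check: yes/no only.

    It keeps a salted hash (assumption), so it can test a candidate
    password but can never hand the plaintext back to the caller.
    """
    salt = b"constructed-salt"
    stored = {USER: hashlib.sha256(salt + PASSWORD.encode()).hexdigest()}
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(stored.get(user, ""), candidate)


def demo() -> dict:
    digest = cram_md5_digest(PASSWORD, CHALLENGE)  # all the server ever receives
    return {
        "plain_via_oracle": password_oracle(USER, PASSWORD),
        "cram_via_plaintext_store": verify_cram_md5(USER, digest, CHALLENGE, {USER: PASSWORD}),
        "cram_digest_fed_to_oracle": password_oracle(USER, digest),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

With PLAIN or LOGIN the server holds the password itself and can pass it to the yes/no checker; with CRAM-MD5 it holds only the digest, which the checker cannot validate.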

