
Re: [bug-anubis] [QUESTION] Using SHA/MD5 hashed password instead of cle


From: Sergey Poznyakoff
Subject: Re: [bug-anubis] [QUESTION] Using SHA/MD5 hashed password instead of cleartext pwds
Date: Wed, 18 May 2005 12:36:12 +0300

Daniel S. Haischt <address@hidden> wrote:

> Anyway - Would it be possible to write SHA/MD5 hashes
> to the passwd column, if someone is using the SASL
> AUTH method to authenticate against an RDBMS?

It should be rather simple to use MD5 or DES hashed passwords (not
hashes, that is impossible, but *hashed passwords*. The latter differ from
the former in that they include the seed value used to produce the
hash). The following change should be enough:

Index: src/gsasl_srv.c
===================================================================
RCS file: /cvsroot/anubis/anubis/src/gsasl_srv.c,v
retrieving revision 1.14
diff -p -u -r1.14 gsasl_srv.c
--- src/gsasl_srv.c     15 May 2005 17:41:19 -0000      1.14
+++ src/gsasl_srv.c     18 May 2005 09:34:15 -0000
@@ -240,7 +240,7 @@ cb_validate (Gsasl_session_ctx * ctx,
   
   if (usr->smtp_authid == NULL
       || strcmp (usr->smtp_authid, authentication_id)
-      || strcmp (usr->smtp_passwd, password))
+      || strcmp (crypt(password, usr->smtp_passwd), usr->smtp_passwd))
     return GSASL_AUTHENTICATION_ERROR;
   return GSASL_OK;
 }
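
Review bot: the added line passes the result of crypt() straight into strcmp(), but crypt() returns NULL on failure (for instance when the stored value is not a salt string it accepts), so a malformed smtp_passwd entry would dereference NULL inside the authentication callback instead of failing the login. Suggest storing the result in a local, returning GSASL_AUTHENTICATION_ERROR when it is NULL, and only then comparing. The condition also checks only smtp_authid for NULL, so a NULL smtp_passwd would now reach crypt() as the salt argument; a check for it belongs in the same condition. The hunk adds no include for the crypt() prototype, which should be confirmed elsewhere in the file (unistd.h or crypt.h, depending on the platform), since an implicit declaration would truncate the returned pointer on 64-bit targets. Finally, existing cleartext values in the passwd column will stop authenticating once this is applied, which is worth stating in the documentation or handling with a configuration switch.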

Regards,
Sergey
