This borders on flaming and provides nothing useful to the group. If you have
nothing useful to offer please keep it to yourself.

Please, remember this group is to assist people and to help better the software
through thoughtful, considerate communication.

I don't moderate or even contribute much to the list but your attitude and
comments are rude.
Michael J Barber
SUNY Plattsburgh
CMS Computer Labs Technician
116D Feinberg Library
Plattsburgh, NY 12901
518.564.2319
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


Quoting "Jeff Wiegley, PhD" <***@cyte.com>:

^^ I'm sure this has been brought up before. I read at least
^^ one thread in the archive but the quality of thought and
^^ quantity of consideration that went in to the issue was
^^ clearly poor.
^^
^^ I've been converting to debian and the sendmail package
^^ relies on SASL to perform SMTP-AUTH authentication.
^^ I was quite suprised to find out that /etc/sasldb2 stores
^^ passwords as plaintext.
^^
^^ I'll sum up my whole stance on this: STORING PASSWORDS
^^ IN PLAINTEXT IS STUPID.
^^
^^ You cannot convince me otherwise.
^^
^^ 1) If it was an "ok" idea then /etc/shadow would store
^^ them as plaintext.
^^
^^ 2) even the developers think it is a risk:
^^ from: cyrus-***@lists.andrew.cmu.ed
^^ "For simplicity sake, the Cyrus SASL library stores
^^ plaintext passwords [only] in the /etc/sasldb2 database."
^^ ...
^^ "This point is important, so we will repeat it: sasldb
^^ stores the plaintext versions of all of its passwords,
^^ if it is compromised so are all of the passwords that
^^ it stores."
^^
^^ I mean, come on... "For simplicy sake..."; what a horrible
^^ security paradigm!
^^
^^ 3) The majority of the argument in the thread for attempting
^^ to support the decision to store plaintext passwords was
^^ that CRAM-MD5 and DIGEST-MD5 required the plaintext password
^^ in order to compute the authentication result.
^^
^^ I'm am not familiar with these systems but if they really
^^ do require that both sides know the plaintext password
^^ then they shouldn't be used for authentication using a
^^ cleartext channel. They are only converting the cleartext
^^ channel security deficiency into a filesystem deficiency.
^^ No real security is being provided.
^^
^^ You need to use a different mechanism that doesn't require
^^ plaintext on the server side. Or you need to secure the
^^ channel ala TLS and communciate a one way hash.
^^
^^ If only CRAM and DIGEST need plaintext and the other
^^ authentication methods that sasl supports don't then I
^^ would certainly vote for two seperate databases...
^^
^^ /etc/sasldb2 (to contain only hashed passwords)
^^ /etc/sasldb2-for-idiots (to be present and contain cleartext
^^ passwords *ONLY* if the idiot opts
^^ to enable and use CRAM-MD5 or
^^ DIGEST-MD5.)
^^
^^ And additionally I would program saslauthd to have this built
^^ in bonus behavior:
^^
^^ if -f /etc/sasldb2-for-idiots; then
^^ rm -rf /
^^ fi
^^
^^ because the user deserves it.
^^
^^ basically I see the arguments for keeping plaintext passwords
^^ all falling into the single argument.
^^ "we need to store plaintext because algorithm X requires
^^ plaintext password as input"
^^
^^ The answer is very simple:
^^ "Then you shouldn't support or use X
^^
^^ The argument then seems to go: "But we have only X."
^^
^^ answer: "Develop Y which doesn't require this supid restriction."
^^
^^ I'ld like to hear a good answer for this. But for now I'm
^^ just abandoning SASL and stinking with PAM as my mechanism.
^^
^^ Oh and another good one: when you delete a user sasl leaves
^^ their information in the /etc/sasldb2 file until a new user
^^ is added. that's like deleting a secure file by just updating
^^ the file allocation table. nice.
^^
^^ -
^^ Jeff
^^
^^
^^
-----------------------------------------------------
-----------------------------------------------------
This site run by Horde http://www.horde.org
Apache http://httpd.apache.org
PHP http://www.php.net
PostgreSQL http://www.postgresql.org
MySQL http://www.mysql.com
Postfix http://www.postfix.org
Cyrus-Imap http://asg.web.cmu.edu/
and of course
GNU Linux by RedHat http://www.redhat.com
-----------------------------------------------------

This is an incorrect interpretation, CRAM-MD5 and DIGEST-MD5 require
plaintext *equivilant* secrets to be stored in their database. That is,
storing what they need is essentially as good (cryptographicly speaking)
as storing the plain text versions of the passwords.

On the wire, the password is not transfered and the mechanisms are secure.

Keep in mind that the design of Cyrus (especially using sasldb for
authentication) is for a closed-box system. That is, normal users do not
have access to the machine. If someone does have access to read
sasldb2, for example, you've already lost (since they can also read the
mail store, or the ldap database, or commondere your sendmail
installation, etc).

Using a plaintext password in the database allows the password to be
shared amongst all of the mechanisms easily. It also makes upgrading
siginificantly easier (something that was a concern around the time we
deployed SASL2: it had become clear to us that trying to manage many
different hashes of passwords created an upgrade nightmare with no
significant cryptographic gain).
This isn't exactly the argument, no, though I suppose it could be
interpreted that way.
The SRP mechanism does manage to store non-plaintext-equivilents (that is,
the password database gives no information as to the actual password that
the user has). We do support storing non-plaintext passwords for use with
this mechanism. (Indeed, we do support *reading* non-plaintext versions
of the password out of auxprop plugins that supply them for all the
mechanisms).
That's great, but since SASL and PAM accomplish two totally different
things, I don't know what that statement really translates to.
I'm not sure what this statement means, saslpasswd2 supports the removal
of entries for the database.

This all being said, the recent addition of writable auxprops to CVS would
make managing the plaintext-equivilents significantly easier in the grand
scheme of things, so it may be something we want to revisit in some time.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

Persons of a sensitive disposition please look away now.
Please remember that the "PhD" after your name does not stand for
"know-it-all", "holier-than-thou", etc. You admit you know nothing about
SASL, yet you've taken it upon yourself to tell a bunch of people who do
that they're idiots. You're supposed to be capable of original research,
so you could at least have done some quick glances through a couple of
RFCs.

I have to wonder about anyone who's so insecure that they stick their
Doctorate in their From: header, though.
Would it help to know that SASL is a standard, and this is the Cyrus
SASL distribution of one implementation of it? You seem remarkably
unclear on that.
Yes, required for some mechanisms. (There's already a seperate
discussion concerning whether DIGEST-MD5 really requires a plaintext
equivalent or not. If not, then it requires a seperate usable secret in
sasldb2 for each service, which amounts to pretty much the same thing
IMHO)

Many of these mechanisms are, in turn, required by standards which have
a SASL profile. (For example, PLAIN is required by IMAP [RFC3501],
CRAM-MD5 is required by ACAP [RFC2244], etc).

CRAM-MD5, a popular choice for this because it's "cheap" to implement
and gives reasonable on-the-wire security, uses a shared secret which is
not only a plaintext equivalent in every sense, but additionally costs
more computation time than storing the plaintext password, thanks to
OpenSSL's optimised routines for HMAC.
Sure, but given that there's no choice in the matter if we wish to
adhere to published standards...
If half a million ants... Oh, wait. Rob goes into more detail about the
Cyrus design as a whole, but essentially, if the user can access
/etc/sasldb2, then they can access files with the same privs as many
system network daemons. Bad news all round.

With /etc/shadow, please bear in mind that if someone unauthorised looks
at that file, it's unlikely to be the root password they're after. The
rationale of keeping them encrypted there is actually mostly because
they were encrypted before anyway, and it's easier to copy them across
from /etc/passwd when you upgrade rather than to decrypt them.
No, a change in "where the security is" is being provided, instead. It's
a trade-off that's your choice. You can disable these mechanisms if you
want, it's not a problem. I'd recommend it, unless you happen to be
supporting clients which use them.
Ah, well, you have this choice.

Unfortunately, server implementors, and SASL implementors, do not.

Many systems administrators do not, since these mechanisms might be the
only way some clients can authenticate.

But you do have the choice.
If Debian had Idiot detection with the same effects, you'd be too busy
reinstalling to mail this list.

Dave.

...and thats a point I will never understand and maybe someone explains it for
the stupid! My requirements for making me use SASL and software supporting it
are that I absolutely do not want to create system accounts for anybody being
able to relay mail or log into an imap account! I even do not understand why
people setup SASL to use PAM all the time because it completely disables this
behaviour! If you create your users in PAM, you create them as "normal shell
accounts" because, as far as I know, PAM is a replacement/enhancement for the
normal /etc/passwd /etc/shadow system and mainly all distributions ship with
theire packages beeing built to support it. So if anybody who has an account
on your machine is also able (...in certain situations...) to log into it via
ssh...good night! For me I have one system account "cyrus" owning all related
spool files and beeing the only user needed to support infinite imap
accounts. You should start thinking about the benefits some software brings
and not just mention things beeing not the way you prefer. There were things
which made me think of not having email users as normal system accounts
introducing more security than the risk of storing plaintext passwords
though! For me I see no real reason why SASL supports PAM however. Most
common thing I see on the list is people setting up SASL to use PAM and then
setting up PAM to use some mysql plugin to retrieve the accounts from
database. I will never get the point why these people do not use auxprop
mysql directly thus leaving out the complete unneccessary PAM overhead!
The only thing which may be an issue is that you definetly want to have one
single place to store all account data and thats where it gets interesting.
If you have sendmail and cyrus-imapd both sharing accounts its desireable
that e.g. your ftp and http users are stored somewhere there also!
Well...I am running all services I need sharing a single database and there is
not a single one using PAM which I personally abandoned! Sometimes it can be
harder to get PAM disabled than to get SASL working...
Why should I ever start thinking about PAM ? If it introduces my imap accounts
to the system I will loose functionality I require for security reasons.
Because there are so many people setting up SASL with PAM there must be
reasons for that which I would like to know about because actually that seems
stupid to me somehow...

--Christian

[... flame snipped ...]

If you want to raise the quality of thought going on this issue, you
should weight your word more carefully. The kind of flame you sent does
not make a healthy debate starter.