Re: [bug-anubis] [QUESTION] Using SHA/MD5 hashed password instead of cle
From: Sergey Poznyakoff
Subject: Re: [bug-anubis] [QUESTION] Using SHA/MD5 hashed password instead of cleartext pwds
Date: Wed, 18 May 2005 12:36:12 +0300
Daniel S. Haischt <address@hidden> wrote:
> Anyway - Would it be possible to write SHA/MD5 hashes
> to the passwd column, if someone is using the SASL
> AUTH method to authenticate against a RDBMS?
It should be rather simple to use MD5 or DES hashed passwords (Not
hashes, it is impossible, but *hashed passwords*. The latter differ from
the former in that they include the seed value used to produce the
hash). The following change should be enough:
Index: src/gsasl_srv.c
===================================================================
RCS file: /cvsroot/anubis/anubis/src/gsasl_srv.c,v
retrieving revision 1.14
diff -p -u -r1.14 gsasl_srv.c
--- src/gsasl_srv.c 15 May 2005 17:41:19 -0000 1.14
+++ src/gsasl_srv.c 18 May 2005 09:34:15 -0000
@@ -240,7 +240,7 @@ cb_validate (Gsasl_session_ctx * ctx,
if (usr->smtp_authid == NULL
|| strcmp (usr->smtp_authid, authentication_id)
- || strcmp (usr->smtp_passwd, password))
+ || strcmp (crypt(password, usr->smtp_passwd), usr->smtp_passwd))
return GSASL_AUTHENTICATION_ERROR;
return GSASL_OK;
}
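Review bot: On the added line the return value of crypt() is passed straight to strcmp(), but crypt() can return NULL on failure (for instance when usr->smtp_passwd is not a usable salt/setting string), so a row holding a malformed value could crash the process instead of failing authentication. Keep the result in a local variable, return GSASL_AUTHENTICATION_ERROR when it is NULL, and check usr->smtp_passwd for NULL the same way usr->smtp_authid is checked two lines above. The hunk also adds no declaration for crypt(); without the proper header (<crypt.h> or <unistd.h>, depending on the platform) the implicit int return type truncates the pointer on 64-bit systems, so the include should come with this change. Since every existing cleartext value in the passwd column stops matching once this is applied, the change needs a note about converting the stored values.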
Regards,
Sergey
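
To illustrate the distinction drawn in the reply between a bare hash and a *hashed password* that carries its seed, here is an added example (not part of the original message and not Anubis code). It parses the two stored formats named above, MD5 (`$1$salt$hash`) and traditional DES (13 characters, the first two being the salt), and rejects anything else; `parse_hashed_passwd` and `enum pw_scheme` are hypothetical names, and the sample field is constructed.

```c
#include <stdio.h>
#include <string.h>

enum pw_scheme { PW_INVALID, PW_DES, PW_MD5 };

/* Alphabet used by crypt(3) for salts and encoded hashes. */
static const char B64[] =
  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Classify a stored password field and copy out the salt embedded in it.
   salt must have room for 9 bytes (8 salt characters plus NUL). */
enum pw_scheme
parse_hashed_passwd (const char *stored, char *salt, size_t saltsz)
{
  if (stored == NULL || salt == NULL || saltsz < 9)
    return PW_INVALID;

  if (strncmp (stored, "$1$", 3) == 0)
    {
      /* MD5 crypt: "$1$" salt (up to 8 chars) "$" hash (22 chars). */
      const char *s = stored + 3;
      size_t n = strspn (s, B64);
      if (n > 8 || s[n] != '$')
        return PW_INVALID;
      if (strlen (s + n + 1) != 22 || strspn (s + n + 1, B64) != 22)
        return PW_INVALID;
      memcpy (salt, s, n);
      salt[n] = '\0';
      return PW_MD5;
    }

  /* Traditional DES crypt: 13 characters, the first two are the salt. */
  if (strlen (stored) == 13 && strspn (stored, B64) == 13)
    {
      memcpy (salt, stored, 2);
      salt[2] = '\0';
      return PW_DES;
    }
  return PW_INVALID;            /* cleartext, bare digest, unknown scheme */
}

int
main (void)
{
  char salt[9];
  /* Constructed sample field, not a real hash. */
  enum pw_scheme k =
    parse_hashed_passwd ("$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV", salt, sizeof salt);
  printf ("scheme=%d salt=%s\n", k, k == PW_INVALID ? "-" : salt);
  return 0;
}
```

A `PW_INVALID` result for a column value means a crypt()-based comparison cannot succeed for that row; a 32-character hex MD5 digest falls into this class because it contains no salt.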