Brian Szymanski wrote:
Mostly for curiosity's sake. If I recall correctly there are serious weaknesses with MD5 too.
True, but the clients don't support SHA-1 anyways, so there is no point in supporting an equally suspect mechanism. Besides, the use of CRAM-MD5 here is very low risk, since it is used for a very narrow purpose. Being able to generate a hash collision (the weakness of MD5 in general) does no one any good; you can't use that to recover the original password. You can't use it in a realistic Man-in-the-Middle attack either.
This is also mostly a curiosity point, I'm actually wondering more about whether ditching the clear and hashed passwords and just passing one parameter, and letting the caller dispatch either by hook or by $method makes sense to anyone but me.
The issue is that the Qpsmtpd/Auth.pm file provides the framework for *all* auth plugins (i.e. it has all of the mechanism negotiation as well as prompting for the hashed password if needed). The auth plugins only _verify_ the password (either by comparing the plaintext directly, or rehashing the locally maintained plaintext password). There is no point at all in duplicating all of the funtionality in the auth plugins themselves.
John -- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
