On Fri, 10 Dec 2004 19:28:32 +0000, Pedro Pais <[EMAIL PROTECTED]> wrote:
> On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins <[EMAIL PROTECTED]> wrote:
> >
> > On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
> > >> Also, I'm fairly certain that CRAM-MD5 requires that you have
> > >> clear-text passwords enabled. I still need to look at my pop and
> > >> smtp servers to see how I can make them not advertise something
> > >> that's not available on my system...
> > >
> > > Really? That doesn't sound too secure, or even ethical.
> >
> > CRAM-MD5 is more secure because someone sniffing the network can't
> > derive the sender's password. With all other SMTP AUTH methods, you
> > can easily decode sniffed packets to get the email address and
> > password. The only way for CRAM-MD5 to work is for the server to know
> > the user's cleartext password.
> >
> > Granted, you need to make sure the cleartext password is stored
> > securely...
>
> But why isn't the password stored in the passwd/mysql using CRAM-MD5
> format? That way you could always check it. It wouldn't matter if the
> client authenticated using plain or using CRAM-MD5. You could even
> double cypher the password using mysql PASSWORD().
>
> a) Client authenticates using plain username/password. Create CRAM-MD5
>    from those tokens and check with the password stored.
> b) Client authenticates using CRAM-MD5 username/password. Directly
>    compare with the stored password.
>
> Am I missing something important in here?

Maybe I'm over-simplifying things a bit, right? I'm skimming the RFC and the process of creation of the CRAM-MD5 authentication token doesn't seem to be very straight-forward...

> > --
> > Tom Collins - [EMAIL PROTECTED]
> > QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
> > Info on the Sniffter hand-held Network Tester: http://sniffter.com/

--
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox!
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
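
The CRAM-MD5 exchange discussed in this thread, sketched after RFC 2195 as an added example (not code from the posters, vpopmail or qmail): the response is an HMAC-MD5 keyed with the password over a challenge that changes every session, so a response recorded from one session does not verify against the next. The host name, the `user_db` table and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def make_challenge(host="mail.example.test"):
    """Server: a fresh challenge per session (host name is a placeholder)."""
    return base64.b64encode(f"<{secrets.token_hex(8)}@{host}>".encode())


def client_response(user, password, challenge_b64):
    """Client: HMAC-MD5 keyed with the password over the decoded challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(user_db, challenge_b64, response_b64):
    """Server: recompute the HMAC from the stored secret; return user or None."""
    try:
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no space separator
        return None
    password = user_db.get(user)
    if password is None:
        return None
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return user if hmac.compare_digest(expected.encode(), digest.encode()) else None


def demo():
    """Run three sessions against a constructed one-user table."""
    user_db = {"tim": "tanstaaftanstaaf"}  # constructed; secret from the RFC 2195 sample
    c1, c2 = make_challenge(), make_challenge()
    r1 = client_response("tim", "tanstaaftanstaaf", c1)
    return {
        "fresh": server_verify(user_db, c1, r1),      # response to its own challenge
        "replayed": server_verify(user_db, c2, r1),   # old response, new challenge
        "wrong_pw": server_verify(user_db, c2, client_response("tim", "guess", c2)),
    }


if __name__ == "__main__":
    print(demo())
```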