[Dovecot] Authentication using native MySQL PASSWORD() function
Tom Sommer
ts at dreamcoder.dk
Thu Oct 27 18:39:12 EEST 2005
Jakob Hirsch wrote:
> Timo Sirainen wrote:
>
>
>>>But if I compile dovecot with --with-mysql, would it not be possible for
>>>dovecot to learn the mysql-password() scheme?
>>
>>I guess it shouldn't be difficult, if one of the password functions in
>>mysql_com.h is the same as the password() function in SQL.
>
>
> Don't know that, but it's probably a bad idea to do that. The mysql doc
> itself says: "Note: The PASSWORD() function is used by the authentication
> system in MySQL Server; you should not use it in your own applications.
> For that purpose, use MD5() or SHA1() instead."
> And there are two different ways mysql stores its passwords: An old one
> (pre-4.1, 16 bytes) and a new one (41 bytes, with a leading '*').
I agree, using PASSWORD() as a means to encode passwords in general
applications is a VERY bad idea, but what's done is done :(
> I think it would be more flexible (and maybe even easier to implement) to
> be able to use the password in a query, like:
>
> SELECT userid as user, password FROM users WHERE userid = '%u' AND
> password = '%p'
>
> This way, people can even use
>
> SELECT userid as user, %p AS password FROM users WHERE userid = '%u' AND
> password = PASSWORD('%p')
>
> (I hope the substitutions are properly escaped, btw)
>
> This works only when we get the plaintext password from the client,
> obviously. But this is also true for CRYPT etc.
>
> Maybe it would be even better/cleaner to be able to use something like
>
> SELECT userid AS user, 1 AS password_ok FROM users WHERE userid = '%u' AND
> password = PASSWORD('%p')
>
> So if password_ok is 1 we assume just what it says without further
> checking. This is more like a "return the check result" than "return the
> password" query then.
All of the above would solve my problem just fine, and keep the
authentication in native MySQL.
--
Tom Sommer
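The two storage formats Jakob mentions (the pre-4.1 16-character hash and the 4.1+ 41-character hash with a leading '*') are exactly what a native "mysql-password" scheme in dovecot would have to recognise. The following is an added example, not code from dovecot or from anyone in this thread: a Python reimplementation of both MySQL hash functions, plus a verifier that picks the format from the shape of the stored value, the way a password scheme would. USERS is a constructed stand-in for the `users` table; the two hash strings are the values MySQL's own documentation gives for PASSWORD('mypass') and OLD_PASSWORD('mypass').

```python
import hashlib
import hmac
import re

# Constructed stand-in for the `users` table from the thread: one account
# still carries a pre-4.1 (16 hex chars) hash, the other a 4.1+ hash
# (41 chars, leading '*').  Both values are for the password "mypass".
USERS = {
    "alice": "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4",
    "bob": "6f8c114b58f2ce9e",
}

NEW_FORMAT = re.compile(r"^\*[0-9A-Fa-f]{40}$")
OLD_FORMAT = re.compile(r"^[0-9A-Fa-f]{16}$")


def mysql_new_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_old_password(password: str) -> str:
    """Pre-4.1 PASSWORD() (OLD_PASSWORD() in 4.1+): two 31-bit words in hex.

    Spaces and tabs are skipped, as in MySQL's hash_password().  Only the
    low 32 bits of the intermediate values matter, so masking each round
    keeps the Python integers small without changing the result.
    """
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("utf-8"):
        if ch in (0x20, 0x09):
            continue
        nr ^= (((nr & 63) + add) * ch) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += ch
        nr &= 0xFFFFFFFF
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def mysql_password_verify(plaintext: str, stored: str) -> bool:
    """Detect the stored format, recompute, and compare in constant time.

    Anything that is neither format (corrupt row, empty string, NULL
    rendered as text) is rejected rather than guessed at.
    """
    if NEW_FORMAT.match(stored):
        candidate = mysql_new_password(plaintext)
        expected = stored.upper()
    elif OLD_FORMAT.match(stored):
        candidate = mysql_old_password(plaintext)
        expected = stored.lower()
    else:
        return False
    return hmac.compare_digest(candidate.encode("ascii"), expected.encode("ascii"))


def authenticate(user: str, plaintext: str, table=USERS) -> bool:
    """What dovecot's passdb would do with the row: look up, then verify."""
    stored = table.get(user)
    if stored is None:
        return False
    return mysql_password_verify(plaintext, stored)


if __name__ == "__main__":
    for name, pw in [("alice", "mypass"), ("bob", "mypass"), ("alice", "wrong")]:
        print(name, pw, authenticate(name, pw))
```

Both functions need the plaintext from the client, which is the same limitation Jakob notes for CRYPT: this scheme cannot serve CRAM-MD5 or other non-plaintext mechanisms, whichever side of the SQL connection does the hashing.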