[Dovecot] Using pgsql with 'cram-md5 auth' and 'hmac-md5 scheme'
John Peacock
jpeacock at rowman.com
Tue Sep 12 16:11:46 EEST 2006
Jonathan Ballet wrote:
> In fact, it works if I use PLAIN password scheme in my database.
> However, I would like to store them encrypted.
> But, if I replace the password field for my user with {HMAC-MD5}-...
> (the password generated by dovecotpw), it doesn't work.
It is not possible to use the CRAM-MD5 authentication method, unless the
server has the password in plaintext. Here's why[1]:
1) The server generates a *one-time* challenge string and sends it to
the client;
2) The client responds with the username followed by a digest, which is
a HMAC-MD5 hash of the challenge string and the user's password;
3) The server then performs the same HMAC-MD5 hashing of the challenge
string it just sent and the plaintext users password in the database;
4) If and only if the two HMAC-MD5 hashes are equivalent, does the
authentication succeed.
The problem is you have already hashed the password in the database, but
the server does not know what the challenge string that was used (and
unlike crypt, the challenge is not stored as part of the hash). There
is no way to do what you want using CRAM-MD5 (it's one of the serious
design flaws of that method).
HTH
John
1. http://en.wikipedia.org/wiki/CRAM-MD5
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748
More information about the dovecot
mailing list