[Dovecot] [PATCH, RFC] add APOP authentication mechanism

Timo Sirainen tss at iki.fi
Tue Jul 6 09:25:30 EEST 2004


On 6.7.2004, at 08:28, Andrey Panin wrote:

> Problem found: client->auth_id structure passed to 
> auth_client_request_new() isn't
> filled anywhere. Attached patch fixes it, it also fixes dovecot-auth 
> crash when
> username is not found in userdb.
>
> Please consider applying.

Thanks. One thing though:

+		safe_memset((void *) credentials, 0, strlen(credentials));

credentials parameter is a pointer given by passdb. It's const because 
it's not supposed to be modified as it could be a pointer to permanent 
location of the password, as it is with eg. passwd-file. If it's wanted 
to be cleared after use, it's passdb's job. The reason why eg. 
mech-plain does a safe_memset() is because it does a temporary copy of 
the password given by user.

I don't think all passdbs clear the passwords as much as they could, 
maybe I'll look one day and try to get them all cleared. Anyway, 
there's two reasons why the passwords are cleared:

More importantly, the plaintext passwords (and equilevants) sent by 
user should be cleared. The server contains only crypted versions of 
the password, so it's better to avoid leaking the plaintext password as 
much as possible. So if someone cracks the dovecot-auth, the attacker 
don't find lots of plaintext passwords lying around in process memory.

The other reason is just that it's better to avoid storing passwords 
into swap if possible. Although we could do better here too by using 
mlock(). Probably not worth the trouble.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <http://dovecot.org/pipermail/dovecot/attachments/20040706/b8726e18/attachment-0001.bin>


More information about the dovecot mailing list