[Dovecot] Authentication using native MySQL PASSWORD() function

Jakob Hirsch jh at plonk.de
Thu Oct 27 18:02:37 EEST 2005


Timo Sirainen wrote:

>> But if I compile dovecot with --with-mysql, would it not be possible for
>> dovecot to learn the mysql-password() scheme?
> I guess it shouldn't be difficult, if one of the password functions in
> mysql_com.h is the same as the password() function in SQL.

Don't know that, but it's probably a bad idea to do that. The mysql doc
itself says: "Note: The PASSWORD() function is used by the authentication
system in MySQL Server; you should not use it in your own applications.
For that purpose, use MD5() or SHA1() instead."
And there are two different ways mysql stores its passwords: An old one
(pre-4.1, 16 bytes) and a new one (41 bytes, with a leading '*').

I think it would be more flexible (and maybe even easier to implement) to
be able to use the password in a query, like:

SELECT userid as user, password FROM users WHERE userid = '%u' AND
password = '%p'

This way, people can even use

SELECT userid as user, %p AS password FROM users WHERE userid = '%u' AND
password = PASSWORD('%p')

(I hope the substitutions are properly escaped, btw)

This works only when we get the plaintext password from the client,
obviously. But this is also true for CRYPT etc.

Maybe it would be even better/cleaner to be able to use something like

SELECT userid AS user, 1 AS password_ok FROM users WHERE userid = '%u' AND
password = PASSWORD('%p')

So if password_ok is 1 we assume just what it says without further
checking. This is more like a "return the check result" than "return the
password" query then.

Hope this makes at least a little sense...


