Re: [Exim] SMTP authentication with exim

Author: Philip Hazel
Date:  
To: Christi Alice Scarborough
CC: exim-users
Subject: Re: [Exim] SMTP authentication with exim
On Wed, 23 Aug 2000, Christi Alice Scarborough wrote:

> cram:
> driver = cram_md5
> public_name = CRAM-MD5
> server_secret = ${if crypteq{$2}{\{crypt\}${lookup {$1} lsearch{/etc/shadow}{${extract{1}{:}{$value}}} fail } } {secret1} fail }
>
> which I think should do the following. Take the secret string passed
> by the client, containing the username ($1) and password ($2) and extract
> the user's crypted password string from the password file. This should
> then be compared with the value passed by the user.


No, that isn't the way CRAM-MD5 works. What you have described is the
way that LOGIN authentication works. CRAM-MD5 is a completely different
kettle of fish (see chapter 35). You need to have the secret stored *in
plain* on the server. You can't use an encrypted password. The client
doesn't send the secret - it sends an MD5 hash of the challenge string
plus the secret.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.