Re: [Exim] SMTP auth, MySQL & passwords stored in clear

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Konrad Michels
Date:  
À: Jez Hancock
CC: Exim Mailing List
Sujet: Re: [Exim] SMTP auth, MySQL & passwords stored in clear
Hi Jez
Yeah, I tried using the MySQL encode() function to encode the password
when I stored it in the database, but the lookup I have in the
authenticator reads it as plaintext, not as encoded, so authentication
against an encoded password fails . . .

Later
Konrad


On Wed, 2004-01-07 at 16:39, Jez Hancock wrote:
> On Wed, Jan 07, 2004 at 04:20:35PM +0000, Konrad Michels wrote:
> > I've just setup a Exim 4.30 on a linux box, built with AUTH and MYSQL
> > lookups enabled. I've done the configs, and have managed to get plain
> > and login authentication working with the following authenticators:
> <snip>
> > This seems to work fine, except for one thing: the passwords in the
> > database have to be stored in plain text, which is not entirely the best
> > thing. I've been dredging the docs and Google to see if there's some
> > built-in Exim functionality which will let me specify in the lookup that
> > the passwd is encrypted but can't seem to find anything. Any pointers?
> One idea could be to use the MySQL ENCODE() function to encode the
> password strings submitted using a secret key which you'd store in the
> exim config file. If the resulting encoded string matches that stored
> in the db, accept the connection, otherwise deny.
>
> This scheme would obviously require that you ENCODE() the password
> strings in the first place when they're entered into the db originally
> (or subsequently changed), but this would be the same for any other
> hashing method of course :P
>
> Using the MySQL ENCODE() function has the added benefit that you can
> actually DECODE() password strings as well using the secret key -
> a bonus for sending out forgotten passwords.
>
> Just an idea.
>
> The encode/decode functions are detailed here:
>
> http://www.mysql.com/doc/en/Miscellaneous_functions.html
>
> --
> Jez Hancock
> - System Administrator / PHP Developer
>
> http://munk.nu/
> http://jez.hancock-family.com/  - personal weblog
> http://ipfwstats.sf.net/        - ipfw peruser traffic logging

>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##

--
***********************************************************
* Konrad Michels
* IT Manager
* Surfkitchen Limited
* +441189298079
***********************************************************

The information contained in this message is confidential. It is
intended solely for the use of the individual or entity to whom it is
addressed and other authorised to receive it. If the reader of this
message is not the intended recipient, you are hereby notified that any
use, copying, dissemination or disclosure of this information is
strictly prohibited. If you are not the intended recipient, please
delete it immediately and contact the sender by e-mail or telephone.
Internet e-mails are not necessarily secure. SurfKitchen accepts no
responsibility either for breaches of confidence that may arise through
the use of this medium or for changes to any e-mail which occur after
the e-mail has been sent.