On Wed, 2004-01-14 at 00:30, Philip Hazel wrote:
> On Mon, 12 Jan 2004, Nigel Metheringham wrote:
>
> > On Sun, 2004-01-11 at 14:14, Svein E. Seldal wrote:
> > > I dont get it. I have a server with a sendmail MTA. It is able to use
> > > CRAM-MD5 without using having the password available in cleartext. It
> > > reads the /etc/shadow (which IFAIK is one-way hashed, right?). How is
> > > that possible?
> >
> > It cannot be doing this.
>
> ...unless the encrypted password is kept at both ends, in which case the
> encrypted string is essentially being used as the "password". I suppose
> the client could be generating the encrypted string each time, assuming
> it can discover which salt to use.
This simply means that the encrypted password on the server, if
retrieved, can be used in place of the original password - ie it is
plain text password equivalent.
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
