Re: [exim] exim4 calculate cram_md5 for authenticationagains…

Author: Christopher Meadors
Date:  
To: exim-users
Subject: Re: [exim] exim4 calculate cram_md5 for authenticationagainstmysql (smtp_auth)
On Tue, 2008-05-13 at 09:54 +0200, Thomas Baumann wrote:
> I can't believe that it will not be possible.
> If I read the rfc 2195 there is all I need to
> catch the challenge which is sent to the client
> to calculate the answer. Then I can set up a comparison.
>
> Can sb. help me - How can I get the challenge
> in an exim variable?
What you are missing is that to calculate the response and perform a
comparison the server must have access to the actual, plain text
password. So knowing the client's challenge will do no good on its
own.

The reason MD5 (or any one-way hashed) password works is the client
sends a word to the server. The server then scrambles (hashes) that word
in the same way it did when first storing the password locally. If the
word which the client provided when stirred in the same fashion produces
the same result then it was the same word (or a hash collision, but
that's another story).

Somewhere, someone has to have access to the plain text password.
Either the client provides it, and the server hashes it. Or the server
already knows it and helps the client provide a hashed version.
That is the basic truth of password authentication.

Get an SSL cert.

--
Chris
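The point Chris makes above, worked through in code: this is an added illustration, not part of the mailing-list thread and not Exim's own implementation. It follows RFC 2195 (CRAM-MD5 is HMAC-MD5 keyed by the password over a server-generated challenge) and uses the RFC's example challenge, user name and password as constructed inputs. The hostname, the `password_lookup` callback and the dictionary-backed "stores" are assumptions made for the demonstration. The last function shows why a stored MD5 of the password is useless to the verifier: the server can only recompute the response if it holds the plain-text secret.

```python
"""CRAM-MD5 (RFC 2195) from both sides, to show what the verifier needs."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed inputs taken from RFC 2195's worked example.
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC_USER = "tim"
RFC_PASSWORD = "tanstaaftanstaaf"


def make_challenge(hostname="mail.example.invalid"):
    """Server side: a fresh '<nonce.timestamp@host>' challenge per session (hostname assumed)."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def cram_md5_digest(password, challenge):
    """The core of the protocol: HMAC-MD5 keyed by the *plain-text* password over the challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(username, password, challenge):
    """Client side: the response is 'username SP hexdigest'."""
    return f"{username} {cram_md5_digest(password, challenge)}"


def server_verify(response, challenge, password_lookup):
    """Server side: recompute the digest from the stored plain-text password and
    compare in constant time. password_lookup(username) returns the password or None."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = password_lookup(username)
    if password is None:
        return False
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


# What actually crosses the SMTP connection: base64 of the challenge after "334 ",
# then base64 of the client's response line.
def wire_challenge(challenge):
    return "334 " + base64.b64encode(challenge.encode()).decode()


def wire_response(response):
    return base64.b64encode(response.encode()).decode()


def decode_wire(line):
    return base64.b64decode(line.encode()).decode()


def simulate_exchange(username, client_password, password_store):
    """Run one full AUTH CRAM-MD5 round trip against a plain-text password store
    (a dict here, standing in for whatever the MTA queries)."""
    challenge = make_challenge()
    server_line = wire_challenge(challenge)
    # The client sees only the base64 text and derives the response from its password.
    client_line = wire_response(
        client_response(username, client_password, decode_wire(server_line[4:]))
    )
    return server_verify(decode_wire(client_line), challenge, password_store.get)


def verify_against_md5_store(response, challenge, md5_store):
    """The approach from the question: the server holds only md5(password).
    Keying the HMAC with that hash does not reproduce the client's digest, so a
    correct client is rejected; the stored hash cannot stand in for the secret."""
    return server_verify(response, challenge, md5_store.get)


if __name__ == "__main__":
    plain_store = {RFC_USER: RFC_PASSWORD}
    md5_store = {RFC_USER: hashlib.md5(RFC_PASSWORD.encode()).hexdigest()}
    resp = client_response(RFC_USER, RFC_PASSWORD, RFC_CHALLENGE)
    print("plain-text store accepts:", server_verify(resp, RFC_CHALLENGE, plain_store.get))
    print("md5-only store accepts:  ", verify_against_md5_store(resp, RFC_CHALLENGE, md5_store))
    print("full wire round trip:    ", simulate_exchange(RFC_USER, RFC_PASSWORD, plain_store))
```

The `hmac.compare_digest` call and the per-session challenge are the two details a verifier must not skip: a short-circuit string compare leaks timing, and a reused challenge turns a captured response into a replayable credential. Neither changes the conclusion in the reply: the server side of CRAM-MD5 needs the secret itself, which is why a hash-only password table and an encrypted (TLS) connection with PLAIN or LOGIN is the usual answer.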