Re: [exim] Cram authentication and domain-specific password …

Góra strony
Delete this message
Reply to this message
Autor: Jasen Betts
Data:  
Dla: exim-users
Temat: Re: [exim] Cram authentication and domain-specific password file
On 2015-07-01, Jonas Meurer <jonas@???> wrote:
> Hi again,
>
> Am 2015-06-29 22:29, schrieb Evgeniy Berdnikov:
>> On Mon, Jun 29, 2015 at 06:28:07PM +0200, Jonas Meurer wrote:
>>> Nope, I mean the domain part of provided username.
>>
>> Username is saved in $auth1. Clearly documented.
>
> True. My problem was about splitting the username and using part of it
> for the passwd file to look up.
>
>>> If somebody tries to
>>> authenticate as 'user@???', then the password file to lookup
>>> the
>>> credentials is '/etc/vmail/users/domain.org'. This is what I try to
>>> achieve. Is this possible at all?
>>
>> Just split the username string on '@', extract domain and use it.
>
> Ok, got that now. The following statement splits the username on '@'
> and looks up the password for user <LOCALPART> in password file
> /etc/vmail/users/<DOMAIN>:
>
> vmail_auth_cram:
>    server_debug_print = "A: vmail-authenticator cram-md5 for $auth1"
>    driver = cram_md5
>    public_name = CRAM-MD5
>    server_secret = \
>      ${lookup{${extract{1}{@}{$auth1}}} \
>        lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
>        {$value} \
>        fail \
>       }
>    server_set_id = ${extract{1}{@}{$auth1}}

>
> Problem is, that the password needs to be stored unencrypted in the
> password file for that authenticator. Is it possible to use encrypted
> password stores for cram-md5 authenticator, as it is for plain and
> login authenticators?


It's theorecically possible to use a partially hashed password for
checking CRAM authentication but AFAIK Exim does not support this.

AFAICT an attacker knowing the partially hashed password can use it to
authenticate, so only a little obscurity is gained.

--
umop apisdn