checkpw with crypt password (patch)

Chris Ruehl chris.ruehl at xit.com.hk
Tue Jan 8 09:04:34 UTC 2013


Patrick,

I did not see the problem; if you need shared secrets you are not allowed
to use crypt passwords.
This should be more of a documentation issue at this point.


But I need to use SASL for the mentioned constellation (database + Postfix);
it lets me sleep better because a hacker cannot easily get all clients'
mailbox passwords.


Thanks, get back to me.

Chris


On Tuesday, January 08, 2013 04:28 PM, Patrick Ben Koetter wrote:
> This breaks the plugin. It won't be able to process shared secret mechanisms
> anymore.
>
> p at rick
>
> * Chris Ruehl<chris.ruehl at xit.com.hk>:
>> Dear All,
>>
>> I would like to submit to you our patches applied to lib/checkpw.c and lib/Makefile.am.
>>
>> The patches add a crypt() comparison for salted crypt passwords.
>> We use this to allow Postfix, using SASL, to read and validate crypt passwords
>> from a database table (Postgres).
>>
>> Tests were done successfully on Debian Wheezy with the following configuration:
>>
>> /etc/postfix/sasl/smtpd.conf
>> sasl_pwcheck_method: auxprop
>> sasl_auxprop_plugin: pgsql
>> password_format: crypt
>> mech_list: LOGIN PLAIN
>>
>> sql_engine: pgsql
>> sql_user: postfix
>> sql_passwd: *********
>> sql_hostnames: localhost
>> sql_database: *******
>> sql_select: select cryptpw as password from mailacct where account='%u@%r'
>> sql_usessl: no
>>
>>
>> testmaildb=>  SELECT id,account,cryptpw from mailacct where id=1
>> ;
>>    id |        account       |              cryptpw
>> ----+----------------------+------------------------------------
>>     1 | tester at testdom.local | $1$.wMUVvWa$cPWzm5.zHZAqgMBcEC7fA/
>> (1 row)
>>
>>
>> Please review the patch and submit it to your upstream releases.
>>
>> happy new year !
>>
>> Cheers
>> Chris
>>
>> #! /bin/sh /usr/share/dpatch/dpatch-run
>> ## 0038_checkpw_add_cryptcmp.dpatch by<chris.ruehl at xit.com.hk>
>> ##
>> ## All lines beginning with `## DP:' are a description of the patch.
>> ## DP: No description.
>>
>> @DPATCH@
>> diff -urNad cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c.orig cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c
>> --- cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c.orig	2013-01-03 10:14:11.420579153 +0800
>> +++ cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c	2013-01-03 10:22:02.264429733 +0800
>> @@ -94,6 +94,7 @@
>>   # endif
>>   #endif
>>
>> +extern char *crypt();
>>
>>   /* we store the following secret to check plaintext passwords:
>>    *
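Review bot: `+extern char *crypt();` is an old-style declaration with no parameter list, and it re-declares a library function by hand; include the header that provides it instead (`<crypt.h>` on glibc, or `<unistd.h>` with `_XOPEN_SOURCE` defined) so the compiler checks the call against the real prototype. The declaration should also sit behind a configure-time guard (something like `#ifdef HAVE_CRYPT`, name assumed) so that builds on platforms without crypt() are not broken by this hunk.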
>> @@ -184,10 +185,17 @@
>>        * and we've done the auxprop lookup.  This should be easy. */
>>       if(auxprop_values[0].name
>>          &&  auxprop_values[0].values
>> -&&  auxprop_values[0].values[0]
>> -&&  !strcmp(auxprop_values[0].values[0], passwd)) {
>> -	/* We have a plaintext version and it matched! */
>> -	return SASL_OK;
>> +&&  auxprop_values[0].values[0] ) {
>> +
>> +	    if ( !strcmp(auxprop_values[0].values[0], passwd)) {
>> +		    /* We have a plaintext version and it matched! */
>> +		    return SASL_OK;
>> +	    }
>> +	    if ( !strcmp(auxprop_values[0].values[0], crypt(passwd, auxprop_values[0].values[0]))) {
>> +		    /* We have a crypt version and it matched! */
>> +		    return SASL_OK;
>> +	    }
>> +
>>       } else if(auxprop_values[1].name
>>   	&&  auxprop_values[1].values
>>   	&&  auxprop_values[1].values[0]) {
>>
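Review bot: the new call at `if ( !strcmp(auxprop_values[0].values[0], crypt(passwd, auxprop_values[0].values[0])))` does not handle a NULL return. crypt() returns NULL when the stored value is not a salt string it can use (an unknown `$id$` prefix, a malformed salt, or a plaintext secret stored under the same property), and passing NULL to strcmp() crashes the authenticating process; store the result in a local, test it for NULL and treat that as a failed check. Two further points on the same branch: the plaintext strcmp() still runs first, so when the database holds a crypt hash the stored hash string itself satisfies the first comparison; the two comparisons should be selected by the configured password format (or by whether the stored value is a crypt string) rather than both tried unconditionally. And crypt() returns a pointer to a static buffer, so it is not safe in a threaded server linked against libsasl2; prefer crypt_r() where available. Finally, the `-&&  auxprop_values[0].values[0]` and following `-` lines have lost their leading indentation in the mail, so this hunk will not apply as posted; attach the patch as a file.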
>> diff -urNad cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am.patch
>> --- cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am	2013-01-03 12:14:11.000000000 +0800
>> +++ cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am.patch	2013-01-03 12:17:22.392096999 +0800
>> @@ -58,13 +58,14 @@
>>   LTLIBOBJS = @LTLIBOBJS@
>>   LIBOBJS = @LIBOBJS@
>>   LIB_DOOR= @LIB_DOOR@
>> +LIB_CRYPT= @LIB_CRYPT@
>>
>>   lib_LTLIBRARIES = libsasl2.la
>>
>>   libsasl2_la_SOURCES = $(common_sources) $(common_headers)
>>   libsasl2_la_LDFLAGS = -version-info $(sasl_version) -Wl,--version-script=$(top_srcdir)/Versions
>>   libsasl2_la_DEPENDENCIES = $(LTLIBOBJS) $(top_srcdir)/Versions
>> -libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR)
>> +libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR) $(LIB_CRYPT)
>>
>>   if MACOSX
>>   framedir = /Library/Frameworks/SASL2.framework
>>
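Review bot: this Makefile.am hunk is taken against cyrus-sasl2-2.1.25 while the checkpw.c hunk is against 2.1.23, and the `+++` path is `lib/Makefile.am.patch`, so the two pieces do not form one patch that applies to a single tree; regenerate both against the same source with the modified file on the `+++` side. The added `+LIB_CRYPT= @LIB_CRYPT@` also needs a matching configure check (an AC_CHECK_LIB for crypt) that is not part of this patch; without it `LIB_CRYPT` expands to nothing and libsasl2 fails to link on systems where crypt() lives in libcrypt rather than libc.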
>> _______________________________________________
>> Pkg-cyrus-sasl2-debian-devel mailing list
>> Pkg-cyrus-sasl2-debian-devel at lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-sasl2-debian-devel