
Is it possible to use MD5 password encryption to encrypt passwords when using Postfix / SASL and MySQL? Currently, my setup is using the MySQL CRYPT() function, which for various reasons isn't ideal.

mO_odRing
    Technically MD5 is a hash, not an encryption. Encryption implies decryption, which is exactly what hashing algorithms don't do. – quack quixote Dec 06 '09 at 14:35

1 Answer


Yes, it is possible.

I guess you are using libpam-mysql. There is an option you can set named crypt.

auth       optional     pam_mysql.so user=username passwd=password verbose=0 db=thedb table=user usercolumn=userName  passwdcolumn=userPassword crypt=3
account       required     pam_mysql.so user=username passwd=password verbose=0 db=thedb table=user usercolumn=userName  passwdcolumn=userPassword crypt=3

You can also use auth required.

Then crypt your passwords with MD5 in MySQL.

You can find the documentation in the README under /usr/share/doc/libpam-mysql.

I quote a part:

crypt (plain)

The method to encrypt the user's password:

   0 (or "plain") = No encryption.  Passwords stored in plaintext.
                    HIGHLY DISCOURAGED.

   1 (or "Y")     = Use crypt(3) function.

   2 (or "mysql") = Use MySQL PASSWORD() function. It is possible
                    that the encryption function used by PAM-MySQL
                    is different from that of the MySQL server, as
                    PAM-MySQL uses the function defined in MySQL's
                    C-client API instead of using PASSWORD() SQL
                    function in the query.

   3 (or "md5")   = Use plain hex MD5

In the saslauthd config file in Debian you have to set:

MECHANISMS="pam"

I don't know how to set it in another distribution, but the process has to be started like this:

/usr/sbin/saslauthd -a pam

But I guess you already have that.

evildead
  • Additional note: You won't be able to use shared secret password mechanisms like CRAM-MD5 or DIGEST-MD5 with encrypted (or better: hashed) passwords in your database. You can only use plaintext mechanisms like LOGIN or PLAIN. But since you have been using CRYPT() to encrypt passwords in your user database, you probably haven't used those shared secret mechanisms at all. – joschi Nov 06 '09 at 00:29
  • This feels 100% correct. However, after making this change, it seems crypt(3) is still being used. Is there a need to somehow reload the PAM configuration? If no, is there a way to determine whether or not the correct configuration is being used? – mO_odRing Nov 06 '09 at 00:40
  • Yes, if your passwords are still in "crypt" form in your MySQL table, then you should not be able to log in. To get additional info, turn on verbose=1 and look into /var/log/auth.log or something similar on your system. I hope I understood you correctly and your question focused on the right thing. Your passwords in the MySQL table have to be MD5 like now. You must ensure that the backend which controls the password generation is set to md5. crypt is a general program/function to encrypt things; crypt is not bad at all, only the mechanism "crypt" is relatively weak. – evildead Nov 06 '09 at 09:54
  • And again, you have to make two entries in the PAM configuration. I added it to the answer itself. Look above. – evildead Nov 06 '09 at 10:00
  • To be clear, after following your instruction, I cannot authenticate with MD5 encrypted passwords, and can still authenticate with CRYPT()'d passwords. Of course I made sure to change the database values to MD5 hashes. :) I'll try setting the verbose option and checking those logs (I've as of yet been checking only mail.log). Lastly, both of those options are set in the pam config (have been). Thank you very much for walking me through this. I'll post back when I've got more info. – mO_odRing Nov 06 '09 at 21:57
  • I only show you the way to configure PAM to support md5ed passwords. If your passwords in the MySQL table are md5ed you can only auth against them using the md5 mech. Nothing else. I don't understand why you care which function does the hash for you. Crypt() is only a function which supports many encryption mechs, and you asked for md5, so my answer must be the solution if everything is set up properly. I hate to say this, but I hope you know that postfix (in some distributions) runs under chroot, and you have to modify the proper file! Maybe /etc/pam.d/smtp is the totally wrong place. – evildead Nov 07 '09 at 00:02
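The following is an added example, not part of the original question, answer or comments, and not pam_mysql's own code. It reproduces in Python what the two points above amount to on the server side: with crypt=3 the password column holds plain hex MD5, so a PLAIN/LOGIN check is "hash what the client sent and compare with the column"; and, as joschi's comment notes, a shared-secret mechanism such as CRAM-MD5 (RFC 2195) keys an HMAC with the plaintext password, so a server holding only the MD5 of the password cannot reproduce the client's response. The user table, user names and passwords are constructed for this example; the column names only mirror the usercolumn/passwdcolumn names in the PAM lines above.

```python
import hashlib
import hmac

# Constructed sample rows standing in for the MySQL table referenced by the
# PAM lines (usercolumn=userName, passwdcolumn=userPassword). The values are
# plain hex MD5, the form pam_mysql's crypt=3 ("md5") expects in the column.
SAMPLE_USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}


def md5_hex(password: str) -> str:
    """Plain hex MD5 of the password, i.e. what MySQL's MD5() would store."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def check_plain_login(users: dict, username: str, password: str) -> bool:
    """Server-side check for a PLAIN or LOGIN mechanism.

    The client transmitted the password itself, so the server can hash it and
    compare against the stored column. This mirrors crypt=3 behaviour; the
    constant-time compare avoids leaking how many leading hex digits matched.
    """
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(md5_hex(password), stored.lower())


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """CRAM-MD5 client response: HMAC-MD5 keyed with the *plaintext* password."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(secret: str, username: str, challenge: bytes, response: str) -> bool:
    """Server-side CRAM-MD5 verification given whatever secret the server holds.

    Only succeeds when `secret` is the plaintext password; feeding it the stored
    MD5 hex string yields a different HMAC, which is why hashed columns rule
    out shared-secret mechanisms.
    """
    expected = cram_md5_response(username, secret, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed challenge in the RFC 2195 msg-id style.
    challenge = b"<1896.697170952@mail.example>"
    resp = cram_md5_response("alice", "correct horse", challenge)
    print("PLAIN login ok:", check_plain_login(SAMPLE_USERS, "alice", "correct horse"))
    print("CRAM-MD5 with plaintext on server:",
          cram_md5_verify("correct horse", "alice", challenge, resp))
    print("CRAM-MD5 with only MD5 hex on server:",
          cram_md5_verify(SAMPLE_USERS["alice"], "alice", challenge, resp))
```

The last line of the demo is the practical consequence of switching to hashed columns: a client offering CRAM-MD5 or DIGEST-MD5 will fail even with the right password, so the SASL mechanism list has to be restricted to PLAIN/LOGIN, which in turn means the SMTP session should be protected with TLS.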