[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

extra auth patch for checkpassword



Michael has posted my extra authentication patch for checkpassword. It adds the
ability to auth with MD5-encrypted passwords, and plain text passwords in
either PLAIN, APOP, or CRAM-MD5 modes. The patch is available here:

http://qmail-sql.digibel.be/downloads/checkpassword-0.90-sql-0.23-extra-auth-beta1.patch

Since it is has not fully been tested, it is offered as a separate add-on with
a beta status. The patch applies over the checkpassword-0.90-sql-0.23 patch.

Note: If you'd like to utilize the added benefit of APOP or CRAM-MD5, the
passwords in your database need to be plain text. In other words, you can't
just "turn on" APOP support -- you have to update all your passwords first.
Since you're likely currently using crypted passwords, that's usually not
possible without resetting them to a random value or some known default.

Please send any questions to the list and not to me directly.

Here is the README from the patch:

> There are two distinct modes of operation: encrypted and plaintext.
> Encrypted mode requires passwords in the database to be encrypted,
> and plaintext mode requires passwords in the database to be plain
> text. The distinction is important because certain authentication
> mechanisms (like CRAM-MD5 and APOP) require plaintext passwords. The
> options you choose will determine which mode you get. If conflicting
> options are specified, compilation will abort with an error.
>
> Encrypted mode supports two types of authentication: CRYPT and
> MD5_PLAIN. CRYPT mode expects the passwords in your database to be
> hashed with the standard crypt() function. This alone is the default,
> backwards compatible mode. To enable CRYPT authentication, specify
> -DCRYPT in conf-cc.
>
> Encrypted mode also supports MD5_PLAIN authentication. This mode
> expects the passwords in your database to be hashed with the MD5
> algorithm. To enable MD5_PLAIN authentication, specify -DMD5_PLAIN.
>
> If you would like the special combination mode which allows the use
> of both CRYPT and MD5_PLAIN at the same time, specify both -DCRYPT
> and -DMD5_PLAIN. You may mix and match CRYPT and MD5_PLAIN passwords
> in the database, and checkpassword will automatically detect the
> type and utilize the appropriate method.
>
> Plaintext mode supports three types of authentication: PLAIN, APOP,
> and CRAM-MD5. With PLAIN mode, specified by -DPLAIN, authentication
> is performed by a straight string comparison against the stored
> password. If you would like to enable APOP authentication, specify
> -DAPOP. If you would like to enable CRAM-MD5 authentication, specify
> -DCRAM_MD5. Any combination of the three plaintext types is allowed.
> If PLAIN is selected in combination with APOP and/or CRAM-MD5, then
> APOP and/or CRAM-MD5 will be tried first, and failing that, a PLAIN
> check will be made.
>
> Other defines available:
>
> -DSHOW_FAIL
>    Show bad passwords in log when authentication fails.
>
> -DLOG_EMPTY
>    Generate a log entry when an empty password is encountered.
>
> -DDEBUG
>    Show extra authentication information in the log. This includes
>    passwords, so use with care!

Thanks,

-- 
Alex Howansky
Wankwood Associates
http://www.wankwood.com/