# [Solved] :: authmysql password in clear text?

## Ateo

Can authmysql be configured to use an encrypted password? I'm not really comfortable with storing passwords in clear text.

Thanks.

[edit]

I edited the title and this initial post for correctness, as squirrelmail has nothing to do with authentication; the modules do. Oh well, you live, you learn, right? :)

Last edited by Ateo on Sun Feb 13, 2005 8:35 pm; edited 3 times in total

----------

## seank

I thought squirrelmail authenticates you through the IMAP server, so ultimately the IMAP server would be the one storing the passwords. You can set up SSL on squirrelmail too.

----------

## Ateo

Right. I am aware of this. I have set up my server with SSL (I think); however, according to the manual I followed, it still accesses mysql for user information, in which the password is clear text.

I followed this HOWTO:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

----------

## kashani

Forget about squirrelmail, it has nothing to do with this question. 

Your problem is that Mysql has stored the passwords as clear text. You'll need to change all the passwords to an md5 hash or whatnot, change mysql_pam to auth against encrypted passwords, and possibly change courier-imap's config as well.

kashani

----------

## Ateo

 *kashani wrote:*   

> Forget about squirrelmail, it has nothing to do with this question. 
> 
> Your problem is that Mysql has stored the passwords as clear text. You'll need to change all the passwords to an md5 hash or whatnot, change mysql_pam to auth against encrypted passwords, and possibly change courier-imap's config as well.
> 
> kashani

 

Got it. Thanks for the pointers.

----------

## Ateo

I have found 4 files, in total, that would need editing. They are:

```
nano /etc/courier-imap/authmysqlrc

MYSQL_CRYPT_PWFIELD    crypt
#MYSQL_CLEAR_PWFIELD     clear
```

```
nano /etc/pam.d/imap

auth     optional       pam_mysql.so host=localhost db=mailsql user=MY_USER passwd=MYPASS \
    table=users usercolumn=email passwdcolumn=crypt crypt=1
account  required       pam_mysql.so host=localhost db=mailsql user=MY_USER passwd=MYPASS \
    table=users usercolumn=email passwdcolumn=crypt crypt=1
```

I did the same edit to /etc/pam.d/smtp and /etc/pam.d/pop3. I'm not sure what else to edit.

I have 2 password columns for the time being. One in plain text (column named "clear") and one md5 hash (column named "crypt"). I'm also not sure I'm getting the correct md5 hash for the password I choose. I basically grabbed my md5 hashed PW from an existing database and put that into the crypt column. It's a password from a phpbb database which is md5. I'm probably wrong in taking this approach.

I installed =dev-perl/Authen-DigestMD5 to provide SASL DIGEST-MD5 authentication (RFC2831) but I'm not really sure how to implement it.

In any case, I can't authenticate. All works peachy when I use clear text PW.

----------

## justanothergentoofanatic

Did you read the documentation for authmysql? IIRC the hash has to be generated in a special way.

btw- I assume that the user trying to log in is a virtual user, not a system user? CRAM-MD5 won't work with authpam.

-Mike

----------

## Ateo

 *justanothergentoofanatic wrote:*   

> Did you read the documentation for authmysql? IIRC the hash has to be generated in a special way.
> 
> btw- I assume that the user trying to log in is a virtual user, not a system user? CRAM-MD5 won't work with authpam.
> 
> -Mike

 

Both. I have a system user and a virtual user. However, whether it's system or not, authpam still looks into the DB for authentication.

There is this option for password encryption. However, what algorithm is used?

```
##NAME: MYSQL_CRYPT_PWFIELD:0
#
# Either MYSQL_CRYPT_PWFIELD or MYSQL_CLEAR_PWFIELD must be defined.  Both
# are OK too. crypted passwords go into MYSQL_CRYPT_PWFIELD, cleartext
# passwords go into MYSQL_CLEAR_PWFIELD.  Cleartext passwords allow
# CRAM-MD5 authentication to be implemented.

#MYSQL_CRYPT_PWFIELD    crypt
#MYSQL_CRYPT_PWFIELD    passwd

##NAME: MYSQL_CLEAR_PWFIELD:0
#
#
# MYSQL_CLEAR_PWFIELD   clear
MYSQL_CLEAR_PWFIELD     passwd
```

On CRAM-MD5 not working? A limitation or simply not even an option?

Thanks

----------

## justanothergentoofanatic

 *Quote:*   

> Both. I have a system user and a virtual user. However, whether it's system or not, authpam still looks into the DB for authentication. 

 

Right...each authentication module will be tried in turn until all have failed. Virtual users will succeed with authmysql while system users will succeed with authpam.

 *Quote:*   

> There is this option for password encryption. However, what algorithm is used?

 

Again, have you checked the README.authmysql file? I am 99% sure that it is documented in there. I can't check it myself because I don't have authmysql on my system anymore.

 *Quote:*   

> On CRAM-MD5 not working? A limitation or simply not even an option?

 

It's not possible with authpam since PAM cannot accept an MD5-hashed password as input.

-Mike

----------

## Ateo

 *justanothergentoofanatic wrote:*   

> Again, have you checked the README.authmysql file? I am 99% sure that it is documented in there. I can't check it myself because I don't have authmysql on my system anymore.

 

Not yet. But I most definitely will. I basically put this mail project on hold as I tackled implementing a Samba PDC... But I will read it.

 *justanothergentoofanatic wrote:*   

> It's not possible with authpam since PAM cannot accept an MD5-hashed password as input.
> 
> -Mike

 

I misread your initial post. I overlooked unix users vs. virtual users whose PWs are stored in the DB.

Also, all users, unix users or not, authenticate (for email in my setup) against mysql. Of course, they MUST be in database.

Thanks. You've pushed me in the right direction.

----------

## justanothergentoofanatic

I was curious, so I downloaded the courier source and checked the readme. To enable CRAM-MD5 authentication with authmysql, you need to use the cleartext password field.

The module I use, authuserdb, requires that you use an 'intermediate HMAC-MD5 context,' which is apparently reversible anyway, and therefore basically the same as entering a clear text value.

According to courier's author, the CRAM-MD5 protocol requires that the cleartext password be available to the server. I have no idea why this is.

-Mike

----------

## justanothergentoofanatic

 *Quote:*   

> Also, all users, unix users or not, authenticate (for email in my setup) against mysql. Of course, they MUST be in database.

 

That's interesting! But are you sure it's really possible? Don't pam_mysql and courier's authmysql require different database tables and fields? And if they don't, why bother with both modules? Why not stick with authmysql and forget authpam?

 *Quote:*   

> Thanks. You've pushed me in the right direction.

 

No problem!

-Mike

----------

## Ateo

I'm still trying to figure out how to get courier-imap/pop3 to authenticate against MySQL using a crypted password instead of clear text.

Here's the files/configuration I've done thus far with no success:

File: /etc/courier/authlib/authmysql (PWFIELD is the same in the MySQL table)

```
##NAME: MYSQL_CRYPT_PWFIELD:0
#
# Either MYSQL_CRYPT_PWFIELD or MYSQL_CLEAR_PWFIELD must be defined.  Both
# are OK too. crypted passwords go into MYSQL_CRYPT_PWFIELD, cleartext
# passwords go into MYSQL_CLEAR_PWFIELD.  Cleartext passwords allow
# CRAM-MD5 authentication to be implemented.

MYSQL_CRYPT_PWFIELD   crypt

##NAME: MYSQL_CLEAR_PWFIELD:0
#
#
MYSQL_CLEAR_PWFIELD     clear
```

File: /etc/courier/authlib/authdaemonrc:

```
##NAME: authmodulelist:0
#
# The authentication modules that are linked into authdaemond.  The
# default list is installed.  You may selectively disable modules simply
# by removing them from the following list.  The available modules you
# can use are: authcustom authcram authuserdb authmysql authpam

authmodulelist="authmysql authpam authcram"

##NAME: authmodulelistorig:1
#
# This setting is used by Courier's webadmin module, and should be left
# alone

authmodulelistorig="authcustom authcram authuserdb authmysql authpam"
```

File: /etc/pam.d/imap:

```
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=$password table=users usercolumn=email passwdcolumn=crypt crypt=1
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=$password table=users usercolumn=email passwdcolumn=crypt crypt=1
```

File: /etc/pam.d/pop3:

```
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=$password table=users usercolumn=email passwdcolumn=crypt crypt=1
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=$password table=users usercolumn=email passwdcolumn=crypt crypt=1
```

File: /etc/pam.d/smtp (this probably has no influence on imap/pop3 authentication):

```
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=$password table=users usercolumn=email passwdcolumn=crypt crypt=1
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=$password table=users usercolumn=email passwdcolumn=crypt crypt=1
```

Here's an error that probably contributes to authentication failure: When I restart courier-authlib with authcram support, my log reports that libauthcram.so doesn't exist.

```
Feb 13 11:57:44 shadow authdaemond: stopping authdaemond children
Feb 13 11:57:45 shadow authdaemond: modules="authmysql authpam authcram", daemons=5
Feb 13 11:57:45 shadow authdaemond: Installing libauthmysql
Feb 13 11:57:45 shadow authdaemond: Installation complete: authmysql
Feb 13 11:57:45 shadow authdaemond: Installing libauthpam
Feb 13 11:57:45 shadow authdaemond: Installation complete: authpam
Feb 13 11:57:45 shadow authdaemond: Installing libauthcram
Feb 13 11:57:45 shadow authdaemond: libauthcram.so: cannot open shared object file: No such file or directory
```

I did compile courier-authlib with crypt support:

```
root@shadow authlib # emerge courier-authlib -pv

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-libs/courier-authlib-0.53  -berkdb +crypt -debug -gdbm -ldap +mysql +pam -postgres (-uclibc) 0 kB
```

First and foremost, I need to figure out why libauthcram.so appears not to exist. In addition, am I taking the correct approach? The above files are the files to configure right? I'm pretty sure yes since all I'm really doing is re-configuring password information. Any pointers?

Also, assuming I ever get this implemented, what method do I employ to create a crypted password? I'm only familiar with how php takes a word and creates an MD5 hash but I'm pretty sure the concept of creating a crypted password is the same:

```
$pw = md5('plain_word');
```

----------

## j-m

You should read /usr/share/doc/courier-imap-4.0.1/INSTALL.gz

 *Quote:*   

> CRAM-MD5 AUTHENTICATION
> 
>    CRAM-MD5 authentication allows IMAP clients to authenticate themselves
> ...

 

Summary: it will work for you out-of-the-box with MySQL if you have the passwords stored in clear text.

----------

## Ateo

Ok.

So after reading that, I want to be sure I understand it as passwords ARE stored in MySQL as plain text and this works fine.

So does courier-imap temporarily "crypt" the password when you hit submit (to log in, say, via squirrelmail) and then "un-crypt" it before comparing the password?

Example:

type password --> submit --> courier crypts the PW --> travels over medium --> courier un-crypts the PW back to plain text --> courier authenticates against MySQL.

Is that how it works "out of the box"? (hopefully I made sense)...

----------

## j-m

 *Ateo wrote:*   

> So does courier-imap temporarily "crypt" the password when you hit submit (to log in, say, via squirrelmail) and then "un-crypt" it before comparing the password?
> 
> Example:
> ...

 

1. See RFC 2195

2. By "out-of-the-box" I mean that you just need authmysql.
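As an added illustration of the RFC 2195 exchange j-m points to (this is example code, not from the thread, courier or authmysql): the client answers the server's challenge with HMAC-MD5 keyed by the password, and the server can only check that answer if it holds the password itself or a precomputed HMAC context derived from it, which is why authmysql reads the clear-text field for CRAM-MD5 and why a one-way hash in the crypt column cannot serve. The challenge, user and secret are the RFC's own worked example; the server-side secret table is constructed.

```python
import base64
import hashlib
import hmac

# Constructed inputs: the worked example from RFC 2195 section 2, so the
# digest can be checked against the value printed in the RFC.
RFC_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC_USER = "tim"
RFC_SECRET = b"tanstaaftanstaaf"

# Constructed server-side store of clear-text secrets, the role played by
# authmysql's MYSQL_CLEAR_PWFIELD column when CRAM-MD5 is in use.
STORED_SECRETS = {RFC_USER: RFC_SECRET}


def hmac_md5_contexts(secret):
    """Build the 'intermediate HMAC-MD5 contexts': the RFC 2104 inner and
    outer MD5 states with the padded key already absorbed. A server can keep
    these instead of the clear-text secret, but they are password-equivalent:
    whoever holds them can answer any challenge."""
    key = secret if len(secret) <= 64 else hashlib.md5(secret).digest()
    key = key.ljust(64, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer

def digest_from_contexts(inner, outer, challenge):
    """Finish the HMAC for one challenge; copies keep the stored states reusable."""
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()

def client_response(user, secret, challenge):
    """Client side: HMAC-MD5(secret, challenge), sent as base64('user hexdigest')."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_verify(response_b64, challenge, secrets=STORED_SECRETS):
    """Server side: recompute the digest from the stored secret and compare in
    constant time. md5(password) or crypt(password) cannot produce this digest."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = digest_from_contexts(*hmac_md5_contexts(secret), challenge)
    return hmac.compare_digest(expected, digest)
```

Note that the password itself never travels over the wire in this exchange, but the server still has to hold something equivalent to it.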

----------

## Ateo

Thanks for linking me to that RFC. I wouldn't have thought to take a look at that. It answered everything for me.....

----------

