| rev |
line source |
|
yuuji@0
|
1 /* ========================================================================
|
|
yuuji@0
|
2 * Copyright 1988-2006 University of Washington
|
|
yuuji@0
|
3 *
|
|
yuuji@0
|
4 * Licensed under the Apache License, Version 2.0 (the "License");
|
|
yuuji@0
|
5 * you may not use this file except in compliance with the License.
|
|
yuuji@0
|
6 * You may obtain a copy of the License at
|
|
yuuji@0
|
7 *
|
|
yuuji@0
|
8 * http://www.apache.org/licenses/LICENSE-2.0
|
|
yuuji@0
|
9 *
|
|
yuuji@0
|
10 *
|
|
yuuji@0
|
11 * ========================================================================
|
|
yuuji@0
|
12 */
|
|
yuuji@0
|
13
|
|
yuuji@0
|
14 MD5 Based Authentication
|
|
yuuji@0
|
15 Mark Crispin
|
|
yuuji@0
|
16 1 November 1999
|
|
yuuji@0
|
17
|
|
yuuji@0
|
18
|
|
yuuji@0
|
19 The IMAP toolkit makes available two MD5 based authentication
|
|
yuuji@0
|
20 mechanisms, CRAM-MD5 and APOP. CRAM-MD5 is described in RFC 2195, and
|
|
yuuji@0
|
21 is a SASL (RFC 2222) authentication mechanism. APOP is described in
|
|
yuuji@0
|
22 RFC 1939, the standard document for the POP3 protocol.
|
|
yuuji@0
|
23
|
|
yuuji@0
|
24 These mechanisms use the same general idea. The server issues a
|
|
yuuji@0
|
25 challenge; the client responds with an MD5 checksum of the challenge
|
|
yuuji@0
|
26 plus the password; the server in compares the client's response with
|
|
yuuji@0
|
27 its own calculated value of the checksum. If the client's response
|
|
yuuji@0
|
28 matches the server's calulated value, the client is authenticated.
|
|
yuuji@0
|
29
|
|
yuuji@0
|
30 Unlike plaintext passwords, this form of authentication is
|
|
yuuji@0
|
31 believed to be secure against the session being monitored; "sniffing"
|
|
yuuji@0
|
32 the session will not disclose the password nor will it provide usable
|
|
yuuji@0
|
33 information to authenticate in another session without knowing the
|
|
yuuji@0
|
34 password.
|
|
yuuji@0
|
35
|
|
yuuji@0
|
36 The key disadvantage with this form of authentication is that the
|
|
yuuji@0
|
37 server must know a plaintext form of the password. In traditional
|
|
yuuji@0
|
38 UNIX authentication, the server only knows an encrypted form of the
|
|
yuuji@0
|
39 password. Consequently, the authentication database for this form of
|
|
yuuji@0
|
40 authentication must be kept strictly confidential; a bad guy who
|
|
yuuji@0
|
41 acquires access to this database can access any account in the
|
|
yuuji@0
|
42 database.
|
|
yuuji@0
|
43
|
|
yuuji@0
|
44 CRAM-MD5 client support is implemented unconditionally; any
|
|
yuuji@0
|
45 client application built with the IMAP toolkit will use CRAM-MD5 with
|
|
yuuji@0
|
46 any server which advertises CRAM-MD5 SASL support.
|
|
yuuji@0
|
47
|
|
yuuji@0
|
48 CRAM-MD5 and APOP server support is implemented if, and only if,
|
|
yuuji@0
|
49 the CRAM-MD5 authentication database exists. By default, the CRAM-MD5
|
|
yuuji@0
|
50 authentication database is in a UNIX file called
|
|
yuuji@0
|
51 /etc/cram-md5.pwd
|
|
yuuji@0
|
52 It is recommended that this file be protected 0400.
|
|
yuuji@0
|
53
|
|
yuuji@0
|
54 NOTE: FAILURE TO PROTECT THIS FILE AGAINST UNAUTHORIZED
|
|
yuuji@0
|
55 ACCESS WILL COMPROMSE CRAM-MD5 AND APOP AUTHENTICATION
|
|
yuuji@0
|
56 FOR ALL USERS LISTED IN THIS DATABASE.
|
|
yuuji@0
|
57
|
|
yuuji@0
|
58 If the CRAM-MD5 authentication database exists, then plaintext
|
|
yuuji@0
|
59 password authentication (e.g. the LOGIN command) will also use the
|
|
yuuji@0
|
60 CRAM-MD5 passwords instead of UNIX passwords. Alternatively, it is
|
|
yuuji@0
|
61 possible to build the IMAP toolkit so that plaintext password
|
|
yuuji@0
|
62 authentication is disabled entirely, by using PASSWDTYPE=nul, e.g.
|
|
yuuji@0
|
63 make aix PASSWDTYPE=nul
|
|
yuuji@0
|
64
|
|
yuuji@0
|
65
|
|
yuuji@0
|
66 The CRAM-MD5 authentication database file consists of a series of
|
|
yuuji@0
|
67 text lines, consisting of a UNIX user name, a single tab, and the
|
|
yuuji@0
|
68 password. A line starting with a "#" character is ignored, as are any
|
|
yuuji@0
|
69 lines which are not in valid format. For example:
|
|
yuuji@0
|
70
|
|
yuuji@0
|
71 ------------------------------Sample------------------------------
|
|
yuuji@0
|
72 # CRAM-MD5 authentication database
|
|
yuuji@0
|
73 # Entries are in form <user><tab><password>
|
|
yuuji@0
|
74 # Lines starting with "#" are comments
|
|
yuuji@0
|
75
|
|
yuuji@0
|
76 bill hubba-hubba
|
|
yuuji@0
|
77 hillary nysenator
|
|
yuuji@0
|
78 monica beret
|
|
yuuji@0
|
79 tripp wired
|
|
yuuji@0
|
80 kenstarr inquisitor
|
|
yuuji@0
|
81 reno waco
|
|
yuuji@0
|
82 jessie thebody
|
|
yuuji@0
|
83 billgates ruleworld
|
|
yuuji@0
|
84 ------------------------------Sample------------------------------
|
|
yuuji@0
|
85
|
|
yuuji@0
|
86 Every entry in the CRAM-MD5 authentication database must have a
|
|
yuuji@0
|
87 corresponding entry in the /etc/passwd file. It is STRONGLY
|
|
yuuji@0
|
88 RECOMMENDED that the CRAM-MD5 password NOT be the same as the
|
|
yuuji@0
|
89 /etc/passwd password. It is permitted for the /etc/passwd password to
|
|
yuuji@0
|
90 be disabled; /etc/passwd is just used to get the UID, GID, and home
|
|
yuuji@0
|
91 directory information.
|
