imapext-2007

diff docs/md5.txt @ 0:ada5e610ab86

imap-2007e
author yuuji@gentei.org
date Mon, 14 Sep 2009 15:17:45 +0900
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/docs/md5.txt	Mon Sep 14 15:17:45 2009 +0900
     1.3 @@ -0,0 +1,91 @@
     1.4 +/* ========================================================================
     1.5 + * Copyright 1988-2006 University of Washington
     1.6 + *
     1.7 + * Licensed under the Apache License, Version 2.0 (the "License");
     1.8 + * you may not use this file except in compliance with the License.
     1.9 + * You may obtain a copy of the License at
    1.10 + *
    1.11 + *     http://www.apache.org/licenses/LICENSE-2.0
    1.12 + *
    1.13 + * 
    1.14 + * ========================================================================
    1.15 + */
    1.16 +
    1.17 +		       MD5 Based Authentication
    1.18 +			     Mark Crispin
    1.19 +			   1 November 1999
    1.20 +
    1.21 +
    1.22 +     The IMAP toolkit makes available two MD5 based authentication
    1.23 +mechanisms, CRAM-MD5 and APOP.  CRAM-MD5 is described in RFC 2195, and
    1.24 +is a SASL (RFC 2222) authentication mechanism.  APOP is described in
    1.25 +RFC 1939, the standard document for the POP3 protocol.
    1.26 +
    1.27 +     These mechanisms use the same general idea.  The server issues a
    1.28 +challenge; the client responds with an MD5 checksum of the challenge
    1.29 +plus the password; the server in compares the client's response with
    1.30 +its own calculated value of the checksum.  If the client's response
    1.31 +matches the server's calulated value, the client is authenticated.
    1.32 +
    1.33 +     Unlike plaintext passwords, this form of authentication is
    1.34 +believed to be secure against the session being monitored; "sniffing"
    1.35 +the session will not disclose the password nor will it provide usable
    1.36 +information to authenticate in another session without knowing the
    1.37 +password.
    1.38 +
    1.39 +     The key disadvantage with this form of authentication is that the
    1.40 +server must know a plaintext form of the password.  In traditional
    1.41 +UNIX authentication, the server only knows an encrypted form of the
    1.42 +password.  Consequently, the authentication database for this form of
    1.43 +authentication must be kept strictly confidential; a bad guy who
    1.44 +acquires access to this database can access any account in the
    1.45 +database.
    1.46 +
    1.47 +     CRAM-MD5 client support is implemented unconditionally; any
    1.48 +client application built with the IMAP toolkit will use CRAM-MD5 with
    1.49 +any server which advertises CRAM-MD5 SASL support.
    1.50 +
    1.51 +     CRAM-MD5 and APOP server support is implemented if, and only if,
    1.52 +the CRAM-MD5 authentication database exists.  By default, the CRAM-MD5
    1.53 +authentication database is in a UNIX file called
    1.54 +	/etc/cram-md5.pwd
    1.55 +It is recommended that this file be protected 0400.
    1.56 +
    1.57 +	NOTE: FAILURE TO PROTECT THIS FILE AGAINST UNAUTHORIZED
    1.58 +	ACCESS WILL COMPROMSE CRAM-MD5 AND APOP AUTHENTICATION
    1.59 +	FOR ALL USERS LISTED IN THIS DATABASE.
    1.60 +
    1.61 +     If the CRAM-MD5 authentication database exists, then plaintext
    1.62 +password authentication (e.g. the LOGIN command) will also use the
    1.63 +CRAM-MD5 passwords instead of UNIX passwords.  Alternatively, it is
    1.64 +possible to build the IMAP toolkit so that plaintext password
    1.65 +authentication is disabled entirely, by using PASSWDTYPE=nul, e.g.
    1.66 +	make aix PASSWDTYPE=nul
    1.67 +
    1.68 +
    1.69 +     The CRAM-MD5 authentication database file consists of a series of
    1.70 +text lines, consisting of a UNIX user name, a single tab, and the
    1.71 +password.  A line starting with a "#" character is ignored, as are any
    1.72 +lines which are not in valid format.  For example:
    1.73 +
    1.74 +------------------------------Sample------------------------------
    1.75 +# CRAM-MD5 authentication database
    1.76 +# Entries are in form <user><tab><password>
    1.77 +# Lines starting with "#" are comments
    1.78 +
    1.79 +bill	hubba-hubba
    1.80 +hillary	nysenator
    1.81 +monica	beret
    1.82 +tripp	wired
    1.83 +kenstarr	inquisitor
    1.84 +reno	waco
    1.85 +jessie	thebody
    1.86 +billgates	ruleworld
    1.87 +------------------------------Sample------------------------------
    1.88 +
    1.89 +     Every entry in the CRAM-MD5 authentication database must have a
    1.90 +corresponding entry in the /etc/passwd file.  It is STRONGLY
    1.91 +RECOMMENDED that the CRAM-MD5 password NOT be the same as the
    1.92 +/etc/passwd password.  It is permitted for the /etc/passwd password to
    1.93 +be disabled; /etc/passwd is just used to get the UID, GID, and home
    1.94 +directory information.
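Review bot: three typos in the added text should be fixed before this lands: "the server in compares the client's response" should read "the server compares the client's response", "calulated" should be "calculated", and "COMPROMSE" in the capitalised NOTE should be "COMPROMISE". The recommendation "It is recommended that this file be protected 0400" says nothing about who must own /etc/cram-md5.pwd; since 0400 only grants read access to the owner, the text should state the expected owner (the identity under which the server reads the file), otherwise the file is either unreadable by the server or readable by an account that should not see it. The Sample block is also worth labelling as illustrative only, because it shows real-looking user names beside plaintext passwords, which is exactly the material the NOTE above it warns must be kept confidential.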
