imapext-2007
diff docs/md5.txt @ 0:ada5e610ab86
imap-2007e
| author | yuuji@gentei.org |
|---|---|
| date | Mon, 14 Sep 2009 15:17:45 +0900 |
| parents | |
| children | |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/docs/md5.txt Mon Sep 14 15:17:45 2009 +0900 1.3 
@@ -0,0 +1,91 @@ 1.4 +/* ======================================================================== 1.5 + * Copyright 1988-2006 University of Washington 1.6 + * 1.7 + * Licensed under the Apache License, Version 2.0 (the "License"); 1.8 + * you may not use this file except in compliance with the License. 1.9 + * You may obtain a copy of the License at 1.10 + * 1.11 + * http://www.apache.org/licenses/LICENSE-2.0 1.12 + * 1.13 + * 1.14 + * ======================================================================== 1.15 + */ 1.16 + 1.17 + MD5 Based Authentication 1.18 + Mark Crispin 1.19 + 1 November 1999 1.20 + 1.21 + 1.22 + The IMAP toolkit makes available two MD5 based authentication 1.23 +mechanisms, CRAM-MD5 and APOP. CRAM-MD5 is described in RFC 2195, and 1.24 +is a SASL (RFC 2222) authentication mechanism. APOP is described in 1.25 +RFC 1939, the standard document for the POP3 protocol. 1.26 + 1.27 + These mechanisms use the same general idea. The server issues a 1.28 +challenge; the client responds with an MD5 checksum of the challenge 1.29 +plus the password; the server in compares the client's response with 1.30 +its own calculated value of the checksum. If the client's response 1.31 +matches the server's calulated value, the client is authenticated. 1.32 + 1.33 + Unlike plaintext passwords, this form of authentication is 1.34 +believed to be secure against the session being monitored; "sniffing" 1.35 +the session will not disclose the password nor will it provide usable 1.36 +information to authenticate in another session without knowing the 1.37 +password. 1.38 + 1.39 + The key disadvantage with this form of authentication is that the 1.40 +server must know a plaintext form of the password. In traditional 1.41 +UNIX authentication, the server only knows an encrypted form of the 1.42 +password. 
Consequently, the authentication database for this form of 1.43 +authentication must be kept strictly confidential; a bad guy who 1.44 +acquires access to this database can access any account in the 1.45 +database. 1.46 + 1.47 + CRAM-MD5 client support is implemented unconditionally; any 1.48 +client application built with the IMAP toolkit will use CRAM-MD5 with 1.49 +any server which advertises CRAM-MD5 SASL support. 1.50 + 1.51 + CRAM-MD5 and APOP server support is implemented if, and only if, 1.52 +the CRAM-MD5 authentication database exists. By default, the CRAM-MD5 1.53 +authentication database is in a UNIX file called 1.54 + /etc/cram-md5.pwd 1.55 +It is recommended that this file be protected 0400. 1.56 + 1.57 + NOTE: FAILURE TO PROTECT THIS FILE AGAINST UNAUTHORIZED 1.58 + ACCESS WILL COMPROMSE CRAM-MD5 AND APOP AUTHENTICATION 1.59 + FOR ALL USERS LISTED IN THIS DATABASE. 1.60 + 1.61 + If the CRAM-MD5 authentication database exists, then plaintext 1.62 +password authentication (e.g. the LOGIN command) will also use the 1.63 +CRAM-MD5 passwords instead of UNIX passwords. Alternatively, it is 1.64 +possible to build the IMAP toolkit so that plaintext password 1.65 +authentication is disabled entirely, by using PASSWDTYPE=nul, e.g. 1.66 + make aix PASSWDTYPE=nul 1.67 + 1.68 + 1.69 + The CRAM-MD5 authentication database file consists of a series of 1.70 +text lines, consisting of a UNIX user name, a single tab, and the 1.71 +password. A line starting with a "#" character is ignored, as are any 1.72 +lines which are not in valid format. 
For example: 1.73 + 1.74 +------------------------------Sample------------------------------ 1.75 +# CRAM-MD5 authentication database 1.76 +# Entries are in form <user><tab><password> 1.77 +# Lines starting with "#" are comments 1.78 + 1.79 +bill hubba-hubba 1.80 +hillary nysenator 1.81 +monica beret 1.82 +tripp wired 1.83 +kenstarr inquisitor 1.84 +reno waco 1.85 +jessie thebody 1.86 +billgates ruleworld 1.87 +------------------------------Sample------------------------------ 1.88 + 1.89 + Every entry in the CRAM-MD5 authentication database must have a 1.90 +corresponding entry in the /etc/passwd file. It is STRONGLY 1.91 +RECOMMENDED that the CRAM-MD5 password NOT be the same as the 1.92 +/etc/passwd password. It is permitted for the /etc/passwd password to 1.93 +be disabled; /etc/passwd is just used to get the UID, GID, and home 1.94 +directory information.
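Review bot: the new text carries three typos that should be fixed before this lands: "the server in compares the client's response" should read "the server then compares the client's response", "calulated value" should be "calculated value", and the capitalised warning "WILL COMPROMSE CRAM-MD5 AND APOP" should be "WILL COMPROMISE CRAM-MD5 AND APOP". On substance, the paragraph claiming that sniffing "will not disclose the password" should carry the caveat that a captured challenge/response pair can still be checked offline against password guesses, so the later advice that the CRAM-MD5 password differ from the /etc/passwd password, and that /etc/cram-md5.pwd be mode 0400, is what actually limits the damage and reads better stated next to that claim rather than several paragraphs later. The sentence "plaintext password authentication (e.g. the LOGIN command) will also use the CRAM-MD5 passwords" is also worth a line of explanation, since it means the plaintext file becomes the credential store for LOGIN as well, not only for the challenge/response mechanisms.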