Rob Siemborski wrote:

> No, it is not possible to use CRAM-MD5 (or DIGEST-MD5) with
> pwcheck/saslauthd, because the mechanism needs to be able to compute the
> secret which is used from the plaintext. saslauthd and pwcheck both will
> only verify a password (as in, return 'YES' or 'NO'), they will not return
> the password itself (or a secret) which is what is necessary to
> authenticate the user.

That makes perfect sense, Rob--thanks.

How about a pwcheck-style socket hook for challenge-response style protocols, where the shared secret is sent to the socket with the user name, and the daemon is responsible for sending back the password encoded with the secret appropriately? This would be ideal for our site where we store all our user details in a DB, and already run daemons that do exactly this for other protocols that use challenge-response.

If you provide the hook in SASL, I'd be happy to add the code to my pwcheck-perl framework so that people can easily use it.

PS: Would you like me to put this suggestion in Bugzilla?
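
The limitation quoted above and the hook proposed in this message, sketched as an added example that is not part of the original email and is not Cyrus SASL or pwcheck-perl code. The function names, the in-memory user table and the shape of the hook (user name and challenge in, expected digest out) are assumptions; the account and challenge are the sample values from RFC 2195.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the site's user database. The account and the
# challenge below are the sample values from RFC 2195.
USER_DB = {"tim": b"tanstaaftanstaaf"}
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def verify_only(user, password):
    """pwcheck/saslauthd-style check: answers YES/NO, never returns a secret."""
    stored = USER_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def daemon_expected_digest(user, challenge):
    """Hypothetical challenge-response hook: the daemon holds the secret and
    returns HMAC-MD5(secret, challenge) as hex, or None for an unknown user."""
    secret = USER_DB.get(user)
    if secret is None:
        return None
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def client_response(user, password, challenge):
    """What a CRAM-MD5 client sends: base64("user hexdigest"), no password."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(user.encode() + b" " + digest.encode())


def server_check(response, challenge):
    """Server side: parse the response and compare against the daemon's digest."""
    try:
        raw = base64.b64decode(response, validate=True)
        user, digest = raw.rsplit(b" ", 1)
        expected = daemon_expected_digest(user.decode(), challenge)
    except ValueError:  # bad base64, missing separator, or non-UTF-8 user name
        return False
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), digest.lower())


if __name__ == "__main__":
    resp = client_response("tim", b"tanstaaftanstaaf", CHALLENGE)
    print(server_check(resp, CHALLENGE))  # challenge-response hook path
    print(verify_only("tim", resp))       # YES/NO check has no password to test
```

The server only ever receives the digest, so the YES/NO interface has nothing it can be handed to verify, while the hook keeps the secret inside the daemon and exposes only the per-challenge digest.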