
List:       exim-users
Subject:    Re: [exim] plaintext server_condition
From:       Agusti <xarxes () in ! ilimit ! es>
Date:       2005-05-31 17:04:21
Message-ID: 200505311904.21091.xarxes () in ! ilimit ! es

I would try to generate crypt passwords for everybody, you can crypt the ones 
that aren't (the other way back would be difficult...).
And I think having all passwords crypted will be more serious...

On Tuesday 31 May 2005 17:07, Tony Finch wrote:
> On Tue, 31 May 2005, Gall Anonim wrote:
> > I have such a problem, that I need to authenticate my users from mysql
> > database, some of them have password stored in plaintext. Others have
> > crypted. Now I need to authenticate them all, and I can't separate with
> > usernames. I need to migrate service and it has to be done
> > transparently.
>
> Try a plaintext match and if that fails try a crypt match? Horribly
> insecure (it makes crypted passwords equivalent to plaintext passwords
> because you can type in your crypted password to authenticate yourself)
> but it will allow you to migrate to all-crypted, at which point you can
> turn off the plaintext matching. If you're using a modern crypt() you can
> improve the security by checking the format of the stored password and
> not allowing plaintext matches for passwords that appear to be crypted.
>
> Tony.
> --
> <fanf@exim.org>   <dot@dotat.at>   http://dotat.at/   ${sg{\N${sg{\
> N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
> \N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}

-- 
Agustí Rivero
xarxes@in.ilimit.es
Telf. 902 36 14 84

Ilimit Comunicacions
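
Added example, not part of the original thread and not Exim configuration: a sketch of the two checks discussed above (plaintext-then-crypt fallback versus a format check on the stored value) plus the offline "crypt the ones that aren't" migration. It assumes a PBKDF2-based `$pbkdf2$salt$digest` string as a stand-in for crypt(); all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Stand-in for a modern crypt() string: "$pbkdf2$<salt hex>$<digest hex>".
# The format and all names here are assumptions made for this example.
HASH_RE = re.compile(r"^\$pbkdf2\$([0-9a-f]{32})\$([0-9a-f]{64})$")
ROUNDS = 100_000

def _digest(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()

def make_hash(password: str) -> str:
    salt = os.urandom(16)
    return f"$pbkdf2${salt.hex()}${_digest(password, salt)}"

def looks_hashed(stored: str) -> bool:
    return HASH_RE.match(stored) is not None

def hash_matches(password: str, stored: str) -> bool:
    m = HASH_RE.match(stored)
    if m is None:
        return False
    return hmac.compare_digest(_digest(password, bytes.fromhex(m.group(1))), m.group(2))

def plain_matches(password: str, stored: str) -> bool:
    return hmac.compare_digest(password.encode(), stored.encode())

def naive_check(password: str, stored: str) -> bool:
    # Plaintext match, then hash match: a stored hash is itself accepted as a password.
    return plain_matches(password, stored) or hash_matches(password, stored)

def format_aware_check(password: str, stored: str) -> bool:
    # Values that look hashed are never compared as plaintext.
    if looks_hashed(stored):
        return hash_matches(password, stored)
    return plain_matches(password, stored)

def migrate_table(table: dict) -> dict:
    # Offline migration: hash every value that is still plaintext, keep the rest.
    return {u: s if looks_hashed(s) else make_hash(s) for u, s in table.items()}

if __name__ == "__main__":
    bob_hash = make_hash("s3cret")                      # constructed sample data
    users = {"alice": "hunter2", "bob": bob_hash}
    print("naive accepts stored hash:", naive_check(bob_hash, users["bob"]))
    print("format-aware accepts it:  ", format_aware_check(bob_hash, users["bob"]))
    users = migrate_table(users)
    print("all hashed after migration:", all(map(looks_hashed, users.values())))
```

Once `migrate_table` has been run over every row, the plaintext branch in `format_aware_check` is never reached and can be removed.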
