[Web-cyradm] User authentication is ignored!
Jan Scholten
Jammer at gmx.de
Tue Oct 30 20:40:09 CET 2007
I can't reproduce..
I can somehow see another problem:
User: test.domain.de
pass: test.domain.de
# testsaslauthd -u test.domain.de -p test.domain.de
0: OK "Success."
# testsaslauthd -u test.domain.de -p test.domain.d
0: OK "Success."
# testsaslauthd -u test.domain.de -p test.domain.
0: OK "Success."
# testsaslauthd -u test.domain.de -p test
0: NO "authentication failed"
# testsaslauthd -u test.domain.de -p test.do
0: NO "authentication failed"
# testsaslauthd -u test.domain.de -p test.dom
0: OK "Success."
Seems like it is only validating the first 8 chars?
I cannot authenticate with an arbitrary password, and your suggested change did not change anything
(for me)
Jan
> Solved by changing:
> auth sufficient pam_mysql.so user=postfix passwd=postfix
> host=localhost db=mail table=accountuser usercolumn=username
> passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg
> logusercolumn=user loghostcolumn=host logpidcolumn=pid
> logtimecolumn=time
> to:
> auth required pam_mysql.so user=postfix passwd=postfix
> host=localhost db=mail table=accountuser usercolumn=username
> passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg
> logusercolumn=user loghostcolumn=host logpidcolumn=pid
> logtimecolumn=time
> I suggest that everyone should have a look at this since it appears to
> be a serious security issue.
> On 10/29/07, Marcel Hartmann <mail at marcel-hartmann.com> wrote:
>> Sorry, I mean the saslauthd! Not postfix!
>>
>> Regards
>> Marcel
--
If you live by the sword, you'll die by the knife.
Kind regards
Jan Scholten
mailto:Jammer at gmx.de
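
The prefix test from Jan's transcript, automated as an added example (not part of the original message or of web-cyradm): it reports the shortest prefix of a known password that the backend still accepts. The AUTH_CMD variable and the function name are assumptions of this example; acceptance at exactly eight characters is what traditional DES-based crypt(3) produces, since it uses only the first eight characters of a password.

```shell
#!/bin/sh
# Added example, not from the original thread.
# AUTH_CMD is an assumption of this example: any command that accepts
# "-u USER -p PASS" and prints a line containing ": OK" on success,
# as testsaslauthd does in the transcript above.
AUTH_CMD=${AUTH_CMD:-testsaslauthd}

# shortest_accepted_prefix USER PASSWORD
# Tries every prefix of PASSWORD, shortest first, and prints the length
# of the first one the backend accepts (0 if none is accepted).
# Return status:
#   0  only the full password is accepted (no truncation)
#   1  a shorter prefix is accepted (backend truncates or ignores input)
#   2  even the full password is rejected (wrong credentials or backend down)
shortest_accepted_prefix() {
    user=$1
    pass=$2
    full=${#pass}
    n=1
    while [ "$n" -le "$full" ]; do
        # POSIX sh has no substring expansion, so take the prefix with cut.
        prefix=$(printf '%s' "$pass" | cut -c "1-$n")
        if $AUTH_CMD -u "$user" -p "$prefix" 2>/dev/null | grep -q ': OK'; then
            printf '%s\n' "$n"
            [ "$n" -eq "$full" ] && return 0
            return 1
        fi
        n=$((n + 1))
    done
    printf '0\n'
    return 2
}

# Usage with the account from the transcript:
#   shortest_accepted_prefix test.domain.de test.domain.de
```

Each probe is a real authentication attempt, so run it against a test account; with the logtable option shown in the quoted PAM line, the failed attempts will appear in the log table.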