Cyrus-SASL patches

Patches written by Branko F. Gracnar

Branko's site includes a patch which can be used to store crypt'd passwords in sql databases for Cyrus SASL (or, to be precise you can store crypt'd passwords in any auxprop backend). The patch's biggest problem is that you have to configure the type of password encoding for all records globally. So it is not usable in changeover situation, when you want to change the password crypt mechanism on a system slowly without bothering users. However the other patch, namely sql_verbose is quite good if you hate the too verbose sasl log messages on a production system.

My own patches

AuxCrypt patch

I needed a patch, which supports a lot more encoding types (namely those that OpenLDAP supports) simultaneously. So I've written one. It can be used with crypt'd (orig un*x or MD5), MD5, SMD5, SHA1, SSHA or plain text passwords too. With it you don't have to change all the passwords of your users when you migrate for example from an OpenLDAP+Courier config to an SQL+Cyrus (because you want performance, security and clarity, right ;-) ).

The trick is to embed the encoding of the password to the beginning of the stored ciphertext. For example 'foobar' encoded with traditional unix crypt is '{CRYPT}I8wBo3nJ1ux.2'. The prefix is not case-sensitive. This is the same storage format, as OpenLDAP's, so large part of the patch is simply reuse of the saslauthd's LDAP mech.

Prefix Encoding Salt
{crypt} or {unix} Operating system's crypt(3) call, modern GNU/Linux systems also supports MD5 encoding this way salted
{md5} Ldap's md5 encoding not salted
{smd5} Ldap's salted md5 encoding salted
{sha} Ldap's sha1 encoding not salted
{ssha} Ldap's salted sha1 encoding salted
no prefix cleartext not salted

Download: AuxCrypt patch for Cyrus SASL 2.1.19 or above.

$ wget http://.../cyrus-sasl...tgz
$ wget
$ tar xvfz cyrus-sasl-....tgz
$ cd cyrus-sasl-...
$ cat ../cyrus-sasl-auxcrypt.patch | patch -p1
$ aclocal -I cmulocal -I config
$ automake
$ autoconf
$ ./configure
$ make

Please note that you have to install OpenSSL (devel things too!) before compilation if you want support for SHA, SSHA, MD5 and SMD5; without it, only unix crypt(3)'d passwords will be handled as special, and everything else will be compared as text.

Update: new version available, fixing OpenSSL initialization and compatible with Cyrus SASL 2.1.22, even if OTP is not used.

Download: AuxCrypt patch for Cyrus SASL 2.1.22 or above.