Posted on 2007-3-12 00:42
Cyrus SASL with MySQL Encrypted Passwords on FreeBSD
Updates:
20061204 - Confirmed to work on Cyrus SASL 2.1.21 with Cyrus IMAPD 2.3.1 on
FreeBSD 6.1-RELEASE on i386 and amd64 platform.
20061203 - After forgetting to do some redirecting, the site has been down
without my knowledge. The redirect to viperstrike.com to this
location, readaccess.com, should be working. My apologies.
20060125 - Confirmed to work on Cyrus SASL 2.1.21 with Cyrus IMAPD 2.3.1 on
FreeBSD 6.0-RELEASE on amd64 platform. Currently setting it up on
i386 platform. Once finished, I will update site.
20051214 - Due to many requests, I have created a Linux version of the patch.
The link to the patch is in the "Install this Patch" section.
NOTE that the Linux version does not read blowfish encrypted
passwords. Also note, I have not extensively tested this with
Linux, but it appears to work.
20050113 - Thanks to A. Oberritter, I fixed a stupid memory leak in the patch.
Can't believe it has been in the patch for this long.
20041009 - Confirmed to work on Cyrus SASL 2.1.19 with Cyrus IMAPD 2.2.8 on FreeBSD 4.9 and 4.10
20041008 - Patch has been updated to include checking blowfish encrypted passwords.
20040415 - updated to 2.1.17 on FreeBSD-4.9. If you are looking for the old version, it's HERE!!
20040415 - This should work w/ SASL 2.1.18 as well
If you had to make any other changes or got this to work on any other platform/OS, please let me know so I can share it here.
Purpose: In this document, I will detail how I altered and installed Cyrus SASL to authenticate by using encrypted passwords from MySQL. I only needed a FreeBSD machine to have this capability, so I have no clue if this will work on other operating systems. The passwords are encrypted in MySQL using one of the following two forms:
ENCRYPT("passwordhere","$1$mFeTJdKh$")
ENCRYPT("passwordhere")
The first one encrypts in MD5 format, the default format that FreeBSD 4.9 uses to store its passwords in the /etc/master.passwd file. The second argument in the MD5 form is the salt (the seed); it must have the form "$1$xxxxxxxx$". The second one is in DES format, the old default format that FreeBSD used. Both formats are valid in FreeBSD 4.9. The reason I mention this is to show how easy it is to seed MySQL with users who already have accounts on your FreeBSD system: just copy the encrypted password into MySQL and you don't have to worry about users needing to reset their passwords to update MySQL. The patch I have provided can deal with both formats, and it now can deal with the blowfish (blf) format as well.
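As an added illustration (my own code, not the author's patch or the Cyrus SASL sql plugin), this is what the verification step has to do for the MD5 form: re-run the crypt(3) MD5 algorithm with the salt taken from the stored value and compare the result in constant time. The salt "$1$mFeTJdKh$" and the test user's password are the page's; the three-way format check mirrors the MD5/DES/blowfish cases the patch distinguishes, and the DES sample hash is a constructed value.

```python
# Added example, not the page's patch: verify a password against the crypt(3)
# MD5 hash that MySQL ENCRYPT(pw, "$1$xxxxxxxx$") stores, in pure Python.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt's own base64 variant: 6 bits per character, least significant first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5_crypt(password, salt):
    """FreeBSD MD5-crypt ($1$); salt may be "$1$xxxxxxxx$" or a whole stored hash."""
    pw = password.encode()
    raw = salt[3:] if salt.startswith("$1$") else salt
    sp = raw.split("$")[0][:8].encode()          # at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for plen in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, plen)])
    i = len(pw)
    while i:                                     # mix in the bits of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    f = ctx.digest()
    for i in range(1000):                        # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else f)
        if i % 3: c.update(sp)
        if i % 7: c.update(pw)
        c.update(f if i & 1 else pw)
        f = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    enc += _to64(f[11], 2)
    return "$1$" + sp.decode() + "$" + enc

def hash_scheme(stored):
    # The patch has to recognise all three formats the page mentions
    if stored.startswith("$1$"): return "md5"
    if stored.startswith(("$2$", "$2a$")): return "blowfish"
    return "des" if len(stored) == 13 else "unknown"

def verify_password(candidate, stored):
    """Re-hash with the stored salt and compare in constant time; MD5 only here."""
    if hash_scheme(stored) != "md5":
        return False                             # DES/blowfish need crypt(3)
    return hmac.compare_digest(md5_crypt(candidate, stored), stored)
```

A stored MD5 row is therefore verified by feeding the whole column value back in as the salt; a DES or blowfish row must go through the system crypt(3), which is why the Linux variant of the patch that lacks blowfish support cannot check those rows.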
Sources you will need: Cyrus-Sasl 2.1.21
Assumptions:
- You should have MySQL up and running.
- My 'configure' settings have BerkeleyDB 4.4.20 (SleepyCat) installed.
- You should have Cyrus IMAPD 2.3.1 installed using SASL. It should also work with 2.2.8 and above, but don't hold me to that.
Step 1 - Install this patch: After unzipping and untarring the source, cd into the source and run the patch:
# tar xzvf cyrus-sasl-2.1.21.tar.gz
# cd cyrus-sasl-2.1.21
# patch < /tmp/patch (or wherever you downloaded the patch)
For all you Linux folks who asked for this, here ya go: Install this patch:
# tar xzvf cyrus-sasl-2.1.21.tar.gz
# cd cyrus-sasl-2.1.21
# patch < /tmp/patch-linux (or wherever you downloaded the patch)
Step 2 - Run 'configure' with certain C flags: Use the following C flags and settings. (Obviously, not all of these will be the same for you, so alter settings and paths according to your setup.) I normally put this in a file and then run 'sh filename':
env \
CPPFLAGS="-I/usr/local/services/mysql/include/mysql \
-I/usr/local/devel/db/include" \
LDFLAGS="-L/usr/local/services/mysql/lib/mysql \
-R/usr/local/services/mysql/lib/mysql \
-L/usr/local/devel/db/lib \
-R/usr/local/devel/db/lib \
-ldb -lmysqlclient -lcrypt -ldb" \
./configure \
--prefix=/usr/local/services/cyrus_sasl-2.1.21 \
--disable-cmulocal \
--enable-sample \
--enable-static=no \
--enable-shared=yes \
--enable-fast-install=yes \
--without-gnu-ld \
--disable-libtool-lock \
--enable-staticdlopen=no \
--without-purecov \
--without-purify \
--enable-java=no \
--with-javabase=no \
--without-dbpath \
--with-dblib=none \
--with-bdb-libdir=/usr/local/devel/db/lib \
--with-bdb-incdir=/usr/local/devel/db/include \
--with-gdbm=no \
--with-pam=no \
--with-saslauthd=no \
--with-pwcheck=no \
--with-ipctype=unix \
--disable-alwaystrue \
--disable-checkapop \
--disable-cram \
--with-des=yes \
--disable-digest \
--with-openssl=/usr/local/devel/openssl \
--disable-otp \
--with-opie=no \
--disable-srp \
--disable-srp-setpass \
--disable-krb4 \
--disable-gssapi \
--enable-plain \
--disable-anon \
--disable-login \
--disable-ntlm \
--with-ldap=no \
--enable-sql \
--with-mysql=/usr/local/services/mysql \
--with-plugindir=/usr/local/services/cyrus_sasl-2.1.21/plugins \
--with-rc4 \
--without-dmalloc \
--without-sfio
Step 3 - make, make install and other commands
These next commands help with ldconfig if you chose to locate SASL in the same prefix as I, '/usr/local/services/cyrus_sasl-2.1.21':
# cd [your prefix dir]
# ln -vs ./lib/sasl2 plugins
# cd lib
# ln -vs sasl2/* .
# ldconfig -m [prefix]/lib
And don't forget to add your prefix to the ldconfig section of /etc/rc.conf.
Step 4 - Use with Cyrus IMAPD: To have Cyrus IMAPD authenticate through the patched SQL plugin, add the following lines to your imapd.conf file:
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: mysql
sasl_mech_list: login plain
sasl_sql_hostnames: localhost
sasl_sql_user: cyrus
sasl_sql_passwd: YourPassWordHere
sasl_sql_database: userdatabase
sasl_sql_verbose: yes
sasl_sql_select: SELECT password FROM accounts WHERE userid = '%u'
Step 5 - Testing with Cyrus IMAPD: To test whether it worked, start the imapd server (master) and run the following commands to connect to the IMAP server. If it installed correctly, you should get the following output:
# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK anyuniversity.com Cyrus IMAP4 v2.2.3 server ready
o login testuser testpassword <-- YOUR INPUT
o OK User logged in
o logout <-- YOUR INPUT
* BYE LOGOUT received
o OK Completed
Connection closed by foreign host.
If problems occurred, check your MySQL access (query) logs to see which SQL statement, if any, was sent.
Addendum:
Mon Apr 21 09:40:49 PDT 2003 - An anonymous email sent to me stated that it was bad that I didn't include a way to have it check for plain text passwords. I didn't include this because I am never going to store plain text passwords in my MySQL database. That would break quite a bit of other services on my systems.
Mon Aug 9 00:23:35 PDT 2004 - It's my standard practice to never store passwords or search for passwords in clear-text anywhere on any of the systems I work with.
http://www.readaccess.co ... sasl-mysql-encrypt/
Conclusion:
A note on the patch: The patch makes use of strlcpy. This may be a FreeBSD thing, and the OS you are using may not know of this function. If so, just replace it with strncpy.
You may have noticed that I used the 'PLAIN' authentication. This is used in conjunction with TLS/SSL. I HIGHLY SUGGEST YOU DO THE SAME TO PREVENT PLAIN TEXT PASSWORDS FROM CROSSING THE NET. You never know who's looking until it's too late.
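Added configuration example, not from the original document: the imapd.conf settings (Cyrus IMAPD 2.2/2.3 option names) that make the server withhold PLAIN until a TLS layer is negotiated, so the PLAIN-plus-TLS pairing above is enforced rather than left to the client. The certificate and key paths are placeholders.

```conf
# Added example (not the page's): only offer PLAIN once the session is encrypted
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_mech_list: plain
# With allowplaintext off, the server does not advertise PLAIN (and shows
# LOGINDISABLED) until the client has issued STARTTLS
allowplaintext: no
# Placeholder paths: point these at your real server certificate and key
tls_cert_file: /path/to/imap-cert.pem
tls_key_file: /path/to/imap-key.pem
```

With this in place the telnet test in Step 5 will be refused on the plain port until STARTTLS is issued; use an SSL-capable client (or the imaps port) to repeat the login test.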
This is what I got to work for me. If you are still having problems, or you have questions about this doc, just let me know.