has the clear field in the user table been obsoleted


Matt Darcy

Sep 7, 2015, 4:53:47 PM
to vexim
I've migrated users from a much older vexim build to a new current vexim build.

The siteadmin user has a "clear" entry in the user table, but all the other users have a "NULL" entry in the clear field; they do have a crypt entry.

I can see the logic behind this, as storing the password in clear text is a risk, but is this now a hardcoded option that clear is not used by design?

Thanks,

Matt

Rimas Kudelis

Sep 8, 2015, 2:25:12 PM
to ve...@googlegroups.com
Hi Matt!

Yes, this is by design. The idea is that if you absolutely have to use
the clear-text field for some kind of auth, then having an encrypted version
of it as well adds very little value, while on the other hand storing
the password in clear-text when all you use is the encrypted version is
not desirable at all. You can configure Vexim to store unencrypted
passwords in the crypt field now, if that is what you need.

Btw siteadmin shouldn't have the clear field filled in either, although
I guess we haven't updated our db dump to not include it yet...

Hope this helps,
Rimas
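
An added example, not part of the thread or of Vexim's own code: a read-only audit of a migrated user table that reports rows whose clear field is still populated and rows whose crypt field does not look like a crypt(3) hash, without ever printing a password value. The table name `users`, the `username` column, the SQLite stand-in database and the sample rows are assumptions made for illustration.

```python
import re
import sqlite3

# crypt(3) modular-format prefixes; anything else is reported as unrecognised.
SCHEMES = [
    (re.compile(r"^\$1\$"), "md5-crypt"),
    (re.compile(r"^\$2[aby]\$"), "bcrypt"),
    (re.compile(r"^\$5\$"), "sha256-crypt"),
    (re.compile(r"^\$6\$"), "sha512-crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt"),
]

def classify(crypt_value):
    """Name the hash scheme of a crypt field value, or flag it."""
    if not crypt_value:
        return "empty"
    for pattern, name in SCHEMES:
        if pattern.search(crypt_value):
            return name
    return "unrecognised"  # may be an unencrypted password

def audit(conn):
    """Return (username, finding) pairs for rows that need attention."""
    findings = []
    # Assumed schema: table `users` with username, clear and crypt columns.
    rows = conn.execute("SELECT username, clear, crypt FROM users")
    for username, clear, crypt in rows:
        if clear is not None and clear != "":
            findings.append((username, "clear field populated"))
        scheme = classify(crypt)
        if scheme in ("empty", "unrecognised"):
            findings.append((username, f"crypt field: {scheme}"))
    return findings

def sample_db():
    """Constructed sample data, not taken from a real Vexim install."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, clear TEXT, crypt TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("siteadmin", "CHANGE", "$1$abcdefgh$0123456789abcdefghijk."),
        ("alice@example.org", None, "$6$saltsalt$" + "x" * 86),
        ("bob@example.org", None, "hunter2"),
    ])
    return conn

if __name__ == "__main__":
    for user, finding in audit(sample_db()):
        print(f"{user}: {finding}")
```

A 13-character alphanumeric plain-text password is indistinguishable from a traditional DES crypt value by shape alone, so `des-crypt` results on a migrated table still need a manual look.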


Matt Darcy

Sep 9, 2015, 8:28:46 AM
to vexim
This is very useful stuff; it means I'll have to re-write the Dovecot or Courier interface scripts from the old vexim cookbook, as they rely on that clear field to auth. So it's good to find this out now and fix it sooner rather than later.

Would it not be wise to actually remove the "clear" field totally from the db dump? As you say, it looks like siteadmin is the only thing that gets populated into the clear field, so it doesn't look like there is a lot to pull.

Good feedback, thank you.

Avleen Vig

Sep 9, 2015, 8:51:40 AM
to Matt Darcy, vexim

Very nice folks!

I think as a medium term plan, removing clear as a field is good from a security perspective. Everything should work without it. And if not, we should ask why not :)

Rimas Kudelis

Sep 11, 2015, 2:48:31 PM
to ve...@googlegroups.com
Hi all,

heads up: I've just merged a PR which removes the clear field and makes
the crypt field bigger (this is needed to accommodate passwords
encrypted using more advanced ciphers).

Clear field is now officially dead! :)

Rimas

Avleen Vig

Sep 11, 2015, 10:34:55 PM
to Rimas Kudelis, ve...@googlegroups.com
YEAH!!!

Rimas ftw :-