File: spec_37.html

exim-html 3.20-1
<HTML>
<HEAD>
<!-- This HTML file has been created by texi2html 1.52
     from spec on 25 November 2000 -->

<TITLE>Exim Specification - 37. The cram_md5 authenticator</TITLE>
</HEAD>
<body bgcolor="#FFFFFF" text="#00005A" link="#FF6600" alink="#FF9933" vlink="#990000">
Go to the <A HREF="spec_1.html">first</A>, <A HREF="spec_36.html">previous</A>, <A HREF="spec_38.html">next</A>, <A HREF="spec_59.html">last</A> section, <A HREF="spec_toc.html">table of contents</A>.
<P><HR><P>


<H1><A NAME="SEC766" HREF="spec_toc.html#TOC766">37. The cram_md5 authenticator</A></H1>
<P>
<A NAME="IDX1696"></A>
The CRAM-MD5 authentication mechanism is described in RFC 2195. The server
sends a `challenge' string to the client, and the response consists of a `user
name' and the CRAM-MD5 digest of the challenge string combined with a secret
string (password) which is known to both server and client. Thus the secret
does not get sent over the network as plain text, which makes this
authenticator more secure than <EM>plaintext</EM>.

</P>

<P>



<H2><A NAME="SEC767" HREF="spec_toc.html#TOC767">37.1 Using cram_md5 as a server</A></H2>

<P>
This authenticator has one server option, which must be set to configure the
authenticator as a server.

</P>

<P>

<P>
<A NAME="IDX1697"></A>


<H3><A NAME="SEC768" HREF="spec_toc.html#TOC768">server_secret (cram_md5)</A></H3>

<P>
Type: string, expanded<BR>
Default: unset

</P>
<P>
When the server receives the client's response, the `user name' is placed in
the expansion variable $<EM>1</EM>, and <EM>server_secret</EM> is expanded to obtain the
password for that user. The server then computes the CRAM-MD5 digest that the
client should have sent, and checks that it received the correct string. If the
expansion of <EM>server_secret</EM> is forced to fail, authentication fails. If the
expansion fails for some other reason, a temporary error code is returned to
the client.

</P>

<P>
For example, the following authenticator checks that the user name given by the
client is `ph10', and if so, uses `secret' as the password. For any other user
name, authentication fails. A more sophisticated version might look up the
secret string in a file, using the user name as the key.

<PRE>
fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${if eq{$1}{ph10}{secret}fail}
  server_set_id = $1
</PRE>

<P>
If authentication succeeds, the setting of <EM>server_set_id</EM> preserves the user
name in $<EM>authenticated_id</EM>.

</P>



<H2><A NAME="SEC769" HREF="spec_toc.html#TOC769">37.2 Using cram_md5 as a client</A></H2>

<P>
When used as a client, the <EM>cram_md5</EM> authenticator has two options:

</P>

<P>

<P>
<A NAME="IDX1698"></A>


<H3><A NAME="SEC770" HREF="spec_toc.html#TOC770">client_name (cram_md5)</A></H3>

<P>
Type: string, expanded<BR>
Default: the primary host name

</P>
<P>
This string is expanded, and the result used as the `user name' data when
computing the response to the server's challenge.

</P>
<P>
<A NAME="IDX1699"></A>


<H3><A NAME="SEC771" HREF="spec_toc.html#TOC771">client_secret (cram_md5)</A></H3>

<P>
Type: string, expanded<BR>
Default: unset

</P>
<P>
This option must be set for the authenticator to work as a client. Its value is
expanded and the result used as the secret string when computing the response.

</P>

<P>
Different user names and secrets can be used for different servers by referring
to $<EM>host</EM> or $<EM>host_address</EM> in the options.

</P>
<P>
Forced failure of either expansion string is treated as an indication that this
authenticator is not prepared to handle this case. Exim moves on to the next
configured client authenticator. Any other expansion failure causes Exim to
give up trying to send the message to the current server.

</P>
<P>
A simple example configuration of a <EM>cram_md5</EM> authenticator, using fixed
strings, is:

<PRE>
fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ph10
  client_secret = secret
</PRE>
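<P>
As an added worked example (not from the Exim specification or the Exim source), the following Python shows both halves of the exchange described in this chapter: the client's response built from the challenge, user name and secret, and the server's check, with a dictionary standing in for the expanded <EM>server_secret</EM> so that an unknown user name behaves like a forced expansion failure. The host name and the secret table are constructed values.
</P>

```python
"""CRAM-MD5 (RFC 2195) client response and server-side check, written to
follow the cram_md5 behaviour described above (added example, not Exim code)."""
import base64
import hashlib
import hmac
import os
import time
from typing import Mapping, Optional


def make_challenge(hostname: str) -> bytes:
    """Server challenge in the msg-id form RFC 2195 uses: <random.time@host>."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(challenge: bytes, user: str, secret: str) -> bytes:
    """What the client sends back: base64("user" SP hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(challenge: bytes, response_b64: bytes,
                  secrets: Mapping[str, str]) -> Optional[str]:
    """Check a response the way the server option does: split out the user
    name ($1), look up that user's secret (the role server_secret plays),
    recompute the digest and compare.  Returns the id to keep as
    $authenticated_id on success, None on failure."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None                 # malformed response: treat as failure
    user, sep, sent_digest = decoded.partition(" ")
    if not sep:
        return None
    secret = secrets.get(user)
    if secret is None:
        return None                 # forced failure of server_secret -> auth fails
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    # constant-time compare so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected, sent_digest):
        return None
    return user


if __name__ == "__main__":
    # Constructed secret table standing in for ${if eq{$1}{ph10}{secret}fail}
    table = {"ph10": "secret"}
    chal = make_challenge("mail.example.com")
    print(server_verify(chal, client_response(chal, "ph10", "secret"), table))
```

<P>
Because the server has to recompute the HMAC, <EM>server_secret</EM> must yield the password itself rather than a hash of it, so the file or lookup it reads from needs the same protection as the password.
</P>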

</BODY>
</HTML>