exim-doc-4.69-4mdv2010.0.i586.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html401/loose.dtd">
<html>
<!-- Created on September, 10 2009 by texi2html 1.78 -->
<!--
Written by: Lionel Cons <Lionel.Cons@cern.ch> (original author)
            Karl Berry  <karl@freefriends.org>
            Olaf Bachmann <obachman@mathematik.uni-kl.de>
            and many others.
Maintained by: Many creative people.
Send bugs and suggestions to <texi2html-bug@nongnu.org>

-->
<head>
<title>Specification of the Exim Mail Transfer Agent: 35. The cram_md5 authenticator</title>

<meta name="description" content="Specification of the Exim Mail Transfer Agent: 35. The cram_md5 authenticator">
<meta name="keywords" content="Specification of the Exim Mail Transfer Agent: 35. The cram_md5 authenticator">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="texi2html 1.78">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
pre.display {font-family: serif}
pre.format {font-family: serif}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: serif; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: serif; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.roman {font-family:serif; font-weight:normal;}
span.sansserif {font-family:sans-serif; font-weight:normal;}
ul.toc {list-style: none}
-->
</style>


</head>

<body lang="en" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">

<a name="The-cram_005fmd5-authenticator"></a>
<a name="SEC285"></a>
<h1 class="chapter"> 35. The cram_md5 authenticator </h1>

<p>The CRAM-MD5 authentication mechanism is described in RFC 2195. The server
sends a challenge string to the client, and the response consists of a user
name and the CRAM-MD5 digest of the challenge string combined with a secret
string (password) which is known to both server and client. Thus, the secret
is not sent over the network as plain text, which makes this authenticator more
secure than <code>plaintext</code>. However, the downside is that the secret has to be
available in plain text on both the server and the client.
</p>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top"><a href="#SEC286">35.1 Using cram_md5 as a server</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top"><a href="#SEC287">35.2 Using cram_md5 as a client</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
</table>

<hr size="6">
<a name="Using-cram_005fmd5-as-a-server"></a>
<a name="SEC286"></a>
<h2 class="section"> 35.1 Using cram_md5 as a server </h2>

<p>This authenticator has one server option, which must be set to configure the
authenticator as a server:
</p>
<a name="IDX2438"></a>

<table>
<tr><td>
<p><code>server_secret</code></p></td><td><p> Use: <em>cram_md5</em></p></td><td><p> Type: <em>string</em>*</p></td><td><p> Default: <em>unset</em>
</p></td></tr>
</table>

<a name="IDX2439"></a>
<p>When the server receives the client's response, the user name is placed in
the expansion variable <code>$auth1</code>, and <code>server_secret</code> is expanded to
obtain the password for that user. The server then computes the CRAM-MD5 digest
that the client should have sent, and checks that it received the correct
string. If the expansion of <code>server_secret</code> is forced to fail, authentication
fails. If the expansion fails for some other reason, a temporary error code is
returned to the client.
</p>
<p>For compatibility with previous releases of Exim, the user name is also placed
in <code>$1</code>. However, the use of this variable for this purpose is now
deprecated, as it can lead to confusion in string expansions that also use
numeric variables for other things.
</p>
<p>For example, the following authenticator checks that the user name given by the
client is &quot;ph10&quot;, and if so, uses &quot;secret&quot; as the password. For any other
user name, authentication fails.
</p>
<table><tr><td>&nbsp;</td><td><pre class="example">fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${if eq{$auth1}{ph10}{secret}fail}
  server_set_id = $auth1
</pre></td></tr></table>

<a name="IDX2440"></a>
<p>If authentication succeeds, the setting of <code>server_set_id</code> preserves the user
name in <code>$authenticated_id</code>. A more typical configuration might look up the
secret string in a file, using the user name as the key. For example:
</p>
<table><tr><td>&nbsp;</td><td><pre class="example">lookup_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup{$auth1}lsearch{/etc/authpwd}\
                  {$value}fail}
  server_set_id = $auth1
</pre></td></tr></table>

<p>Note that this expansion explicitly forces failure if the lookup fails
because <code>$auth1</code> contains an unknown user name.
</p>
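<p>The server-side check described in this section, as an added Python sketch that is not part of the Exim specification or Exim's own code. It assumes a simplified <code>key: data</code> reading of the lsearch file, embeds a constructed sample table using the RFC 2195 test account, and uses hypothetical function names; an unknown user returns <code>None</code>, mirroring the forced failure in <code>lookup_cram</code>.
</p>

```python
import base64
import hashlib
import hmac

# Constructed sample standing in for /etc/authpwd (simplified lsearch format).
# The single entry is the test account from RFC 2195.
AUTHPWD = """\
# user: secret
tim: tanstaaftanstaaf
"""

def lookup_secret(user, table=AUTHPWD):
    """Simplified lsearch: return the data for `user`, or None (the 'fail' branch)."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key.strip() == user:
            return value.strip()
    return None

def cram_md5_digest(secret, challenge):
    """HMAC-MD5 of the challenge keyed with the shared secret, as lowercase hex."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def client_response(user, secret, challenge_b64):
    """What a client sends back: base64 of 'user<space>digest'."""
    challenge = base64.b64decode(challenge_b64).decode()
    reply = f"{user} {cram_md5_digest(secret, challenge)}"
    return base64.b64encode(reply.encode()).decode()

def server_verify(challenge, response_b64):
    """Return the authenticated user name, or None if authentication fails."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, digest = decoded.rpartition(" ")   # user plays the role of $auth1
    secret = lookup_secret(user)                  # plays the role of server_secret
    if not sep or secret is None:
        return None
    expected = cram_md5_digest(secret, challenge)
    return user if hmac.compare_digest(expected.encode(), digest.encode()) else None
```

<p>Both functions need the secret itself to compute the digest, which is why the table has to hold it in plain text.
</p>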
<hr size="6">
<a name="Using-cram_005fmd5-as-a-client"></a>
<a name="SEC287"></a>
<h2 class="section"> 35.2 Using cram_md5 as a client </h2>

<p>When used as a client, the <code>cram_md5</code> authenticator has two options:
</p>
<a name="IDX2441"></a>

<table>
<tr><td>
<p><code>client_name</code></p></td><td><p> Use: <em>cram_md5</em></p></td><td><p> Type: <em>string</em>*</p></td><td><p> Default: <em>the primary host name</em>
</p></td></tr>
</table>

<p>This string is expanded, and the result used as the user name data when
computing the response to the server's challenge.
</p>
<a name="IDX2442"></a>

<table>
<tr><td>
<p><code>client_secret</code></p></td><td><p> Use: <em>cram_md5</em></p></td><td><p> Type: <em>string</em>*</p></td><td><p> Default: <em>unset</em>
</p></td></tr>
</table>

<p>This option must be set for the authenticator to work as a client. Its value is
expanded and the result used as the secret string when computing the response.
</p>
<a name="IDX2443"></a>
<a name="IDX2444"></a>
<p>Different user names and secrets can be used for different servers by referring
to <code>$host</code> or <code>$host_address</code> in the options. Forced failure of either
expansion string is treated as an indication that this authenticator is not
prepared to handle this case. Exim moves on to the next configured client
authenticator. Any other expansion failure causes Exim to give up trying to
send the message to the current server.
</p>
<p>A simple example configuration of a <code>cram_md5</code> authenticator, using fixed
strings, is:
</p>
<table><tr><td>&nbsp;</td><td><pre class="example">fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ph10
  client_secret = secret
</pre></td></tr></table>

<a name="IDX2445"></a>
<a name="IDX2446"></a>

<hr size="6">
<p>
 <font size="-1">
  This document was generated on <i>September, 10 2009</i> using <a href="http://www.nongnu.org/texi2html/"><i>texi2html 1.78</i></a>.
 </font>
 <br>

</p>
</body>
</html>