Cyrus saslauthd shadow

Grant Delaney Grant.Delaney at rackspace.co.uk
Fri Aug 26 11:10:23 EDT 2011


Hi All

I have found an issue with saslauthd: it appears to let a user authenticate with any password if the user's password is blank in the /etc/shadow file, on the smtp service.

Environment:

Opensuse 11.4
rpm -qa cyrus-sasl
cyrus-sasl-2.1.23-15.1.x86_64

#/etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=shadow

# id sasltest
uid=1001(sasltest) gid=100(users) groups=33(video),100(users)


# testsaslauthd -u sasltest -p test  -s smtp
0: OK "Success."

# testsaslauthd -u sasltest -p wrongtest  -s smtp
0: NO "authentication failed"

# grep sasltest /etc/shadow
sasltest:$2y$10$RlSnCi99SDDFguMNk.rhcurpXphwm.NA9121vnVFi5RqzgmruFKye:15212:0:99999:7:::

Now if I remove the password in the shadow file.

# grep sasltest /etc/shadow
sasltest::15212:0:99999:7:::

# testsaslauthd -u sasltest -p test  -s smtp
0: OK "Success."

# testsaslauthd -u sasltest -p wrongtest  -s smtp
0: OK "Success."

# testsaslauthd -u sasltest -p icanputanythingIwanthere  -s smtp
0: OK "Success."

Is this the expected result when using shadow as the auth mech?

I know the solution is not to use blank passwords, but I would expect it to fail because you supplied a password when it does not have one, or to not allow a blank password. I recently had a customer being used as a spam relay because of this. I have already explained that blank passwords are a bad idea.

Regards
Grant



Grant Delaney
Linux Administrator III
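The report above shows saslauthd with SASLAUTHD_AUTHMECH=shadow accepting any password for an account whose shadow password field is empty. Whatever saslauthd does internally with that field (the post does not show the code), the operational control on the administrator's side is to make sure no account that a mail service can authenticate has an empty field. The following is an added shell audit, not part of the original post or of cyrus-sasl, that reads a shadow(5)-format file and reports accounts with empty, locked and usable password fields. The sample file content is constructed here, and its hash strings are placeholders, not real credentials.

```shell
#!/bin/sh
# Added example (not from the original post or from cyrus-sasl): audit a
# shadow(5)-format file for accounts whose password field is empty.
#
# Field 2 of shadow(5) is the hashed password. Conventions:
#   ""            empty  -> no password at all (the case reported above)
#   "!" or "*"    locked -> cannot authenticate with a password
#   "!<hash>"     locked hash, as written by `passwd -l`
#   "$id$..."     a crypt(3) hash

# Print one username per line for every account with an empty password field.
# Defaults to /etc/shadow when no file is given (needs root to read it).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Print accounts that have a usable (non-empty, non-locked) hash. These are
# the only accounts that should be able to pass a password check at all.
active_password_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "${1:-/etc/shadow}"
}

# Classify the password field of one account: empty, locked, hash or missing.
# Usage: password_field_state USER [FILE]
password_field_state() {
    awk -F: -v u="$1" '
        $1 == u { found = 1
                  if ($2 == "")          print "empty"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else                   print "hash"
                  exit }
        END { if (!found) print "missing" }' "${2:-/etc/shadow}"
}

# Constructed sample in shadow(5) layout; hash strings are placeholders.
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$placeholderhashvalue:15212:0:99999:7:::
daemon:*:15212:0:99999:7:::
sasltest::15212:0:99999:7:::
locked:!$6$saltsalt$placeholderhashvalue:15212:0:99999:7:::
mailuser:$2y$10$placeholderplaceholderplaceholderplaceholder:15212:0:99999:7:::
EOF

echo "accounts with an empty password field (must be fixed or locked):"
empty_password_accounts "$SAMPLE_SHADOW"
echo "accounts with a usable password hash:"
active_password_accounts "$SAMPLE_SHADOW"
echo "state of sasltest: $(password_field_state sasltest "$SAMPLE_SHADOW")"
```

Run `empty_password_accounts /etc/shadow` as root. Any account it lists should either get a real password (`passwd USER`) or be locked (`passwd -l USER`, which prefixes the field with `!`); after that, `testsaslauthd -u USER -p wrongpassword -s smtp` should return NO rather than OK. The `^[!*]` match covers the two conventional lock markers, so a field consisting only of `*` or `!` is also reported as locked rather than usable.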