Cyrus saslauthd shadow

Dan White dwhite at olp.net
Fri Aug 26 11:42:31 EDT 2011


On 26/08/11 15:10 +0000, Grant Delaney wrote:
>Hi All
>
>I have found an issue with saslauthd: it appears to let a user authenticate with any password if the user's password is blank in the /etc/shadow file on the smtp service.
>
>Environment:
>
>Opensuse 11.4
>rpm -qa cyrus-sasl
>cyrus-sasl-2.1.23-15.1.x86_64
>
>#/etc/sysconfig/saslauthd
>SASLAUTHD_AUTHMECH=shadow
>
># id sasltest
>uid=1001(sasltest) gid=100(users) groups=33(video),100(users)
>
>
># testsaslauthd -u sasltest -p test  -s smtp
>0: OK "Success."
>
># testsaslauthd -u sasltest -p wrongtest  -s smtp
>0: NO "authentication failed"
>
># grep sasltest /etc/shadow
>sasltest:$2y$10$RlSnCi99SDDFguMNk.rhcurpXphwm.NA9121vnVFi5RqzgmruFKye:15212:0:99999:7:::
>
>Now if I remove the password in the shadow file.
>
># grep sasltest /etc/shadow
>sasltest::15212:0:99999:7:::
>
> # testsaslauthd -u sasltest -p test  -s smtp
>0: OK "Success."
>
># testsaslauthd -u sasltest -p wrongtest  -s smtp
>0: OK "Success."
>
># testsaslauthd -u sasltest -p icanputanythingIwanthere  -s smtp
>0: OK "Success."
>
>Is this the expected result when using shadow as the auth mech?
>
>I know the solution is not to use blank passwords, but I would expect it to fail because you supplied a password when it does not have one or not allow a blank password. Recently had a customer being used as a spam relay because of this. I have already explained that blank passwords are a bad idea.
>
>Regards
>Grant
>
>
>
>Grant Delaney
>Linux Administrator III [experience Fanatical Support]
>
>Tel:    +442087342500
>Fax:    +44 20 8606 6110
>Web:    www.rackspace.co.uk

I can confirm this using a SASL CVS checkout from 2011-05-23 (I'm using a
Debian patched install).

The issue affects both the getpwent and shadow backends. I could not
trigger the problem using the pam backend. I have not tested any of the
other backends.

With an empty password field in /etc/shadow (or /etc/passwd with the getpwent
backend), I cannot actually authenticate with a blank password:

testsaslauthd -u testuser -p ""

but any other password succeeds.

-- 
Dan White
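The comparison the thread is about, as an added example that is not part of either message nor of Cyrus SASL's own code: the fragile shape, which compares the stored shadow field against crypt(password, field) and therefore accepts any non-blank candidate once the field is empty, beside a version that fails closed on empty or locked fields and on crypt failures. To build without -lcrypt and behave identically on every libc, it uses fake_crypt, a constructed FNV-based stand-in for crypt(3) that is not a password hash; it returns an empty string for an empty setting, which is what the observations above imply the real crypt did in 2011, and otherwise round-trips a correct password through the field it produced. The function names, the "$6$Qx9TfEzL$" setting and the up-front rejection of a blank candidate (the reply reports that -p "" fails, but not where saslauthd rejects it) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* crypt(3)-shaped function; a constructed stand-in is passed in below. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(3), NOT a real password hash. Empty setting
 * -> empty string (the behaviour the thread implies). Otherwise it keeps the
 * setting prefix ("$id$salt$", or two traditional salt characters) and
 * appends 16 hex digits of FNV-1a over prefix and password, so the correct
 * password round-trips through a stored field just as with real crypt. */
char *fake_crypt(const char *key, const char *setting)
{
    static char out[128];
    size_t prefix;

    if (setting[0] == '\0') {
        out[0] = '\0';
        return out;
    }
    if (setting[0] == '$') {
        const char *last = strrchr(setting, '$');
        prefix = (size_t)(last - setting) + 1;
    } else {
        prefix = strlen(setting) < 2 ? strlen(setting) : 2;
    }
    if (prefix > 100)
        return NULL;                                /* unusable setting */

    unsigned long long h = 1469598103934665603ULL;  /* FNV-1a, toy only */
    for (size_t i = 0; i < prefix; i++) {
        h ^= (unsigned char)setting[i];
        h *= 1099511628211ULL;
    }
    for (const char *p = key; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 1099511628211ULL;
    }
    snprintf(out, sizeof out, "%.*s%016llx", (int)prefix, setting, h);
    return out;
}

/* Fragile shape: trusts whatever the shadow field holds and treats a
 * string-equal crypt result as proof. A blank candidate is rejected up
 * front (assumption about where saslauthd does this). The NULL test is
 * only there so the demo cannot crash. */
int check_vulnerable(const char *stored, const char *password, crypt_fn cr)
{
    if (password[0] == '\0')
        return 0;
    const char *hash = cr(password, stored);
    return hash != NULL && strcmp(stored, hash) == 0;   /* 1 = accept */
}

static int consttime_eq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened shape: a field that is empty, starts with '!' or '*' (the usual
 * locked-account markers) or is shorter than the 13 characters of the
 * shortest traditional hash has no password to check and fails closed.
 * A crypt failure (NULL, or a result starting with '*' as newer
 * implementations return for a bad setting) is a failure, not a match. */
int check_hardened(const char *stored, const char *password, crypt_fn cr)
{
    if (stored == NULL || password == NULL || password[0] == '\0')
        return 0;
    if (stored[0] == '\0' || stored[0] == '!' || stored[0] == '*')
        return 0;
    if (strlen(stored) < 13)
        return 0;
    const char *hash = cr(password, stored);
    if (hash == NULL || hash[0] == '\0' || hash[0] == '*')
        return 0;
    return consttime_eq(stored, hash);
}

/* The thread's scenarios driven through both checks with the stand-in. */
int scenario_vulnerable(const char *stored, const char *password)
{
    return check_vulnerable(stored, password, fake_crypt);
}
int scenario_hardened(const char *stored, const char *password)
{
    return check_hardened(stored, password, fake_crypt);
}

/* Stored field for "test" under an arbitrary setting; the hardened check
 * must still accept the right password and reject a wrong one. */
int roundtrip_ok(void)
{
    char stored[128];
    snprintf(stored, sizeof stored, "%s", fake_crypt("test", "$6$Qx9TfEzL$"));
    return check_hardened(stored, "test", fake_crypt) == 1
        && check_hardened(stored, "wrongtest", fake_crypt) == 0
        && check_vulnerable(stored, "test", fake_crypt) == 1
        && check_vulnerable(stored, "wrongtest", fake_crypt) == 0;
}

int main(void)
{
    const char *tries[] = { "test", "wrongtest", "icanputanythingIwanthere", "" };
    for (int t = 0; t < 4; t++)
        printf("empty field, pw=%-26s vulnerable=%d hardened=%d\n",
               tries[t][0] ? tries[t] : "\"\"",
               scenario_vulnerable("", tries[t]), scenario_hardened("", tries[t]));
    printf("round trip with a real-looking field: %s\n", roundtrip_ok() ? "ok" : "BROKEN");
    return 0;
}
```

The point of the hardened version is that the decision never depends on what crypt does with a setting that is not a hash: the field is classified before crypt is called, and anything crypt returns that is not a well-formed hash is treated as a failed comparison. The PAM backend Dan could not trip is consistent with this, since pam_unix refuses an empty field unless explicitly configured with nullok.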

