Multiple-Mechanism Sample Code?

Dave Cridland dave at cridland.net
Tue Dec 19 04:23:11 EST 2006


On Mon Dec 18 22:12:03 2006, Alexey Melnikov wrote:
> Henry B. Hotz wrote:
> 
>> The published sample code seems to only try the first mechanism 
>> and  then quit.  I'm told the "correct" way to do SASL is to try 
>> all the  mechanisms (or at least all the ones supported) and don't 
>> quit until  you've tried them all.  Is there any example code that 
>> illustrates this?
> 
> (I wanted to point you to Cyrus imtest, but it doesn't do that).
> 
> In general, I think a well written SASL client should behave as 
> follows:
> 
> It should sort SASL mechanisms that both client and server support 
> by their "strength" or features recognized by the client. For SASL 
> mechanisms with equal strength the order used by the server can be 
> used.
> The client starts iterating through the ordered list, starting from 
> the strongest mechanism. It tries the mechanism. If authentication 
> succeeds - success. If not, the client may retry the mechanism 
> (e.g. if the server returned an indication that the password is 
> incorrect) several times, say 3 times. After that the client should 
> move on to the next strongest SASL mechanism and so on.
> 
> There are of course some complications. Some SASL mechanisms that 
> can potentially be stronger can end up being weaker, because of the 
> options that the server supports.
> 
> 
There are more complications than that - some protocols give you a 
fairly wide set of protocol-level data about why a SASL exchange 
failed, others don't. For example, IMAP will give you a pretty simple 
"NO" for any failure at all, whereas ACAP will tell you rather more, 
such as AUTH-TOO-WEAK, ENCRYPT-NEEDED, TRANSITION-NEEDED, etc, which 
can be used by the client to figure out what the next action should 
be.

Also, you need to add TLS into the mix, too - which is in itself 
negotiated, of course, and will probably change the advertised 
mechanisms.

As a for-example, a ACAP client might initially try DIGEST-MD5, 
cancel it partway through because no encryption was supported, use 
STARTTLS, try DIGEST-MD5, fail due to a TRANSITION-NEEDED code, and 
use PLAIN.

An IMAP client in more or less tha same situation has longer to go, 
because it doesn't get the TRANSITION-NEEDED code, and therefore has 
no idea if it should retry DIGEST-MD5 a few times, or try a different 
mechanism.

As if anyone needed *more* reasons to use ACAP. :-)

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade


More information about the Cyrus-sasl mailing list