Multiple-Mechanism Sample Code?

Henry B. Hotz hotz at jpl.nasa.gov
Sun Dec 31 12:52:13 EST 2006 

Thanks!

On Dec 31, 2006, at 1:18 AM, Alexey Melnikov wrote:

> Henry B. Hotz wrote:
>> On Dec 18, 2006, at 2:12 PM, Alexey Melnikov wrote:
>>> Henry B. Hotz wrote:
>>>> The published sample code seems to only try the first mechanism  
>>>> and  then quit.  I'm told the "correct" way to do SASL is to try  
>>>> all the  mechanisms (or at least all the ones supported) and  
>>>> don't quit until  you've tried them all.  Is there any example  
>>>> code that illustrates this?
>>> (I wanted to point you to Cyrus imtest, but it doesn't do that).
>> It's worse than that.  |-(
>>
>> I kept looking after I posted that note, and I haven't even found  
>> any suggestion that it was feasible beyond Simon Wilkinson's  
>> comment at the UMich workshop.
>>
>> In a(n admitedly limited) test calling sasl_client_start multiple  
>> times with the same mechanism list always results in the same  
>> mechanism being chosen.  This seems to mean that you need to  
>> duplicate the list parsing code in your app and keep track of the  
>> untried mechanisms yourself.
> This is correct.
>> It also means I need to play games in order to avoid prompting the  
>> user for a username once for each mechanism that I try.
> I think this can be done using the interaction callback.
>> Now that I'm trying to actually use the API there are a number of  
>> other things that seem awkward as well, but that's OT.
>>> In general, I think a well written SASL client should behave as  
>>> follows:
>>>
>>> It should sort SASL mechanisms that both client and server  
>>> support by their "strength" or features recognized by the client.  
>>> For SASL mechanisms with equal strength the order used by the  
>>> server can be used.
>> How *does* the server order them?
>>
>> Putting "GSSAPI ANONYMOUS" in the config file results in the same  
>> list.  Putting "GSSAPI PLAIN" in the config file results in "PLAIN  
>> GSSAPI" from sasl_listmech().  Whyzzat?
> The server uses the order in which plugins were loaded from disk.
>> I don't think I'm supposed to care about the ordering.  The  
>> security considerations section of the SASL RFC says the mechanism  
>> is negotiated in the clear, and you should expect that a 3rd party  
>> may modify it.
> Right.
>> That means that *any* mechanism accepted by the server or client  
>> under any circumstances had better be "good enough".  That said I  
>> would much prefer GSSAPI/Krb5 to a mechanism that requires me to  
>> type in stuff.
>>> The client starts iterating through the ordered list, starting  
>>> from the strongest mechanism. It tries the mechanism. If  
>>> authentication succeeds - success. If not, the client may retry  
>>> the mechanism (e.g. if the server returned an indication that the  
>>> password is incorrect) several times, say 3 times. After that the  
>>> client should move on to the next strongest SASL mechanism and so  
>>> on.
>> Since the password prompt is very early after you start the client  
>> I don't think it's a big deal to just start the client over again.
> I would disagree if we are talking about a GUI client ;-).
> I wouldn't like to restart Thunderbird every time I mistype  
> password :-)
>> (Usually, not always!)
>>> There are of course some complications. Some SASL mechanisms that  
>>> can potentially be stronger can end up being weaker, because of  
>>> the options that the server supports.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the Cyrus-sasl mailing list