Multiple-Mechanism Sample Code?
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Jan 2 21:09:31 EST 2007
The SASL API is already pretty complex for what it does IMO. (Why
isn't there a call that does both sasl_client_init() and
sasl_client_new()? Why does every app need 10++ lines in front of
sasl_{client,server}_new() to do two getnameinfo()'s and two
snprintf's, instead of just handing over the sockaddr's? Why. . . ?
Obviously, I'm still getting familiar with things.)
Unless you can tell me that there is a properly-documented API for an
ACAP library that's deployed on as many platforms (including Java) as
SASL already is, *AND* that it's no harder to write/modify an
application to use ACAP than it is to use SASL, then I'm not
interested. Sorry. You're welcome to try to convince me, but it
sounds off-topic for this list.
In my current experiments Cyrus SASL doesn't appear to work when you
call sasl_client_start() with the second mechanism to try. There are
a lot of variables here, and a better-than-even chance the problem is
in my code, not the library. Once I have something properly working
I'll revisit this issue. I gather you're claiming that ACAP solves
this (and other) problems. See above.
Hopefully I can provide a better SASL example than the one currently
circulating. The one in the current distribution is really an option
test rig. The older example is better for someone figuring out how
to write a SASL-ized application.
On Dec 19, 2006, at 1:23 AM, Dave Cridland wrote:
> On Mon Dec 18 22:12:03 2006, Alexey Melnikov wrote:
>> Henry B. Hotz wrote:
>>> The published sample code seems to only try the first mechanism
>>> and then quit. I'm told the "correct" way to do SASL is to try
>>> all the mechanisms (or at least all the ones supported) and
>>> don't quit until you've tried them all. Is there any example
>>> code that illustrates this?
>> (I wanted to point you to Cyrus imtest, but it doesn't do that).
>> In general, I think a well written SASL client should behave as
>> follows:
>> It should sort SASL mechanisms that both client and server support
>> by their "strength" or features recognized by the client. For SASL
>> mechanisms with equal strength the order used by the server can be
>> used.
>> The client starts iterating through the ordered list, starting
>> from the strongest mechanism. It tries the mechanism. If
>> authentication succeeds - success. If not, the client may retry
>> the mechanism (e.g. if the server returned an indication that the
>> password is incorrect) several times, say 3 times. After that the
>> client should move on to the next strongest SASL mechanism and so on.
>> There are of course some complications. Some SASL mechanisms that
>> can potentially be stronger can end up being weaker, because of
>> the options that the server supports.
> There are more complications than that - some protocols give you a
> fairly wide set of protocol-level data about why a SASL exchange
> failed, others don't. For example, IMAP will give you a pretty
> simple "NO" for any failure at all, whereas ACAP will tell you
> rather more, such as AUTH-TOO-WEAK, ENCRYPT-NEEDED, TRANSITION-
> NEEDED, etc, which can be used by the client to figure out what the
> next action should be.
Working examples? I'm modifying the PostgreSQL protocol as needed.
Adding SASL data to existing messages is easy. Adding an
AuthenticationContinue message isn't very hard either because they
have a protocol manual that's quite nice.
I'm concerned that the Cyrus API is so complex that the resulting
patches may be deemed too complex for acceptance. From a practical
standpoint what PostgreSQL stands to gain is 1) Kerberos support that
works on Windows and in Java, not just Unix/C, and 2) a bunch of
stuff that duplicates existing functionality. If it works well
enough 2) could be seen as an advantage in the long run since it
could allow the removal of their custom password database, custom
password verification algorithms, and PAM support. "Works well
enough" means "works, and takes no effort to link against on most
platforms".
> Also, you need to add TLS into the mix, too - which is in itself
> negotiated, of course, and will probably change the advertised
> mechanisms.
>
> As a for-example, a ACAP client might initially try DIGEST-MD5,
> cancel it partway through because no encryption was supported, use
> STARTTLS, try DIGEST-MD5, fail due to a TRANSITION-NEEDED code, and
> use PLAIN.
>
> An IMAP client in more or less tha same situation has longer to go,
> because it doesn't get the TRANSITION-NEEDED code, and therefore
> has no idea if it should retry DIGEST-MD5 a few times, or try a
> different mechanism.
>
> As if anyone needed *more* reasons to use ACAP. :-)
>
> Dave.
> --
> Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
> - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
> - http://dave.cridland.net/
> Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Cyrus-sasl
mailing list