Multiple-Mechanism Sample Code?

Andreas Winkelmann ml at awinkelmann.de
Wed Jan 3 15:04:56 EST 2007


On Monday 18 December 2006 23:12, Alexey Melnikov wrote:

> > The published sample code seems to only try the first mechanism and
> > then quit.  I'm told the "correct" way to do SASL is to try all the
> > mechanisms (or at least all the ones supported) and don't quit until
> > you've tried them all.  Is there any example code that illustrates this?
>
> (I wanted to point you to Cyrus imtest, but it doesn't do that).
>
> In general, I think a well written SASL client should behave as follows:
>
> It should sort SASL mechanisms that both client and server support by
> their "strength" or features recognized by the client. For SASL
> mechanisms with equal strength the order used by the server can be used.

This is ok and already implemented.

> The client starts iterating through the ordered list, starting from the
> strongest mechanism. It tries the mechanism. If authentication succeeds
> - success. If not, the client may retry the mechanism (e.g. if the
> server returned an indication that the password is incorrect) several
> times, say 3 times. After that the client should move on to the next
> strongest SASL mechanism and so on.

No, I would say this is a Security Risk and of course useless.

If the Server offers DIGEST-MD5 and PLAIN. And the User/Client trys wrong 
Credentials, the Second try will pass in Cleartext the Internet. I would not 
like to see that if I just make a Typo in the Password, you?

Oh and useless, because why should there be a difference between one of the 
Offered Mechanisms? If DIGEST-MD5 with one set of Credentials fails, why 
should it succeed with PLAIN? This is only the case with misconfigured 
Servers (Offering *-MD5 Mechanisms with saslauthd for example). 

> There are of course some complications. Some SASL mechanisms that can
> potentially be stronger can end up being weaker, because of the options
> that the server supports.

-- 
	Andreas


More information about the Cyrus-sasl mailing list