Multiple-Mechanism Sample Code?

Dave Cridland dave at cridland.net
Wed Jan 3 15:23:41 EST 2007


On Wed Jan  3 20:04:56 2007, Andreas Winkelmann wrote:
> On Monday 18 December 2006 23:12, Alexey Melnikov wrote:
> > The client starts iterating through the ordered list, starting from the
> > strongest mechanism. It tries the mechanism. If authentication succeeds
> > - success. If not, the client may retry the mechanism (e.g. if the
> > server returned an indication that the password is incorrect) several
> > times, say 3 times. After that the client should move on to the next
> > strongest SASL mechanism and so on.
> 
> No, I would say this is a Security Risk and of course useless.
> 
> 
Almost...


> If the Server offers DIGEST-MD5 and PLAIN. And the User/Client tries 
> wrong Credentials, the second try will pass in cleartext over the 
> Internet. I would not like to see that if I just make a Typo in the 
> Password, you?
> 
> 
Well, the client really ought to be warning about this, and checking 
with the user. Of course, this might need a new API/callback for 
Cyrus SASL, I can't recall. (All my Cyrus SASL usage is on the 
server, my client usage uses its own library, which does do warnings).


> Oh and useless, because why should there be a difference between 
> one of the Offered Mechanisms? If DIGEST-MD5 with one set of 
> Credentials fails, why should it succeed with PLAIN? This is only 
> the case with misconfigured Servers (Offering *-MD5 Mechanisms with 
> saslauthd for example). 
> 
Ah... No, there's the transition case. For ACAP, for example, the 
attempt to authenticate with DIGEST-MD5 might yield a 
TRANSITION-NEEDED, but (all?) other protocols won't communicate that 
back to the client, so it's reasonable to try PLAIN.

PLAIN might work because SASL can pass the credentials onto the 
operating system's authentication method, whereas DIGEST-MD5 needs 
either a copy of the plaintext, or the intermediate hash, in which 
case that's per-user, not per-site. The simplest way of getting the 
data needed is to get the user to authenticate once using PLAIN, 
after which DIGEST-MD5 works.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
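The fallback policy the thread argues about, as an added example that is not part of this thread or of Cyrus SASL: a client walks the offered mechanisms strongest first, retries only when the server reports a bad password (three times, per Alexey's suggestion), and refuses to fall back to PLAIN on an unprotected connection unless the user confirms (Dave's warning). `FakeServer` and `Outcome` are constructed stand-ins, modelling a saslauthd-style server that can only verify plaintext until the transition Dave describes has happened.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Outcome(Enum):
    OK = "ok"
    BAD_CREDENTIALS = "bad-credentials"       # server says the password is wrong
    TRANSITION_NEEDED = "transition-needed"   # ACAP-style hint: no digest secret yet
    MECH_FAILED = "mech-failed"               # any other failure of this mechanism

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}          # mechanisms that expose the password

def choose_and_authenticate(mechs: List[str], try_mech: Callable[[str], Outcome],
                            tls_active: bool, confirm_plaintext: Callable[[str], bool],
                            max_retries: int = 3) -> Tuple[Optional[str], list]:
    """Walk `mechs` (strongest first). Retry a mechanism only on BAD_CREDENTIALS,
    at most `max_retries` times, then move to the next one. Before using a
    plaintext mechanism on an unprotected link, ask the user first."""
    trace = []
    for mech in mechs:
        if mech in PLAINTEXT_MECHS and not tls_active and not confirm_plaintext(mech):
            trace.append((mech, "skipped"))   # refuse a silent downgrade to cleartext
            continue
        for _ in range(max_retries):
            outcome = try_mech(mech)
            trace.append((mech, outcome.value))
            if outcome is Outcome.OK:
                return mech, trace
            if outcome is not Outcome.BAD_CREDENTIALS:
                break                          # not a typo: do not retry, move on
    return None, trace

class FakeServer:
    """Constructed stand-in: the password store can only verify plaintext
    (like saslauthd) until a per-user digest secret has been captured."""
    def __init__(self, users: Dict[str, str]):
        self.users = users
        self.digest_secrets: Dict[str, str] = {}

    def attempt(self, mech: str, user: str, password: str) -> Outcome:
        if mech == "DIGEST-MD5":
            if user not in self.digest_secrets:
                return Outcome.TRANSITION_NEEDED
            return Outcome.OK if self.digest_secrets[user] == password else Outcome.BAD_CREDENTIALS
        if mech == "PLAIN":
            if self.users.get(user) == password:
                self.digest_secrets[user] = password  # transition: DIGEST-MD5 works from now on
                return Outcome.OK
            return Outcome.BAD_CREDENTIALS
        return Outcome.MECH_FAILED
```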