Multiple-Mechanism Sample Code?
Dave Cridland
dave at cridland.net
Wed Jan 3 18:03:25 EST 2007
On Wed Jan 3 21:18:35 2007, Andreas Winkelmann wrote:
> On Wednesday 03 January 2007 21:23, Dave Cridland wrote:
>
> > > If the Server offers DIGEST-MD5 and PLAIN. And the User/Client
> trys
> > > wrong Credentials, the Second try will pass in Cleartext the
> > > Internet. I would not like to see that if I just make a Typo in
> the
> > > Password, you?
> >
> > Well, the client really ought to be warning about this, and
> checking
> > with the user. Of course, this might need a new API/callback for
> > Cyrus SASL, I can't recall. (All my Cyrus SASL usage is on the
> > server, my client usage uses its own library, which does do
> warnings).
>
> Hmm, ok, you have a Server, which does only allow
> Plaintext-Passwords with SSL/TLS and Shared-Secret Mechanisms
> without SSL/TLS. The Client connects without TLS and trys
> DIGEST-MD5, it fails. What shall happen? Cyrus-SASL cannot switch
> to PLAIN without a heavy Interaction with the Server-Application.
> At least it has to establish a SSL/TLS-Layer to enable
> Plaintext-Passwords in the Authentification-Phase. I don't think
> this hypothetical Situation is a rare exception.
>
>
No, and it's not very hard, either. The client application then
receives the transition request, and assuming the user accepts,
negotiates TLS, and reauthenticates with PLAIN.
> > > Oh and useless, because why should there be a difference between
> > > one of the Offered Mechanisms? If DIGEST-MD5 with one set of
> > > Credentials fails, why should it succeed with PLAIN? This is
> only
> > > the case with misconfigured Servers (Offering *-MD5 Mechanisms
> with
> > > saslauthd for example).
> >
> > Ah... No, there's the transition case. For ACAP, for example, the
> > attempt to authenticate with DIGEST-MD5 might yield a
> > TRANSITION-NEEDED, but (all?) other protocols won't communicate
> that
> > back to the client, so it's reasonable to try PLAIN.
> >
> > PLAIN might work because SASL can pass the credentials onto the
> > operating system's authentication method, whereas DIGEST-MD5 needs
> > either a copy of the plaintext, or the intemediate hash, in which
> > case that's per-user, not per-site. The simplest way of getting
> the
> > data needed is to get the user to authenticate once using PLAIN,
> > after which DIGEST-MD5 works.
>
> I don't know ACAP so good to see this relation, but this sounds
> like the Cyrus-SASL auto_transition Feature. To "convert" a Crypted
> Password Storage (shadow/passwd/...) to an UnEncrypted (auxprop)
> you enable auto_transition and waits until all Accounts/Passwords
> are created in auxprop. In this Phase you run with
> Plaintext-Passwords only (mech_list: plain login) though it would
> be possible to use *-MD5 Mechanisms for the already created
> Accounts.
>
>
Exactly - Cyrus SASL tells the server, and the server can tell the
client via the application level protocol. ACAP happens to be an
example of a protocol which allows this, whereas IMAP does not.
> BTW, a failed Authentification with right Credentials has always a
> bad taste. Looks like a Trojan Horse at the first sight.
No, it's not a matter of the right or wrong credentials, it's a
matter of the credentials not being validatable.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Cyrus-sasl
mailing list