How to authenticate through a X509/pkcs12 client certificate (SSLv3/ [RFC 5246 ?] authentication only)?

Thomas Harding tom at thomas-harding.name
Sat Sep 4 05:48:56 EDT 2010


[my mother tongue is French, and I'm not very fluent in English...]

On 02/09/2010 21:44, Dan White wrote:
> On 02/09/10 21:11 +0200, Thomas Harding wrote:
>> However, I use my own created CA chain (with intermediate one)
>> to authenticate users in Postfix, not to account, which would
>> need the same process, and both postfix and cyrus ask for a
>> certificate issued from this secondary authority.
>> So, my postfix smtp_sender_restrictions rules allows mails from
>> certificates issued by my authority (permit_tls_all_clientcerts),
>> these users are logged as "trusted", while certificates from other
>> authorities are logged as anonymous.
>>
>> At same time, I have Sep 2 17:27:23 smtp2 cyrus/imaps[27137]: login: 
>> [192.168.0.254] tom plain+TLS User logged in
>>
>> And I run imaps (tcp 993) only.
>>
>> So, how to use "TLS" authentication without plain/other authentication
>> mechanisms ?
>>
>> * I wonder if something is planned on cyrus SASL to allow accounting
>> through X509 subject DN, with selected CA authorities
>
> The cyrus sasl library facilitates the use of authentication of a TLS
> session via the EXTERNAL mechanism. However, such support must be
> implemented by the server in question (such as Postfix).
>
> Servers typically implement support by providing a STARTTLS command, and
> using some information contained in the certificate to derive a username.
> How the server derives the username is up to the server.
>
> For instance, the imapd server does this in its starttls implementation:
>

Tried from imap/143/starttls and imaps/993 without success

From another response quoted below, EXTERNAL auth is done through OpenLDAP
(ldapdb), which with further Internet readings offers "EXTERNAL".

I didn't find literature on the Internet on that subject.

> Which presumably means that whatever is in the common name of the
> certificate will become the authenticated identity.

For sure, but I remain an alternative "key" field in certificates for
identification, maybe found in a RFC,
as far as an LDAP entry can have both "uid" and "cn" for "dn"
"last significant name"

dn: uid=foo, ou=bar, dc=foobar, dc=com
ObjectClass: (can't remain)
ObjectClass: (can't remain)
....
uid: foo
cn: Thomas Harding
....

dn: cn=Thomas Harding, ou=bar, dc=foobar, dc=com
ObjectClass: (can't remain)
ObjectClass: (can't remain)
uid: foo
cn: Thomas Harding
> I believe sendmail, cyrus imap, and openldap support such 
> authentication. I
> don't believe postfix does. I cannot find any mention of 
> SASL_AUTH_EXTERNAL
> in its source.
>

> [from Dan White]> You may use OpenLDAP as identity provider, ldapdb as auxiliary
> [from Dan White]> property plugin and SASL Mechanism EXTERNAL.

I think this is the current right way,

While my goal is to avoid any user password/certs database, even ldap,
but rely on a certificate attribute delivered by one or more trusted CAs, then
authenticate on the certificate itself without any database lookup:
I know it's stupid because I will have no revocation list possible
currently.

Even if it would be great to have sasl rely only _fully_ on certificates,
with CRLs handling.



So, I will turn to ldap (there are good slides I googlized on that)
both for cyrus and postfix (which is very flexible), with addition
of "individual" root + intermediate CAs, and sasl login for postfix
(which for the last already authorizes my signed certificates only
to send mails out from my domain without having to log in but
allows my authority issued certs only and logs cert identity in
"Received:" header...
which is enough to prove sender identity, and allow any "From:"
address... as usual with SMTP)


The way I wish is in fact this one, according to the thread ending with
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg18981.html

It /should work/ but the guy didn't succeed

However, postfix can also use LDAP directly and tables for cert MD5
hashes, but I didn't notice REJECT/DUNNO/OK actions as for other tables.


Concerning cyrus doc I have :
<cite>
You can use the self-signed certificate generated above as a CA for 
client certificates. To do this, try the
following:


TODO: write me!

</cite>
Which could be completed by:

TinyCA GUI will help, notably in exporting CA chains,
CRLS and bundled certificates such as PKCS12 and PEM
Take care of RSA/DSA in case of server purpose (one does not need a passphrase...)

The use of the TinyCA GUI would help dummies and ensure good
wallet/revocation list management:
on Debian GNU/Linux, install "tinyca"; in a terminal, the command is 'tinyca2'

create a first CA (the root one), the first "pages" icon from the left

then create a certificate request/key/cert for the intermediate CA by clicking
the second "pages" icon just after the two "search" icons

fill in "create intermediate CA form", the first item is the top-level 
root CA passphrase

In top level menu CA => open CA => choose the intermediate CA nickname

in "cert requests tab", right click => new request
fill in the form

once done, right click on the request item then sign with intermediate 
CA passphrase :
You will have choice between server and client

in "certs" tab, export the request. Choose tar or zip for a server,
pkcs12 for a client, (PEM without key for LDAP; I'm not sure currently, as
I've never done it).
Tip: my smartphone does not accept any signature algorithm: MD5+RSA is OK,
not SHA1 nor others tested...

Tip: acutes must be re-written for each request if you have any (my
city is Orléans)
Tip: take care with a symlinked ~/.TinyCA on a mounted device such as a USB key
Tip: typing on the keyboard like a mad cat would accelerate the encryption process

<cite>
Unfortunately, there's no standard on how to convert the client's 
authenticate DN (distinguished name) to a SASL authentication name.
</cite>

I hope for a "standard on how to convert the client's authenticate DN",
based on cn or uid, ObjectClass +,
organizational unit and domain components (which could be named "suffix")

...which could be done in a /var/lib/sasl/smtp.conf like file or a
postfix ldap like table,
but would largely benefit from an XML syntax (to allow virtual domains
and several ldap servers).

I'm not a developer, my programming and administration skills are 
self-learned ones,

I have no capability in C/C++ except little hacks,
I seriously learned only Python (good), (not so) Posix shells, PHP 
(heerk), SQL
and a little bit PL/PGSQL (which for "quoting" is a nightmare)

But I'm experienced in dozens of configuration file types and 
DTD/xml/xslt authoring.

So, if anyone is interested in the XML configuration file definition
and processing I hope for,
which could handle LDAP+certificates or "certificates only with CRLs",
I could help, even in documentation (for the latter, I helped with automated
documentation generation in the "Dia" project a few years ago, and I could
adapt that to the Cyrus project.
Beware: it is a long-lasting process to build and "pack" correctly any
documentation with a good matter of "integration to the program build and
compilation") ;)

HTH,
TH.
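The post above asks for a rule that turns a client certificate's subject DN into a SASL authentication name (uid or cn, plus the domain components), accepts only certificates issued by the sender's own CA, and would ideally honour a revocation list. The following is an added example illustrating one such policy; it is not code from this thread, from Cyrus SASL, Postfix or OpenLDAP. The trusted issuer, the revoked serial, the sample DNs and the names `parse_dn`, `sasl_identity`, `TRUSTED_ISSUERS` and `REVOKED_SERIALS` are all constructed assumptions; a real server would obtain the subject and issuer strings from its TLS library after chain verification.

```python
"""DN-to-SASL-identity mapping (added example, not any project's code).

Policy, an assumption: accept only certificates from a trusted issuer that
are not on a local revocation list; use 'uid' if present, else 'cn', and
append a domain built from the subject's 'dc' components. Anything else is
anonymous (None). DNs are RFC 4514 strings; X.509 parsing is out of scope.
"""
from typing import List, Optional, Set, Tuple

# Characters that RFC 4514 allows to be escaped with a single backslash.
_SPECIAL = ',=+<>#;"\\ '

# Constructed stand-ins for a real intermediate CA and a CRL entry.
TRUSTED_ISSUERS: Set[str] = {"CN=Example Intermediate CA, O=Example, DC=foobar, DC=com"}
REVOKED_SERIALS: Set[str] = {"0A1B2C"}

RDN = List[Tuple[str, str]]


def _split_unescaped(text: str, seps: str) -> List[str]:
    """Split on separators not preceded by a backslash; escape sequences are
    copied through untouched so they can be decoded after splitting."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep '\x' pair as-is for now
            i += 2
            continue
        if ch in seps:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Decode '\\,'-style escapes and '\\XX' hex-encoded UTF-8 bytes."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in _SPECIAL:
                out += nxt.encode("utf-8")
                i += 2
            else:                        # '\C3' style: one raw byte
                out.append(int(value[i + 1:i + 3], 16))
                i += 3
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 DN into RDNs, most specific first; each RDN is a
    list of (type, value) pairs so 'uid=foo+cn=Bar' keeps both values."""
    rdns: List[RDN] = []
    for rdn in _split_unescaped(dn, ","):
        avas: RDN = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, _, raw_value = ava.partition("=")
            avas.append((attr_type.strip().lower(), _unescape(raw_value.strip())))
        rdns.append(avas)
    return rdns


def attribute_values(rdns: List[RDN], name: str) -> List[str]:
    """All values of attribute `name`, in DN order (most specific first)."""
    name = name.lower()
    return [v for rdn in rdns for (t, v) in rdn if t == name]


def same_dn(a: str, b: str) -> bool:
    """Structural comparison, so spacing/escaping differences do not matter
    (values themselves are compared case-sensitively, a simplification)."""
    return parse_dn(a) == parse_dn(b)


def sasl_identity(subject_dn: str, issuer_dn: str, serial_hex: str,
                  trusted_issuers: Set[str] = TRUSTED_ISSUERS,
                  revoked_serials: Set[str] = REVOKED_SERIALS) -> Optional[str]:
    """Identity for a verified client certificate, or None (anonymous)."""
    if not any(same_dn(issuer_dn, t) for t in trusted_issuers):
        return None                       # foreign CA: stays anonymous
    revoked = {s.upper().lstrip("0") for s in revoked_serials}
    if serial_hex.upper().lstrip("0") in revoked:
        return None                       # listed in the local CRL stand-in
    rdns = parse_dn(subject_dn)
    local = attribute_values(rdns, "uid") or attribute_values(rdns, "cn")
    if not local or not local[0]:
        return None                       # no usable naming attribute
    domain = ".".join(attribute_values(rdns, "dc"))
    return f"{local[0]}@{domain}" if domain else local[0]


if __name__ == "__main__":
    issuer = "CN=Example Intermediate CA,O=Example,DC=foobar,DC=com"
    print(sasl_identity("UID=foo+CN=Thomas Harding,OU=bar,DC=foobar,DC=com", issuer, "1F"))
```

The uid-before-cn preference mirrors the two LDAP entry shapes shown earlier in the post; swapping the order, or using a different attribute per issuer, is a one-line change in `sasl_identity`, which is the kind of per-domain rule the post suggests a configuration file should express.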

