plain authentication fails if userid and authid differ
Dan White
dwhite at olp.net
Mon Dec 23 12:06:54 EST 2013
On 12/22/13 21:41 +0100, Christian Schwamborn wrote:
>I recently tried to upgrade the first of my mail systems from debian
>squeeze to wheezy and discovered that something within sasl was
>broken. I tracked down the problem to bug-id 3590, patched the sasl
>libs (2.1.25 in wheezy) and it seemed to work.
>But before I'm going to continue: Meanwhile I spent some time to
>rebuild the current sasl release 2.1.26 and all its dependencies but
>my problem remains.
>
>When doing a "plain" authentication in a setup using saslauthd
>without configured auxprop modules (as described in
>https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590) everything is
>fine as long as userid and authid are the same:
>
>imtest -u test -a test -w Password -v -m plain 127.0.0.1
>works just fine.
>
>But if userid and authid differ, sasl will behave similarly as before
>the patch. All this worked fine with sasl 2.1.23 (which was in
>squeeze). Did something change in the configuration or is there
>still a bug somewhere?
>
>The base64 encoded string is:
>"test\0cyrus\0Password"
Does 'cyrus' exist as an admin or proxyservers in imapd.conf? Is 'test' an
admin? I recall there being some issue there. Security-wise, you should be
using an identity from your proxyservers entry rather than an admin.
>telnet localhost 4190
>Trying ::1...
>Connected to localhost.
>Escape character is '^]'.
>"IMPLEMENTATION" "Cyrus timsieved v2.4.16-Debian-2.4.16-4+deb7u1"
>"SASL" "PLAIN LOGIN"
>"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
>imapflags notify envelope relational regex subaddress copy"
>"STARTTLS"
>"UNAUTHENTICATE"
>OK
>AUTHENTICATE "PLAIN" {28+}
>dGVzdABjeXJ1cwBQYXNzd29yZA=='
Is the trailing ' a typo?
>NO "Authentication Error"
>
>syslog:
>Dec 21 22:32:40 ourea cyrus/master[17707]: about to exec
>/usr/lib/cyrus/bin/timsieved
>Dec 21 22:32:40 ourea cyrus/sieve[17707]: executed
>Dec 21 22:32:40 ourea cyrus/sieve[17707]: accepted connection
>Dec 21 22:32:40 ourea cyrus/sieve[17707]: badlogin:
>localhost[127.0.0.1] PLAIN no mechanism available
That looks like a bug, since PLAIN was advertised in the banner. Perhaps
the trailing single quote is a problem.
Try using sivtest instead.
>doing the same with:
>"test\0test\0Password"
>-->
>AUTHENTICATE "PLAIN" {24+}
>dGVzdAB0ZXN0AFBhc3N3b3Jk
>will work
--
Dan White
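
Added example, not part of the original message and not Cyrus code: a small Python checker for the two things questioned in this thread, namely whether the payload line matches the `{N+}` literal length and is clean base64, and which identities a PLAIN response carries (RFC 4616 layout: authzid NUL authcid NUL password). The function names are hypothetical; the sample strings are the ones quoted above.

```python
import base64
import binascii
import re

LITERAL_RE = re.compile(r"^\{(\d+)\+\}$")  # non-synchronizing literal, e.g. {28+}

def parse_plain(b64_text):
    """Decode a SASL PLAIN response: [authzid] NUL authcid NUL passwd."""
    # validate=True rejects stray characters such as a trailing quote
    raw = base64.b64decode(b64_text, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected exactly two NUL separators")
    authzid, authcid, _passwd = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("empty authcid")
    # When the two differ, the server must separately authorize authcid
    # to act as authzid (the admins/proxyservers question in the reply).
    return {"authzid": authzid, "authcid": authcid,
            "authzid_differs": bool(authzid) and authzid != authcid}

def check_literal(literal_header, payload):
    """Return a list of problems with a literal header and its payload line."""
    m = LITERAL_RE.match(literal_header)
    if not m:
        return ["malformed literal header"]
    problems = []
    declared = int(m.group(1))
    actual = len(payload.encode("utf-8"))
    if declared != actual:
        problems.append(f"literal declares {declared} octets, payload has {actual}")
    try:
        parse_plain(payload)
    except (binascii.Error, ValueError) as exc:
        problems.append(f"not a valid PLAIN response: {exc}")
    return problems

if __name__ == "__main__":
    # Strings as quoted in the thread; the first keeps the trailing quote.
    for header, line in [("{28+}", "dGVzdABjeXJ1cwBQYXNzd29yZA=='"),
                         ("{28+}", "dGVzdABjeXJ1cwBQYXNzd29yZA=="),
                         ("{24+}", "dGVzdAB0ZXN0AFBhc3N3b3Jk")]:
        print(header, line, check_literal(header, line) or "ok")
```

The password field is decoded only to validate the structure and is never returned or printed, so the checker is safe to run over captured session transcripts.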