plain authentication fails if userid and authid differ

Dan White dwhite at olp.net
Mon Dec 23 12:06:54 EST 2013


On 12/22/13 21:41 +0100, Christian Schwamborn wrote:
>I recently tried to upgrade the first of my mail systems from debian 
>squeeze to wheezy and discovered that something within sasl was 
>broken. I tracked down the problem to bug-id 3590, patched the sasl 
>libs (2.1.25 in wheezy) and it seemed to work.
>But before I'm going to continue: Meanwhile I spent some time to 
>rebuild the current sasl release 2.1.26 and all its dependencies but 
>my problem remains.
>
>When doing a "plain" authentication in a setup using saslauthd 
>without configured auxprop modules (as described in 
>https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590) everything is 
>fine as long as userid and authid are the same:
>
>imtest -u test -a test -w Password -v -m plain 127.0.0.1
>works just fine.
>
>But if userid and authid differ, sasl will behave similar as before 
>the patch. All this worked fine with sasl 2.1.23 (which was in 
>squeeze). Did something change in the configuration or is there 
>still a bug somewhere?
>
>The base64 encoded string is:
>"test\0cyrus\0Password"

Does 'cyrus' exist as an admin or proxyservers in imapd.conf? Is 'test' an
admin? I recall there being some issue there. Security-wise, you should be
using an identity from your proxyservers entry rather than an admin.

>telnet localhost 4190
>Trying ::1...
>Connected to localhost.
>Escape character is '^]'.
>"IMPLEMENTATION" "Cyrus timsieved v2.4.16-Debian-2.4.16-4+deb7u1"
>"SASL" "PLAIN LOGIN"
>"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation 
>imapflags notify envelope relational regex subaddress copy"
>"STARTTLS"
>"UNAUTHENTICATE"
>OK
>AUTHENTICATE "PLAIN" {28+}
>dGVzdABjeXJ1cwBQYXNzd29yZA=='

Is the trailing ' a typo?

>NO "Authentication Error"
>
>syslog:
>Dec 21 22:32:40 ourea cyrus/master[17707]: about to exec 
>/usr/lib/cyrus/bin/timsieved
>Dec 21 22:32:40 ourea cyrus/sieve[17707]: executed
>Dec 21 22:32:40 ourea cyrus/sieve[17707]: accepted connection
>Dec 21 22:32:40 ourea cyrus/sieve[17707]: badlogin: 
>localhost[127.0.0.1] PLAIN no mechanism available

That looks like a bug, since PLAIN was advertised in the banner. Perhaps
the trailing single quote is a problem.

Try using sivtest instead.

>doing the same with:
>"test\0test\0Password"
>-->
>AUTHENTICATE "PLAIN" {24+}
>dGVzdAB0ZXN0AFBhc3N3b3Jk
>will work

-- 
Dan White
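The thread above turns on how the SASL PLAIN message is built (RFC 4616: authorization identity, NUL, authentication identity, NUL, password, then base64) and on the stray single quote in the pasted AUTHENTICATE line. The following Python helper is an added example, not code from the original post or from Cyrus SASL; it encodes and decodes PLAIN messages, reproduces the `{28+}` and `{24+}` literal lengths from the transcript, flags the trailing quote as invalid base64, and reports whether a message is a proxy authentication (authzid differs from authcid), which is the case Dan says should be handled via a proxyservers identity rather than an admin. The function names and the `is_proxy_auth` check are this example's own.

```python
import base64
import binascii

# Constructed sample inputs: the two base64 strings pasted in the thread
# (same credentials as the original post, not real secrets).
B64_PROXY = "dGVzdABjeXJ1cwBQYXNzd29yZA=="   # test\0cyrus\0Password
B64_SAME = "dGVzdAB0ZXN0AFBhc3N3b3Jk"        # test\0test\0Password
B64_WITH_STRAY_QUOTE = B64_PROXY + "'"      # as it appeared in the telnet session


def encode_plain(authzid: str, authcid: str, password: str) -> str:
    """Build an RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64-encoded.

    authzid may be empty, meaning 'authorize as the authenticated identity'.
    NUL is the field separator, so it is not allowed inside any field.
    """
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not permitted inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64: str) -> tuple[str, str, str]:
    """Decode a base64 PLAIN message into (authzid, authcid, password).

    validate=True makes the decoder reject non-alphabet characters such as a
    stray quote, instead of silently dropping them.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64 in PLAIN message: {exc}") from None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


def literal_header(b64: str) -> str:
    """Return the ManageSieve AUTHENTICATE line with the non-synchronizing literal length."""
    return f'AUTHENTICATE "PLAIN" {{{len(b64)}+}}'


def is_proxy_auth(authzid: str, authcid: str) -> bool:
    """True when the client asks to act as a different user than it authenticates as.

    This is the situation the server must authorize separately (e.g. via
    proxyservers in imapd.conf); a plain user login has authzid empty or equal
    to authcid.
    """
    return authzid != "" and authzid != authcid


if __name__ == "__main__":
    for label, msg in (("proxy", B64_PROXY), ("same", B64_SAME)):
        authzid, authcid, _ = decode_plain(msg)
        print(f"{label}: {literal_header(msg)} -> authzid={authzid!r} "
              f"authcid={authcid!r} proxy={is_proxy_auth(authzid, authcid)}")
    try:
        decode_plain(B64_WITH_STRAY_QUOTE)
    except ValueError as err:
        print("stray quote:", err)
```

Running it shows the proxy message decodes to authzid `test`, authcid `cyrus` with literal length 28, the same-user message to `test`/`test` with length 24, and the quoted variant is rejected before it ever reaches the server-side split, which is the first thing to rule out before suspecting the saslauthd path.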

