Is a blank SASL password valid with PLAIN?

Dan White dwhite at olp.net
Wed Jul 29 16:08:10 EDT 2015


On 07/29/15 14:51 -0400, Brian Bouterse wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>I've been doing some development on Kombu [0] which uses SASL to
>authenticate against a Qpid message bus. In one specific case, when
>Kombu makes a Qpid client connection it calls
>establish(username='guest', password=''). establish() is part of the
>Qpid client library [1]. In Python '' is an empty string, which is
>different from None, the reserved keyword for empty (null).
>
>At some point as establish calls into qpid.messaging ->
>python-saslwrapper -> cyrus-sasl-lib/plain we are being prompted for a
>password even though we specify password=''. Is password='' an invalid
>value in the SASL PLAIN protocol, or is this just a bug in these
>libraries that should be fixed?
>
>We are running these sasl libraries:
>
>cyrus-sasl-2.1.26-17.el7.x86_64
>cyrus-sasl-md5-2.1.26-17.el7.x86_64
>saslwrapper-0.22-5.el7sat.x86_64
>cyrus-sasl-plain-2.1.26-17.el7.x86_64
>cyrus-sasl-lib-2.1.26-17.el7.x86_64
>python-saslwrapper-0.22-5.el7sat.x86_64
>
>I can provide more info if that is helpful. I know this is a silly
>thing to use SASL with an empty password but users are doing it and it
>halts the process while waiting for input from a daemon process.
>Thanks in advance.

Per RFC 4616 (SASL PLAIN), the password must be at least 1 non-null UTF-8
character. Presumably libsasl will continue to trigger a SASL_INTERACT
while there is no recognized password.

You're responsible for performing any necessary error checking within your
(Kombu's) code prior to that point. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/programming.php#callbacks_interactions

-- 
Dan White
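The check Dan describes, as an added example that is not Kombu's, qpid.messaging's or Cyrus SASL's own code: the RFC 4616 grammar is `message = [authzid] UTF8NUL authcid UTF8NUL passwd` with `authcid = 1*SAFE` and `passwd = 1*SAFE`, where SAFE is any UTF-8 character except NUL. The functions below reject an empty or NUL-containing username or password before the credentials reach libsasl (so no SASL_INTERACT can fire for a missing password), build the PLAIN initial client response, and parse one on the receiving side. `establish_safely` is a hypothetical wrapper around a client library's `establish(username=, password=)` call, not an API of the Qpid client.

```python
# RFC 4616 (SASL PLAIN) credential validation and message encoding.
# Added example; not code from Kombu, qpid.messaging or cyrus-sasl.
#
# Grammar from RFC 4616, section 2:
#   message = [authzid] UTF8NUL authcid UTF8NUL passwd
#   authcid = 1*SAFE   ; servers MUST accept up to 255 octets
#   passwd  = 1*SAFE   ; servers MUST accept up to 255 octets
#   SAFE    = UTF8 minus U+0000 (NUL)

NUL = "\x00"


class SaslPlainError(ValueError):
    """Credentials cannot be encoded as an RFC 4616 PLAIN message."""


def credential_problem(authcid, passwd, authzid=""):
    """Return a description of why the credentials are unusable, or None.

    The empty string is rejected for authcid and passwd because the RFC
    requires at least one SAFE character in each; '' is exactly the value
    that leaves libsasl with no recognised password and triggers the
    interactive prompt the thread is about.
    """
    for name, value in (("authzid", authzid), ("authcid", authcid), ("passwd", passwd)):
        if not isinstance(value, str):
            return f"{name} must be a str, got {type(value).__name__}"
        if NUL in value:
            return f"{name} must not contain NUL (RFC 4616 SAFE)"
    if not authcid:
        return "authcid must be at least one character (RFC 4616)"
    if not passwd:
        return "passwd must be at least one character (RFC 4616)"
    return None


def plain_initial_response(authcid, passwd, authzid=""):
    """Build the PLAIN client message [authzid] NUL authcid NUL passwd as UTF-8 bytes."""
    problem = credential_problem(authcid, passwd, authzid)
    if problem is not None:
        raise SaslPlainError(problem)
    return (authzid + NUL + authcid + NUL + passwd).encode("utf-8")


def parse_plain_message(data):
    """Server-side split of a PLAIN message into (authzid, authcid, passwd).

    Raises SaslPlainError for non-UTF-8 input, a wrong number of NUL
    separators, or an empty authcid/passwd.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise SaslPlainError("PLAIN message is not valid UTF-8") from exc
    parts = text.split(NUL)
    if len(parts) != 3:
        raise SaslPlainError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = parts
    problem = credential_problem(authcid, passwd, authzid)
    if problem is not None:
        raise SaslPlainError(problem)
    return authzid, authcid, passwd


def establish_safely(establish, username, password):
    """Hypothetical wrapper for a client library's establish(username=, password=).

    Fails fast with a clear error instead of letting libsasl block a daemon
    on an interactive password prompt.
    """
    problem = credential_problem(username, password)
    if problem is not None:
        raise SaslPlainError(problem)
    return establish(username=username, password=password)


if __name__ == "__main__":
    # Constructed inputs: the thread's guest/'' case and a valid pair.
    print(plain_initial_response("guest", "guest"))
    print(credential_problem("guest", ""))
```

Calling `credential_problem` (or `establish_safely`) at the point where Kombu accepts the connection parameters turns the hang into an immediate, explainable exception; the `None` case is caught by the same check because `None` is not a `str`.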

