From Sean.Haugh at vertivco.com Wed Nov 1 13:58:19 2017
From: Sean.Haugh at vertivco.com (Sean.Haugh at vertivco.com)
Date: Wed, 1 Nov 2017 17:58:19 +0000
Subject: [ExternalEmail] Alternative to default_realm in krb5.conf question
In-Reply-To: <008b01d35320$5eb81ea0$1c285be0$@symas.com>
References: <008b01d35320$5eb81ea0$1c285be0$@symas.com>
Message-ID: <20171101175819.lvl6xbgrdyqophwv@scuba.localdomain>

On Wed, Nov 01, 2017 at 02:47:41PM +0000, Jason Trupp wrote:
> Did anyone from the SASL mail list ever respond to you about this inquiry? I
> too was interested in knowing what their suggestions were but never saw any
> more activity on the thread.

Hi Jason, no, I never heard anything back. We ended up using a different
workaround. I did look into the OpenLDAP source, it should be possible to set
with LDAP_OPT_X_SASL_REALM--but only get is implemented right now afaik.

I agree though, it would be nice to get a clear "yes/no/your application code
is wrong".

From murch at fastmail.com Mon Nov 27 08:03:16 2017
From: murch at fastmail.com (Ken Murchison)
Date: Mon, 27 Nov 2017 08:03:16 -0500
Subject: SASL 2.1.27 rc5
In-Reply-To: <1567e417-c282-90c1-4504-077120bf961b@fastmail.com>
References: <1567e417-c282-90c1-4504-077120bf961b@fastmail.com>
Message-ID: <3791321d-a49d-cc7c-0768-51279a81a469@fastmail.com>

Alexey and I had a Google hangout conversation last week and we are committed
to resolving the GSSAPI issue(s) and any other non-invasive
issues/pull-requests within the next month. Probably one more (short-lived)
release candidate with the final 2.1.27 released by Christmas.

Please update any existing issues that you feel are critical to the 2.1.27
release.

On 10/10/2017 07:59 AM, Ken Murchison wrote:
>
> All,
>
> I have built a fourth release candidate of SASL 2.1.27 which can be
> downloaded from here:
>
> HTTP:
> http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz [MD5: 0e4ab034e93933ae7e4891b6ff58694f]
> http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz.sig [MD5: 5ebb22737aa11810f6c9e5d12b167f16]
>
> FTP:
> ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz [MD5: 0e4ab034e93933ae7e4891b6ff58694f]
> ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz.sig [MD5: 5ebb22737aa11810f6c9e5d12b167f16]
>
> Note that the distro has been signed by my colleague Partha Susarla at
> FastMail.
>
>
> The only major change since RC4 has to do with detection of PAM
> support. Those using PAM with saslauthd are encouraged to make sure
> that this release compiles and runs as expected.
>
>
> The (mostly) complete list of changes from 2.1.26 are these:
>
>   * Added support for OpenSSL 1.1
>   * Added support for lmdb (from Howard Chu)
>   * Lots of build fixes (from Ignacio Casal Quinteiro and others)
>   * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when
>     selecting client mech
>   * DIGEST-MD5 plugin:
>       o Fixed memory leaks
>       o Fixed a segfault when looking for non-existent reauth cache
>       o Prevent client from going from step 3 back to step 2
>       o Allow cmusaslsecretDIGEST-MD5 property to be disabled
>   * GSSAPI plugin:
>       o Added support for retrieving negotiated SSF
>       o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
>       o Properly compute maxbufsize AFTER security layers have been set
>   * SCRAM plugin:
>       o Added support for SCRAM-SHA-256
>   * LOGIN plugin:
>       o Don't prompt client for password until requested by server
>   * NTLM plugin:
>       o Fixed crash due to uninitialized HMAC context
>   * saslauthd:
>       o cache.c:
>           + Don't use cached credentials if timeout has expired
>           + Fixed debug logging output
>       o ipc_doors.c:
>           + Fixed potential DoS attack (from Oracle)
>       o ipc_unix.c:
>           + Prevent premature closing of socket
>       o auth_rimap.c:
>           + Added support LOGOUT command
>           + Added support for unsolicited CAPABILITY responses in
>             LOGIN reply
>           + Properly detect end of responses (don't needlessly wait)
>           + Properly handle backslash in passwords
>       o auth_httpform:
>           + Fix off-by-one error in string termination
>           + Added support for 204 success response
>       o auth_krb5.c:
>           + Added krb5_conv_krb4_instance option
>           + Added more verbose error logging
>
>
>
> At this point any major changes (e.g. API, wire protocol) will be
> pushed out to 2.1.28 or 2.2.0. I believe that this is close to being
> a final release which I would like to get out by the end of September.
>
> The biggest outstanding issues are those around recent GSSAPI
> changes. I'm inclined to defer to Alexey's judgement on these unless
> someone can convince us that the SASL code is wrong per the specs.
> The fact that it broke a particular piece of code doesn't necessarily
> mean that the application code is correct and the SASL change was wrong.
>
> If there are any other last minute show stoppers, please open an issue
> on GitHub (preferably with a patch), or better yet create a pull request.
>
> --
> Kenneth Murchison
> Cyrus Development Team
> FastMail Pty Ltd

--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd