From neustradamus at hotmail.com Fri Dec 6 00:01:59 2019
From: neustradamus at hotmail.com (- Neustradamus -)
Date: Fri, 6 Dec 2019 05:01:59 +0000
Subject: Cyrus SASL and SCRAM etc.
Message-ID:

Hi all,

I have done a PR about some changes, and about missing SCRAM in files...
- https://github.com/cyrusimap/cyrus-sasl/pull/589
Can you validate it?

Good job from Alexey Melnikov and Ken Murchison about SCRAM changes some months ago.

Do not forget that CRAM-MD5 and DIGEST-MD5 are historical and unsecured.

Some people inform that there is a problem with Debian, there is no SCRAM-SHA-1 and SCRAM-SHA-1-PLUS which have been added a long time ago.
Same for SCRAM-SHA-256 and SCRAM-SHA-256-PLUS which have been added in last Cyrus SASL version 2.1.27.
For example: https://bugs.exim.org/show_bug.cgi?id=2349#c6

A new release for Cyrus SASL?
The last was released more than one year ago.
There are a lot of improvements.
There is a ticket here: https://github.com/cyrusimap/cyrus-sasl/issues/580.

At the same time, there are some tickets and other PR:

For SASL:
- https://github.com/cyrusimap/cyrus-sasl/
- https://github.com/cyrusimap/cyrus-sasl/issues
- https://github.com/cyrusimap/cyrus-sasl/pulls

For IMAPD:
- https://github.com/cyrusimap/cyrus-imapd
- https://github.com/cyrusimap/cyrus-imapd/issues
- https://github.com/cyrusimap/cyrus-imapd/pulls

About the doc:
- https://github.com/cyrusimap/cyrusimap.github.io/issues

------------

I recall:

It is possible to see for not up-to-date doc?
- https://www.cyrusimap.org/dev/sasl/authentication_mechanisms.html
- https://www.cyrusimap.org/2.5/sasl/authentication_mechanisms.html
Redirection?

Please note that there is a SSL certificate problem for https://cyrusimap.web.cmu.edu/
Solution?
- Redirection of http(s)://cyrusimap.web.cmu.edu/ to https://cyrusimap.org/ ?
And in the same time http(s)://www.cyrusimap.org/ to https://cyrusimap.org/ ?

------------

Thanks in advance.
Regards,
Neustradamus

From quanah at symas.com Fri Dec 6 03:25:26 2019
From: quanah at symas.com (Quanah Gibson-Mount)
Date: Fri, 06 Dec 2019 00:25:26 -0800
Subject: Cyrus SASL and SCRAM etc.
In-Reply-To:
References:
Message-ID:

--On Friday, December 6, 2019 5:01 AM +0000 - Neustradamus - wrote:

> Hi all,
>
> I have done a PR about some changes, and about missing SCRAM in files...
> - https://github.com/cyrusimap/cyrus-sasl/pull/589
> Can you validate it?

At one point, Howard Chu and I were supposed to be added to the project so we could start getting things reviewed and in, but nothing ever seemed to come of that, unfortunately. I hope it can still happen. There's a serious security flaw in Cyrus-SASL that was recently reported that needs fixing as well.

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

From aio.sasl at aio.nu Mon Dec 9 04:26:21 2019
From: aio.sasl at aio.nu (AiO)
Date: Mon, 9 Dec 2019 10:26:21 +0100 (CET)
Subject: Pull-request with kerberos token delegation option
Message-ID:

Hi all,

Just wanted to spread the knowledge of a pull-request I've made with some nice server-side improvements on GSSAPI and Kerberos token options to use a credentials cache to store user's tokens. This enables CyrusSASL to not just be an authentication end-point, but also allows for single-sign-on to other services server-side.

Check it (#586) out - hope it's good-enough for the feature-set addressed.
Kind regards,
AiO

From simo at redhat.com Tue Dec 10 20:51:53 2019
From: simo at redhat.com (Simo Sorce)
Date: Tue, 10 Dec 2019 20:51:53 -0500
Subject: Pull-request with kerberos token delegation option
In-Reply-To:
References:
Message-ID:

On Mon, 2019-12-09 at 10:26 +0100, AiO wrote:
> Hi all,
>
> Just wanted to spread the knowledge of a pull-request I've made with some
> nice server-side improvements on GSSAPI and Kerberos token options to use a
> credentials cache to store user's tokens. This enables CyrusSASL to not
> just be an authentication end-point, but also allows for single-sign-on to
> other services server-side.
>
> Check it (#586) out - hope it's good-enough for the feature-set addressed.
>
> Kind regards,
> AiO

I made a review.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

From aio.sasl at aio.nu Wed Dec 11 01:33:13 2019
From: aio.sasl at aio.nu (Joakim Ekblad)
Date: Wed, 11 Dec 2019 07:33:13 +0100
Subject: Pull-request with kerberos token delegation option
In-Reply-To:
References:
Message-ID: <4779d0b62a28e9fed894f7e615d721c60fbd0e9a.camel@aio.nu>

On tis, 2019-12-10 at 20:51 -0500, Simo Sorce wrote:
> On Mon, 2019-12-09 at 10:26 +0100, AiO wrote:
> > Hi all,
> >
> > Just wanted to spread the knowledge of a pull-request I've made
> > Check it (#586) out - hope it's good-enough for the feature-set
> > addressed.
> >
> I made a review.

Thanks man! I saw it the other day, I'll try to find some time today to fix your much appreciated comments. Awesome!

/AiO