To the one who posted Cyrus SASL diagram...

Rob Siemborski rjs3 at andrew.cmu.edu
Thu Oct 30 08:00:06 EST 2003


On Thu, 30 Oct 2003, Nikola Milutinovic wrote:

> SASL provides an interface for applications - servers and clients - to perform
> authentication, using more or less secure mechanisms. Among some popular servers
> that you neglected to mention is Sendmail (a veteran in that field).

You may want to read doc/components.html (available at least in 2.1.16).

> Authentication mechanisms can be one of these:
>
> - PLAIN
> - CRAM-MD5
> - DIGEST-MD5
> - KERBEROS_IV
> - GSSAPI
> - EXTERNAL
>
> PLAIN
> -----
>
> Plain uses Base64 encoding for UserID/secret pair, which means it is insecure
> and has SSF (Security Strength Factor) of 0. Now, what is the UserID/Pass pair
> compared against?

It doesn't use base64 encoding; plain is <authid>\0<authzid>\0<password>.
The base64 encoding is a side-effect of the application-level sasl
encoding.

> There are several "internal" SASL mechanisms which can check user/pass pair:
>
> - AUXPROP SASL-DB (user/pass is stored in /etc/sasldb2)
> - AUXPROP SQL (user/pass is stored in MySQL, PostgreSQL or Oracle)
> - SASLAUTHD (external process "sasl authentication daemon" is used)
>
> SASLAuthD can check user/pass against a number of sources, like PAM, LDAP, NIS,
> Kerberos4/5, SASL-DB,...

The auxprop mechanisms don't "check" a password, they supply one for the
mechanism to do verification with.

> These mechanisms use MD5 check-sums to enhance the privacy of authentication.
> CRAM-MD5 is obsolete and you should use DIGEST-MD5. These mechanisms both rely
> on a "shared secret" being stored on the server, because that is used as a key
> for MD5 (or is it salt? - I'm not an expert on this). The storage is ALWAYS
> /etc/sasldb2 (is there a plan for SQL plugin?).

There is currently a plugin for SQL.  Also there are third-party ldap
plugins available.

> EXTERNAL
> --------
>
> This is actually SSL/TLS - public key cryptography. It can act as a "wrapper"
> for any other SASL mechanism. For instance, I use TLS+plaintext on my Cyrus IMAP
> and MS Outlook Express, Mozilla Mail, Opera Mail and Netscape Messenger.

EXTERNAL isn't "actually SSL/TLS", it is a way for an authorization ID to
be supplied when the connection is authenticated using a non-SASL
mechanism (for example, connection to a unix socket).

SSL/TLS is simply one of those methods that can provide outside
authentication.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
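As an added example, not part of this thread and not Cyrus SASL's own code, the two points discussed above worked through in Python: the PLAIN message layout as RFC 4616 defines it ([authzid] NUL authcid NUL passwd, authorization identity first), with the base64 framing that a protocol such as IMAP AUTHENTICATE puts around the raw bytes and that a peer strips off again unchanged; and a CRAM-MD5 exchange in which a stand-in for an auxprop lookup only hands the stored secret to the mechanism, which then does the HMAC-MD5 comparison itself. The in-memory store, the function names and the hostname are assumptions; the CRAM-MD5 user, password, challenge and digest are the example values printed in RFC 2195.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

NUL = "\0"


def plain_build(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, UTF-8."""
    for field in (authzid, authcid, password):
        if NUL in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return f"{authzid}{NUL}{authcid}{NUL}{password}".encode("utf-8")


def plain_parse(message: bytes) -> Tuple[str, str, str]:
    """Split a PLAIN message into (authzid, authcid, password).
    Anything other than exactly three NUL-separated fields is rejected."""
    parts = message.decode("utf-8").split(NUL)
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected exactly two NULs")
    authzid, authcid, password = parts
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


def imap_authenticate_line(message: bytes) -> str:
    """The line a client sends after IMAP AUTHENTICATE PLAIN: base64 is the
    protocol's framing of the SASL bytes, not a property of the mechanism."""
    return base64.b64encode(message).decode("ascii")


def imap_decode_line(line: str) -> bytes:
    """Undo the framing; what comes out is the raw message, password included (SSF 0)."""
    return base64.b64decode(line, validate=True)


# Constructed stand-in for an auxprop backend (sasldb2, SQL, ...): it returns
# the stored secret for a user and makes no authentication decision itself.
# The entry is the example user/password from RFC 2195.
_AUXPROP_STORE = {"tim": "tanstaaftanstaaf"}


def auxprop_lookup(authcid: str) -> Optional[str]:
    return _AUXPROP_STORE.get(authcid)


def cram_md5_challenge(hostname: str) -> str:
    """Server-side challenge in the RFC 2195 shape <random.timestamp@host>."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>"


def cram_md5_response(challenge: str, username: str, password: str) -> str:
    """Client side: HMAC-MD5 keyed with the shared secret over the challenge."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"),
                      hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(challenge: str, response: str) -> bool:
    """Server side: the mechanism fetches the secret via auxprop and verifies."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = auxprop_lookup(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"),
                        hashlib.md5).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    wire = imap_authenticate_line(plain_build("alice", "s3cret"))
    print("PLAIN on the wire:", wire)
    print("decoded back:", plain_parse(imap_decode_line(wire)))
    ch = cram_md5_challenge("imap.example.test")
    print("CRAM-MD5 ok:", cram_md5_verify(ch, cram_md5_response(ch, "tim", "tanstaaftanstaaf")))
```

Run it and the first line shows why the thread calls PLAIN SSF 0: a single base64 decode returns the password. The CRAM-MD5 half shows the division of labour Rob describes, with the lookup returning only the secret and `cram_md5_verify` doing the actual check.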