To the one who posted Cyrus SASL diagram...

Nikola Milutinovic Nikola.Milutinovic at ev.co.yu
Thu Oct 30 05:26:27 EST 2003


Sorry, I deleted the mail, so I don't have your e-mail now and this might be 
educational to the list.

This is what I've learned about SASL so far.

SASL provides an interface for applications - servers and clients - to perform 
authentication, using more or less secure mechanisms. Among some popular servers 
that you neglected to mention is Sendmail (a veteran in that field).

Authentication mechanisms can be one of these:

- PLAIN
- CRAM-MD5
- DIGEST-MD5
- KERBEROS_IV
- GSSAPI
- EXTERNAL

PLAIN
-----

Plain uses Base64 encoding for the UserID/secret pair, which means it is insecure 
and has an SSF (Security Strength Factor) of 0. Now, what is the UserID/Pass pair 
compared against?

There are several "internal" SASL mechanisms which can check user/pass pair:

- AUXPROP SASL-DB (user/pass is stored in /etc/sasldb2)
- AUXPROP SQL (user/pass is stored in MySQL, PostgreSQL or Oracle)
- SASLAUTHD (external process "sasl authentication daemon" is used)

SASLAuthD can check user/pass against a number of sources, like PAM, LDAP, NIS, 
Kerberos4/5, SASL-DB,...

It is worth noting that, although using some strong mechanism with saslauthd 
seems OK, you're actually degrading it, since PLAIN will expose user/pass in 
(practically) plaintext.

CRAM-MD5
DIGEST-MD5
----------

These mechanisms use MD5 checksums to enhance the privacy of authentication. 
CRAM-MD5 is obsolete and you should use DIGEST-MD5. These mechanisms both rely 
on a "shared secret" being stored on the server, because that is used as a key 
for MD5 (or is it salt? - I'm not an expert on this). The storage is ALWAYS 
/etc/sasldb2 (is there a plan for an SQL plugin?).
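An added example (not part of the original post) that puts the PLAIN and CRAM-MD5 
points above side by side: PLAIN's "encoding" is trivially reversed by anyone who 
sees the exchange, while CRAM-MD5 (RFC 2195) only sends an HMAC-MD5 over a server 
challenge, which is why the server needs the shared secret to verify it. The 
credentials and the challenge string are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials; not taken from the original post.
USER = "nix"
PASSWORD = "s3cret"


def plain_initial_response(authzid: str, authcid: str, passwd: str) -> str:
    """Client message for SASL PLAIN: authzid NUL authcid NUL passwd, base64'd.
    Base64 is an encoding, not encryption, so SSF is 0."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_decode(msg: str) -> tuple:
    """What anyone who sees a PLAIN exchange without TLS can recover from it."""
    authzid, authcid, passwd = base64.b64decode(msg).decode("utf-8").split("\0")
    return authzid, authcid, passwd


def cram_md5_response(challenge: str, user: str, passwd: str) -> str:
    """CRAM-MD5 client response: base64("user " + hex(HMAC-MD5(passwd, challenge))).
    The password itself never goes on the wire; only the keyed digest does."""
    digest = hmac.new(passwd.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def cram_md5_verify(challenge: str, response: str, secrets: dict) -> bool:
    """Server-side check. It needs the plaintext shared secret (the sasldb2
    entry in Cyrus), which is why that secret must be stored on the server."""
    user, _, digest = base64.b64decode(response).decode("utf-8").partition(" ")
    if user not in secrets:
        return False
    expected = hmac.new(secrets[user].encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    msg = plain_initial_response("", USER, PASSWORD)
    print("PLAIN on the wire:", msg, "-> decoded:", plain_decode(msg))
    challenge = "<1896.697170952@postoffice.example>"  # constructed server challenge
    resp = cram_md5_response(challenge, USER, PASSWORD)
    print("CRAM-MD5 response:", resp)
    print("server accepts:", cram_md5_verify(challenge, resp, {USER: PASSWORD}))
```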

KERBEROS_IV
GSSAPI
-----------

GSS-API is actually Kerberos5. Both of these rely on Kerberos infrastructure 
being set already. So, if you have KDC (MIT or Heimdal), a server which is 
registered with them as a principal and a client which has obtained Kerberos 
TGT, you're all set to authenticate. SSF of these is (I think) 56.

Just to clarify, some years ago, this was an exotic setup. Nowadays, it might 
become more and more common, with Microsoft moving its primary authentication 
on Active Directory Service from NTLM to GSSAPI. There were reports on this list 
of admins who have successfully integrated Cyrus IMAP into ADS infrastructure, 
with MS Outlook (Express?) as E-Mail client.

EXTERNAL
--------

This is actually SSL/TLS - public key cryptography. It can act as a "wrapper" 
for any other SASL mechanism. For instance, I use TLS+plaintext on my Cyrus IMAP 
and MS Outlook Express, Mozilla Mail, Opera Mail and Netscape Messenger.

Hope this helps. Many of us are complaining about the lack of documentation; you're 
one of the few who have decided to contribute.

Nix.