sasl_pwcheck_method

Dan White dwhite at olp.net
Mon Jun 8 18:32:12 EDT 2009


lists at oliver-block.eu wrote:
>
> Hello everybody,
>
> I configured cyrus imapd on an openSUSE 11 machine following the 
> recommendation in a README file. Now I discovered the following - for 
> me odd - behavior, which might depend on a "misconfiguration".
>
> /etc/imap.conf:
> sasl_pwcheck_method: saslauthd
>
> /etc/sysconfig/saslauthd:
> SASLAUTHD_AUTHMECH=pam
>
> If a user logs into cyrus (I used mtest from uw-imap because of its 
> debug messages) it takes 4 trials (3 with CRAM-MD5 and a final with 
> plain password) before the login succeeds.
>
> By chance I've found a tutorial which recommends adding a user to 
> sasldb2. I tried that and without any additional changes to the 
> configuration the first login attempt succeeds.
>
> I wonder if someone could tell me
> 1. Why did it take 4 attempts using the system credentials
> 2. Why did it succeed with one attempt after a user with the same 
> username and different password was added to sasldb2
> 3. Why did the sasldb2 approach succeed at all without any 
> configuration changes.
>


When authenticating via CRAM-MD5, the pwcheck_method will be ignored. 
Your chosen pwcheck_method should only be referenced when authenticating 
via a 'plaintext' authentication mechanism - LOGIN or PLAIN. The fact 
that mtest attempted to authenticate via CRAM-MD5 probably means that 
you are advertising CRAM-MD5 support within imapd.conf.

When authenticating via a mechanism which utilizes a shared secret, such 
as CRAM-MD5, your auxprop configuration will be used 
(sasl_auxprop_plugin). The default auxprop plugin is sasldb. If you are 
advertising CRAM-MD5 support in /etc/imapd.conf, but do not have the 
user configured in an auxprop store, then CRAM-MD5 should always fail.

> 1. Why did it take 4 attempts using the system credentials

mtest is probably falling back to PLAIN after 3 unsuccessful CRAM-MD5 
login attempts.

> 2. Why did it succeed with one attempt after a user with the same 
> username and different password was added to sasldb2
> 3. Why did the sasldb2 approach succeed at all without any 
> configuration changes.

Because adding the user to your (default) auxprop store allowed CRAM-MD5 
to succeed.

If you are planning to support CRAM-MD5, you'll want to use:

sasl_pwcheck_method: auxprop

which will provide some consistency between PLAIN logins and CRAM-MD5 
logins. It will not allow you to use PAM and you'll need to configure 
your users in /etc/sasldb2.

If you don't care about supporting CRAM-MD5, then remove it from your 
'sasl_mech_list', and you can stick with saslauthd and PAM.

- Dan
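As an added illustration of the routing Dan describes above (this is example code written for this page, not code from the thread or from Cyrus SASL): a small model of a SASL server that verifies PLAIN through the configured pwcheck_method but has to verify CRAM-MD5 from an auxprop secret, plus a model of a client that retries CRAM-MD5 three times before falling back to PLAIN. The mechanism wire formats follow RFC 2195 (CRAM-MD5) and RFC 4616 (PLAIN); the user name, both passwords, the challenge host name and the retry count are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (assumptions, not from the original post).
# SYSTEM_PASSWORDS stands in for the system account reached via saslauthd -> PAM.
# SASLDB_SECRETS stands in for /etc/sasldb2, the default auxprop store, holding
# a different password for the same user, as in the poster's experiment.
SYSTEM_PASSWORDS = {"oliver": "system-pass"}
SASLDB_SECRETS = {"oliver": "sasldb-pass"}


def pam_check(user: str, password: str) -> bool:
    """Model of saslauthd/PAM: a yes/no oracle over a cleartext password."""
    return SYSTEM_PASSWORDS.get(user) == password


def auxprop_lookup(user: str):
    """Model of the sasldb auxprop plugin: returns the shared secret, or None."""
    return SASLDB_SECRETS.get(user)


def make_challenge() -> bytes:
    """RFC 2195 style challenge '<random.timestamp@host>'; host is assumed."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@imap.example.net>".encode()


def cram_md5_client(user: str, password: str, challenge: bytes) -> bytes:
    """Client side of CRAM-MD5: 'user HEX(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()


def cram_md5_server(response: bytes, challenge: bytes, pwcheck_method: str) -> bool:
    """Server side of CRAM-MD5. pwcheck_method is accepted but never consulted:
    the server only receives an HMAC, never the password, so a yes/no oracle
    such as PAM cannot verify it. It must fetch the secret and recompute."""
    user, _, digest = response.decode().partition(" ")
    secret = auxprop_lookup(user)
    if secret is None:
        return False  # user absent from the auxprop store: CRAM-MD5 always fails
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_server(response: bytes, pwcheck_method: str) -> bool:
    """Server side of PLAIN (RFC 4616): the cleartext password is present, so
    the configured pwcheck_method decides which backend verifies it."""
    _authzid, authcid, passwd = response.split(b"\0")
    user, password = authcid.decode(), passwd.decode()
    if pwcheck_method == "saslauthd":
        return pam_check(user, password)
    if pwcheck_method == "auxprop":
        secret = auxprop_lookup(user)
        return secret is not None and hmac.compare_digest(secret.encode(), password.encode())
    raise ValueError(f"unknown pwcheck_method {pwcheck_method!r}")


def authenticate(mech: str, user: str, password: str, pwcheck_method: str) -> bool:
    """One authentication attempt with the given mechanism."""
    if mech == "CRAM-MD5":
        challenge = make_challenge()
        return cram_md5_server(cram_md5_client(user, password, challenge), challenge, pwcheck_method)
    if mech == "PLAIN":
        return plain_server(b"\0" + user.encode() + b"\0" + password.encode(), pwcheck_method)
    raise ValueError(f"unsupported mechanism {mech!r}")


def client_login(user, password, advertised_mechs, pwcheck_method, cram_retries=3):
    """Model of the client behaviour Dan infers for mtest (an assumption): try
    CRAM-MD5 up to cram_retries times if advertised, then fall back to PLAIN.
    Returns (success, attempts_used)."""
    attempts = 0
    if "CRAM-MD5" in advertised_mechs:
        for _ in range(cram_retries):
            attempts += 1
            if authenticate("CRAM-MD5", user, password, pwcheck_method):
                return True, attempts
    if "PLAIN" in advertised_mechs:
        attempts += 1
        return authenticate("PLAIN", user, password, pwcheck_method), attempts
    return False, attempts


if __name__ == "__main__":
    for method in ("saslauthd", "auxprop"):
        for pw in ("system-pass", "sasldb-pass"):
            for mech in ("PLAIN", "CRAM-MD5"):
                print(f"{method:10} {mech:8} {pw:12} -> {authenticate(mech, 'oliver', pw, method)}")
    print("mtest-like login, saslauthd, system password:",
          client_login("oliver", "system-pass", ["CRAM-MD5", "PLAIN"], "saslauthd"))
```

Running it reproduces the thread: with `saslauthd` and CRAM-MD5 advertised, the system password fails CRAM-MD5 three times and succeeds on the fourth (PLAIN) attempt, while the sasldb2 password succeeds on the first CRAM-MD5 attempt and fails PLAIN. Switching the model to `auxprop` makes both mechanisms answer from the same store, which is the consistency Dan is recommending; dropping CRAM-MD5 from the advertised list makes the system password succeed on the first attempt via PLAIN.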

