Authentication over SSL
Russ Allbery
rra at stanford.edu
Tue Sep 9 01:30:45 UTC 2008
Julien ÉLIE <julien at trigofacile.com> writes:
> The problem is that require_ssl: is seen *before* an auth block is
> assigned so the behaviour of the current connection (that is to say
> whether AUTHINFO USER is available) cannot be changed by it. If a
> client is in such an auth block, then necessarily he is using SSL.
>
> auth "users" {
> hosts: "*"
> require_ssl: true
> }
>
> access "users" {
> users: "<all>"
> read: "*"
> }
>
> % telnet localhost 119
> 502 You have no permission to talk. Goodbye!
> Connection closed by foreign host.
>
> No auth was assigned! While I only wanted here not to be able to use
> AUTHINFO USER if SSL was not used.
Oh, sorry, I wasn't clear. I was assuming the modification to require_ssl
to support STARTTLS was done as well.
The idea that I had in mind was that when the user connected:
* Scan all auth blocks as we do now.
* If any auth block doesn't have require_ssl and has an auth parameter,
advertise AUTHINFO USER.
* Otherwise, if there are auth blocks with require_ssl, don't advertise
AUTHINFO but advertise STARTTLS.
* After STARTTLS, scan the auth blocks again and if there is an auth block
with an auth parameter, advertise AUTHINFO USER.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
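The advertisement rule sketched above, as an added example that is not INN's code or either poster's: a small Python model of readers.conf auth blocks (only the hosts:, require_ssl: and auth: parameters the rule depends on are kept) that computes which capabilities a connection should see before and after STARTTLS, and shows why the quoted configuration gets a 502 when the block is selected before TLS is considered. The authenticator value and the block names other than "users" are constructed placeholders.

```python
"""Model of capability advertisement driven by readers.conf auth blocks.

Constructed example, not INN's implementation. An AuthBlock carries just
the three parameters the rule in the message looks at.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class AuthBlock:
    name: str
    hosts: str = "*"            # only the "*" wildcard is modelled here
    require_ssl: bool = False   # require_ssl: parameter
    auth: Optional[str] = None  # auth: authenticator command, None if absent


def assigned_block(blocks: List[AuthBlock], tls_active: bool) -> Optional[AuthBlock]:
    """Current behaviour: pick the first matching block at connection time.

    A block with require_ssl: true cannot match a plaintext connection, so a
    configuration made only of such blocks assigns nothing to a plaintext
    client, which is the "502 You have no permission to talk" case quoted.
    """
    for block in blocks:
        if block.hosts != "*":
            continue  # host matching is out of scope for this model
        if block.require_ssl and not tls_active:
            continue
        return block
    return None


def advertised(blocks: List[AuthBlock], tls_active: bool) -> Set[str]:
    """Proposed behaviour: decide advertisements from all blocks, per the message.

    Before STARTTLS: offer AUTHINFO USER only if some block without
    require_ssl has an auth parameter; otherwise, if any block requires SSL,
    offer STARTTLS instead of AUTHINFO. After STARTTLS: rescan, and offer
    AUTHINFO USER if any block has an auth parameter.
    """
    caps: Set[str] = set()
    if tls_active:
        if any(b.auth for b in blocks):
            caps.add("AUTHINFO USER")
        return caps
    if any(b.auth and not b.require_ssl for b in blocks):
        caps.add("AUTHINFO USER")
    elif any(b.require_ssl for b in blocks):
        caps.add("STARTTLS")
    return caps


def plaintext_auth_exposed(blocks: List[AuthBlock]) -> bool:
    """Configuration check: does any block accept passwords without TLS?

    Under the proposed rule such a block makes AUTHINFO USER advertisable on
    a plaintext connection, so credentials could travel in the clear.
    """
    return any(b.auth and not b.require_ssl for b in blocks)


# Constructed sample: the quoted "users" block plus an auth: parameter
# (placeholder command) so that AUTHINFO USER has something to do.
QUOTED_CONFIG = [AuthBlock("users", "*", True, "AUTHENTICATOR-PLACEHOLDER")]

# Constructed mixed sample: one block allows plaintext password auth.
MIXED_CONFIG = [
    AuthBlock("plain", "*", False, "AUTHENTICATOR-PLACEHOLDER"),
    AuthBlock("users", "*", True, "AUTHENTICATOR-PLACEHOLDER"),
]


if __name__ == "__main__":
    for label, cfg in (("quoted", QUOTED_CONFIG), ("mixed", MIXED_CONFIG)):
        first = assigned_block(cfg, tls_active=False)
        print(label, "plaintext block:", first.name if first else "none (502)")
        print(label, "before STARTTLS:", sorted(advertised(cfg, False)))
        print(label, "after STARTTLS: ", sorted(advertised(cfg, True)))
        print(label, "plaintext auth exposed:", plaintext_auth_exposed(cfg))
```

The message does not say whether STARTTLS is also offered when a plaintext AUTHINFO block exists, so `advertised` follows the four steps literally; `plaintext_auth_exposed` is the check worth running on any readers.conf that mixes blocks with and without require_ssl.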