Authentication over SSL

Julien ÉLIE julien at trigofacile.com
Tue Sep 9 17:50:56 UTC 2008


Hi Russ,

>> Is it the same for AUTHINFO SASL?  If there is no auth parameters, it
>> should not be advertised.
>
> I forget how the SASL support works.  Is there anything in the
> readers.conf file saying "support SASL" or is it entirely internal?

Nothing in readers.conf AFAIK.


>> In such cases, when there is no auth parameter, should AUTHINFO
>> USER/PASS/SASL commands return 502?  Or do we let the user try to
>> authenticate (and it will fail at the end)?
>
> You definitely want AUTHINFO USER to fail if you don't want the user to
> authenticate, since that prevents sending the password over an unencrypted
> connection.  502 is the correct error code.

All right, because 483 would be sent if there were a possibility to authenticate
after STARTTLS.
Hmm...  What about:

auth "nothing" {
   hosts: "*"
}

access "nothing" {
   users: "<all>"
   read: "!*"
}

auth "users" {
   hosts: "*"
   require_ssl: true
}

access "users" {
   users: "<all>"
   read: "*"
}


GROUP -> 502
AUTHINFO -> 502
...

No authentication possible, but if 483 is sent, the client may
negotiate an encrypted connection and then have access to
everything!

So 502 does not give much information in response to GROUP and AUTHINFO...

-- 
Julien ÉLIE

« When you love, you don't count the cost...
  Just as well, I'm bad at arithmetic! »
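To make the scenario above concrete, here is an added example (not INN's code and not part of this thread) that models the readers.conf snippet with deliberately simplified rules: `hosts:` and `read:` are treated as wildmat patterns, `require_ssl` gates matching on the TLS state, and the last matching auth group is assumed to win (chosen so the model reproduces the outcome described in the mail). `authinfo_response` contrasts the 502 answer with a hypothetical 483 answer to show what the latter would reveal.

```python
import fnmatch

# Constructed model of the readers.conf snippet quoted in the mail.
# Matching semantics below are a simplification, not INN's implementation.
AUTH_GROUPS = [
    {"name": "nothing", "hosts": "*", "require_ssl": False},
    {"name": "users",   "hosts": "*", "require_ssl": True},
]
ACCESS_GROUPS = {
    "nothing": {"users": "<all>", "read": "!*"},
    "users":   {"users": "<all>", "read": "*"},
}


def wildmat(pattern, name):
    """Simplified wildmat: comma-separated terms, '!' negates, last match wins."""
    result = False
    for term in pattern.split(","):
        negate = term.startswith("!")
        if fnmatch.fnmatchcase(name, term.lstrip("!")):
            result = not negate
    return result


def effective_access(client_host, tls):
    """Access group of the last auth group whose hosts match and whose
    require_ssl is satisfied by the connection state (assumed semantics)."""
    chosen = None
    for group in AUTH_GROUPS:
        if wildmat(group["hosts"], client_host) and (tls or not group["require_ssl"]):
            chosen = group
    return ACCESS_GROUPS[chosen["name"]] if chosen else None


def can_read(client_host, tls, newsgroup="comp.lang.c"):
    """Whether GROUP on the given newsgroup would be allowed."""
    access = effective_access(client_host, tls)
    return bool(access) and wildmat(access["read"], newsgroup)


def authinfo_response(client_host, tls, reveal_tls=False):
    """No auth group in this config carries an auth parameter, so AUTHINFO can
    never succeed: 502. With reveal_tls=True the model instead answers 483 on a
    plaintext connection whenever a require_ssl group would match after
    STARTTLS, which tells the client that upgrading the connection may help."""
    if not tls and reveal_tls and any(
        g["require_ssl"] and wildmat(g["hosts"], client_host) for g in AUTH_GROUPS
    ):
        return 483
    return 502
```

On a plaintext connection the model denies reading and answers 502 to AUTHINFO; after STARTTLS the "users" group takes over and everything becomes readable, which is exactly what a 483 would have hinted at.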
