SASL testing

Russ Allbery rra at stanford.edu
Sun Sep 21 21:01:22 UTC 2008


Julien ÉLIE <julien at trigofacile.com> writes:

> As far as I understand in the code source, only a username can be passed
> to AUTHINFO SASL and is then checked towards users: in access groups.
> No password?  So, hmm... I do not understand the use of it for privacy;
> is it only to encrypt the connection?  Or maybe the username is a
> password?  (Still weird...)

Both the username and the password (or some equivalent thereof) are sent
as part of the SASL protocol itself, so they aren't part of the NNTP
command.  The last argument to AUTHINFO SASL is not a username; it's the
initial response, which may be required for some SASL protocols (and if so
is usually some base64-encoded data).

The best way to test SASL is to use one of the command-line telnet-like
utilities that you can tell to start a SASL authentication on a
connection.  I think Cyrus SASL comes with one of those, although it's
been a long time since I've looked at them.  I don't remember what their
limitations are.

> This one is specially fast but I do not know on what it authenticates...
>
> AUTHINFO SASL ANONYMOUS test
> 281 Authentication succeeded

SASL ANONYMOUS authenticates as the anonymous user.  It should be treated
the same by INN as if the user hadn't authenticated at all, if we even
support it.  We may want to filter it out of the list of supported
authentication mechanisms.  See RFC 4505.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
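To illustrate the point made above, here is an added example (not INN's code, and not from either poster) that builds and parses RFC 4643 `AUTHINFO SASL` lines: for PLAIN (RFC 4616) the base64 argument carries authzid, username and password separated by NUL bytes, while for ANONYMOUS (RFC 4505) it carries only UTF-8 trace information and no credential at all, which is why a server should treat it as unauthenticated. The usernames, passwords and the decoded bytes of the `test` argument are constructed inputs.

```python
import base64

def plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, as UTF-8."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    return f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")

def authinfo_sasl(mechanism, initial_response=None):
    """Format 'AUTHINFO SASL mech [initial-response]' per RFC 4643.

    The optional argument is base64 data; a zero-length initial response
    is sent as a single '=' so it is distinguishable from 'none'.
    """
    if initial_response is None:
        return f"AUTHINFO SASL {mechanism}"
    if initial_response == b"":
        return f"AUTHINFO SASL {mechanism} ="
    b64 = base64.b64encode(initial_response).decode("ascii")
    return f"AUTHINFO SASL {mechanism} {b64}"

def parse_authinfo_sasl(line):
    """Return (MECHANISM, initial response bytes or None); reject bad base64."""
    words = line.strip().split(" ")
    if (len(words) not in (3, 4) or words[0].upper() != "AUTHINFO"
            or words[1].upper() != "SASL"):
        raise ValueError("not an AUTHINFO SASL command")
    mech = words[2].upper()
    if len(words) == 3:
        return mech, None
    if words[3] == "=":
        return mech, b""
    return mech, base64.b64decode(words[3], validate=True)

def split_plain(message):
    """Split a decoded PLAIN message into (authzid, authcid, passwd)."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message needs exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)

def anonymous_trace(message):
    """RFC 4505: the ANONYMOUS message is optional UTF-8 trace information
    of at most 255 characters. It identifies nobody, so it must never be
    matched against a user list. Raises if the bytes are not UTF-8."""
    text = message.decode("utf-8")
    if len(text) > 255:
        raise ValueError("ANONYMOUS trace information too long")
    return text
```

Feeding the quoted `AUTHINFO SASL ANONYMOUS test` line through `parse_authinfo_sasl` shows that `test` is read as base64 (yielding three non-UTF-8 bytes), not as a username.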


More information about the inn-workers mailing list