Authentication over SSL

Julien ÉLIE julien at trigofacile.com
Sun Sep 21 10:06:11 UTC 2008


Hi Russ,

> In this case, I think we have to always advertise SASL if built with SASL
> support.

All right.


>> 483 would be if there was a possibility to authenticate after STARTTLS.
>
> Oh, hm, yes.  If that's available, we should return 483 instead.  I forgot
> about that.

I have just implemented that for AUTHINFO USER/PASS and AUTHINFO SASL.
However, I cannot change the behaviour of the legacy AUTHINFO GENERIC because
it does not use auth blocks; therefore, there is no possibility to know whether
SSL may be required for AUTHINFO GENERIC.

I do not think it is a problem, though, for that deprecated use of AUTHINFO.


>> Hmm...  What for:
>>
>> auth "nothing" {
>>   hosts: "*"
>> }
>>
>> access "nothing" {
>>   users: "<all>"
>>    read: "!*"
>> }
>>
>> auth "users" {
>>   hosts: "*"
>>   require_ssl: true
>> }
>>
>> access "users" {
>>   users: "<all>"
>>   read: "*"
>> }
>>
>> GROUP -> 502
>> AUTHINFO -> 502
>> ...
>>
>> No authentication possible but if 483 is sent, the client maybe will
>> negociate an encrypted connection and then have access to everything!
>
> Right, we should return 483 here, if we can detect this case, to the GROUP
> command and probably to AUTHINFO as well.  Good catch.  It might be hard
> to detect that we're in this case, though.

The main problem is that we then need to force a re-authentication after
a successful TLS negotiation (because we need to change the current
auth block).  I do not know if it is wise to do that.

-- 
Julien ÉLIE

« Dieu expire sa parole, et en l'inspirant l'homme se forme. » 



More information about the inn-workers mailing list