SASL testing

Julien ÉLIE julien at trigofacile.com
Sun Sep 21 22:15:14 UTC 2008


Hi Russ,

>> As far as I understand in the source code, only a username can be passed
>> to AUTHINFO SASL and is then checked against users: in access groups.
>
> Both the username and the password (or some equivalent thereof) are sent
> as part of the SASL protocol itself, so they aren't part of the NNTP
> command.  The last argument to AUTHINFO SASL is not a username; it's the
> initial response, which may be required for some SASL protocols (and if so
> is usually some base64-encoded data).

Sure.  My concern was not in fact for the initial response but for
the credentials provided during the SASL negotiation.

Because on success, we only have that:

        /* Success. */
        strlcpy(PERMuser, canon_user, sizeof(PERMuser));
        PERMgetpermissions();
        PERMneedauth = false;
        PERMauthorized = true;
        PERMcanauthenticate = false;

There is only PERMuser, and the PERMgetpermissions() function only searches
for the right access group.  I cannot find a moment where there is a change
of auth groups...  That is why I do not quite see how to use any password
provided during the SASL negotiation.


> The best way to test SASL is to use one of the command-line telnet-like
> utilities that you can tell to start a SASL authentication on a
> connection.  I think Cyrus SASL comes with one of those, although it's
> been a long time since I've looked at them.  I don't remember what their
> limitations are.

Thanks.  I will have a look.


> SASL ANONYMOUS authenticates as the anonymous user.  It should be treated
> the same by INN as if the user hadn't authenticated at all, if we even
> support it.  We may want to filter it out of the list of supported
> authentication mechanisms.  See RFC 4505.

All right.  I see that there is the NOANONYMOUS keyword to use.
There previously was NOPLAINTEXT but RFC 4642 specifies that SASL PLAIN
should be provided if AUTHINFO USER is.  That is why I dropped it.
But SASL ANONYMOUS and SASL LOGIN were added at the same time.
Is SASL LOGIN still OK to use?

-- 
Julien ÉLIE

"One never goes as far as when one does not know where one is going."
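The exchange discussed in this thread, as an added example that is not part of the original message and not INN's nnrpd code: a toy NNTP server side for AUTHINFO SASL (RFC 4643) that handles SASL PLAIN (RFC 4616) and SASL ANONYMOUS (RFC 4505).  It shows why the password is not an NNTP command argument (it travels inside the base64 initial response and is checked in the SASL layer), why only a canonical user name reaches the PERMuser-style permission lookup on success, and how ANONYMOUS can be filtered from the advertised mechanisms in the spirit of the NOANONYMOUS flag.  The user table, access group names, and the 503/501 codes used for an unavailable mechanism and a syntax error are this example's own assumptions; 281 and 481 follow RFC 4643.  Only one-step exchanges are modelled (a real server would answer 383 and continue the exchange when no usable initial response is given).

```python
"""Toy model of AUTHINFO SASL with PLAIN and ANONYMOUS.  Constructed example,
not INN code: user table, group names and some response codes are assumptions."""
import base64
import hmac

# Constructed user table: username -> (password, access group).
USERS = {
    "alice": ("correct horse", "readers"),
    "bob": ("battery staple", "posters"),
}
ANON_GROUP = "anonymous"   # assumed group an unauthenticated session falls into


def plain_initial_response(authcid, passwd, authzid=""):
    """Client side: RFC 4616 PLAIN message, base64(authzid NUL authcid NUL passwd)."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = b"\0".join(f.encode("utf-8") for f in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def authinfo_sasl_line(mech, initial_response=None):
    """Client side: the NNTP command.  A zero-length initial response is sent as '='."""
    if initial_response is None:
        return f"AUTHINFO SASL {mech}"
    return f"AUTHINFO SASL {mech} {initial_response or '='}"


def advertised_mechanisms(no_anonymous=True):
    """Mechanisms the server offers; ANONYMOUS is dropped when no_anonymous is set."""
    mechs = ["PLAIN", "ANONYMOUS"]
    return [m for m in mechs if not (no_anonymous and m == "ANONYMOUS")]


def sasl_server_step(mech, initial_response):
    """Server-side SASL layer.  Returns ('ok', canon_user) or ('fail', None).
    The password is verified here and never handed back to the NNTP handler."""
    if initial_response in (None, "="):
        raw = b""
    else:
        try:
            raw = base64.b64decode(initial_response, validate=True)
        except ValueError:
            return "fail", None
    if mech == "PLAIN":
        parts = raw.split(b"\0")
        if len(parts) != 3:          # includes the empty-response case
            return "fail", None
        authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
        entry = USERS.get(authcid)
        if entry is None or not hmac.compare_digest(entry[0].encode(), passwd.encode()):
            return "fail", None
        if authzid and authzid != authcid:   # no proxy authorization in this toy
            return "fail", None
        return "ok", authcid
    if mech == "ANONYMOUS":
        # RFC 4505: the client message is only a trace string; nobody is authenticated.
        return "ok", "anonymous"
    return "fail", None


def handle_authinfo_sasl(line, no_anonymous=True):
    """NNTP command handler.  Returns (response code, PERMuser-like name, access group)."""
    words = line.split()
    if len(words) < 3 or words[0].upper() != "AUTHINFO" or words[1].upper() != "SASL":
        return 501, None, ANON_GROUP          # assumed: syntax error
    mech = words[2].upper()
    initial = words[3] if len(words) > 3 else None
    if mech not in advertised_mechanisms(no_anonymous):
        return 503, None, ANON_GROUP          # assumed: mechanism not available
    status, canon_user = sasl_server_step(mech, initial)
    if status != "ok":
        return 481, None, ANON_GROUP          # RFC 4643: authentication rejected
    if mech == "ANONYMOUS":
        # Treated like no authentication at all: the anonymous group, nothing more.
        return 281, canon_user, ANON_GROUP
    # Success: as in the nnrpd snippet, only the canonical user name survives
    # and is looked up in the access groups; the password stayed in the SASL layer.
    return 281, canon_user, USERS[canon_user][1]


if __name__ == "__main__":
    cmd = authinfo_sasl_line("PLAIN", plain_initial_response("alice", "correct horse"))
    print(cmd, "->", handle_authinfo_sasl(cmd))
    print("AUTHINFO SASL ANONYMOUS = ->", handle_authinfo_sasl("AUTHINFO SASL ANONYMOUS ="))
```

Running it shows the PLAIN line carrying one opaque base64 argument and the handler ending up with nothing but "alice" and her access group, while ANONYMOUS is refused outright with the default filtering and, when allowed, yields only the anonymous group.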


