SASL testing
Julien ÉLIE
julien at trigofacile.com
Sun Sep 21 22:15:14 UTC 2008
Hi Russ,
>> As far as I understand in the code source, only a username can be passed
>> to AUTHINFO SASL and is then checked towards users: in access groups.
>
> Both the username and the password (or some equivalent thereof) are sent
> as part of the SASL protocol itself, so they aren't part of the NNTP
> command. The last argument to AUTHINFO SASL is not a username; it's the
> initial response, which may be required for some SASL protocols (and if so
> is usually some base64-encoded data).

Sure. My concern was not in fact for the initial response but for
the credentials provided during the SASL negotiation.
Because on success, we only have that:

    /* Success. */
    strlcpy(PERMuser, canon_user, sizeof(PERMuser));
    PERMgetpermissions();
    PERMneedauth = false;
    PERMauthorized = true;
    PERMcanauthenticate = false;

There is only PERMuser and the PERMgetpermissions() function only searches
for the right access group. I cannot find a moment where there is a change
of auth groups... That is why I do not see well how to use any password
provided during the SASL negotiation.

> The best way to test SASL is to use one of the command-line telnet-like
> utilities that you can tell to start a SASL authentication on a
> connection. I think Cyrus SASL comes with one of those, although it's
> been a long time since I've looked at them. I don't remember what their
> limitations are.

Thanks. I will have a look.

> SASL ANONYMOUS authenticates as the anonymous user. It should be treated
> the same by INN as if the user hadn't authenticated at all, if we even
> support it. We may want to filter it out of the list of supported
> authentication mechanisms. See RFC 4505.

All right. I see that there is the NOANONYMOUS keyword to use.
There previously was NOPLAINTEXT but RFC 4642 specifies that SASL PLAIN
should be provided if AUTHINFO USER is. That is why I dropped it.
But SASL ANONYMOUS and SASL LOGIN were added at the same time.
Is SASL LOGIN still OK to use?

--
Julien ÉLIE
"One never goes so far as when one does not know where one is going."
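
Added example, not part of the original message and not INN code: a small Python parser for the AUTHINFO SASL command line discussed above, showing that the optional last argument is a base64-encoded initial response ("=" meaning an empty one, per RFC 4643) and that for PLAIN (RFC 4616) the username and password travel inside it. The function names and the sample credentials are constructed for illustration.

```python
import base64
import binascii


def parse_authinfo_sasl(line: str) -> dict:
    """Parse 'AUTHINFO SASL mechanism [initial-response]' (RFC 4643)."""
    parts = line.strip().split()
    if len(parts) not in (3, 4) or [p.upper() for p in parts[:2]] != ["AUTHINFO", "SASL"]:
        raise ValueError("not an AUTHINFO SASL command")
    initial = None  # no initial response: the exchange continues with a challenge
    if len(parts) == 4:
        if parts[3] == "=":
            initial = b""  # "=" stands for a zero-length initial response
        else:
            try:
                initial = base64.b64decode(parts[3], validate=True)
            except binascii.Error as exc:
                raise ValueError("initial response is not valid base64") from exc
    return {"mechanism": parts[2].upper(), "initial_response": initial}


def decode_plain(message: bytes) -> dict:
    """Split a SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd."""
    fields = message.split(b"\0")
    # authcid and passwd must be non-empty; authzid may be empty
    if len(fields) != 3 or not fields[1] or not fields[2]:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = (f.decode("utf-8") for f in fields)
    return {"authzid": authzid, "authcid": authcid, "passwd": passwd}


# Constructed sample command; the credentials are made up.
SAMPLE = "AUTHINFO SASL PLAIN " + base64.b64encode(b"\0testuser\0testpass").decode("ascii")

if __name__ == "__main__":
    cmd = parse_authinfo_sasl(SAMPLE)
    print(cmd["mechanism"], decode_plain(cmd["initial_response"]))
    print(parse_authinfo_sasl("AUTHINFO SASL ANONYMOUS ="))
```

Base64 here is only an encoding, so anyone who can read the command line can recover the PLAIN password.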