SASL testing

Russ Allbery rra at stanford.edu
Mon Sep 22 18:22:22 UTC 2008


Julien ÉLIE <julien at trigofacile.com> writes:

> Sure.  My concern was not in fact for the initial response but for
> the credentials provided during the SASL negotiation.
>
> Because on success, we only have that:
>
>        /* Success. */
>        strlcpy(PERMuser, canon_user, sizeof(PERMuser));
>        PERMgetpermissions();
>        PERMneedauth = false;
>        PERMauthorized = true;
>        PERMcanauthenticate = false;
>
> There is only PERMuser and the PERMgetpermissions() function only searches
> for the right access group.  I cannot find a moment where there is a change
> of auth groups...  That is why I do not see well how to use any password
> provided during the SASL negotiation.

Oh!  I see what you're saying.  Yes, you don't get the credentials the
user gave during SASL.  The SASL library handles the authentication for
you and just tells you what user they authenticated as at the end.  So you
can't use any authentication system internal to INN in combination with
SASL.

(For some SASL authentication methods, such as GSSAPI, the user never sent
you anything even like a password but did something more complex.)

>> SASL ANONYMOUS authenticates as the anonymous user.  It should be
>> treated the same by INN as if the user hadn't authenticated at all, if
>> we even support it.  We may want to filter it out of the list of
>> supported authentication mechanisms.  See RFC 4505.
>
> All right.  I see that there is the NOANONYMOUS keyword to use.  There
> previously was NOPLAINTEXT but RFC 4642 specifies that SASL PLAIN should
> be provided if AUTHINFO USER is.  That is why I dropped it.  But SASL
> ANONYMOUS and SASL LOGIN were added at the same time.  Is SASL LOGIN
> still OK to use?

SASL LOGIN is obsolete in favor of SASL PLAIN.  They're basically
equivalent in capabilities.  See:

    http://tools.ietf.org/html/draft-murchison-sasl-login-00

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
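As an added illustration of the two points made above (after SASL completes the server sees only the canonical user name, never the credentials, and ANONYMOUS must count as no authentication at all), here is a small Python model written for this page; it is not INN's code, and the mechanism list, session fields and access-group table are constructed assumptions.

```python
from dataclasses import dataclass

# Security-property keyword named in the thread (Cyrus SASL spelling); LOGIN is
# obsolete in favour of PLAIN per the draft linked above.
NOANONYMOUS = "NOANONYMOUS"
OBSOLETE_MECHS = {"LOGIN": "PLAIN"}


def advertise_mechanisms(available, secprops, authinfo_user_offered):
    """Build the SASL mechanism list a server should advertise."""
    out = []
    for mech in available:
        if mech == "ANONYMOUS" and NOANONYMOUS in secprops:
            continue                      # filtered out, as the thread suggests
        if OBSOLETE_MECHS.get(mech) in available:
            continue                      # drop LOGIN when PLAIN is offered
        out.append(mech)
    if authinfo_user_offered and "PLAIN" not in out:
        out.append("PLAIN")               # RFC 4642 pairing noted in the thread
    return out


@dataclass
class Session:
    """Constructed stand-in for INN's PERM* globals."""
    user: str = ""
    needauth: bool = True
    authorized: bool = False
    canauthenticate: bool = True
    permissions: frozenset = frozenset()


# Constructed access-group table; a real server reads its access configuration.
ACCESS_GROUPS = {"alice": frozenset({"read", "post"})}


def sasl_success(sess, mech, canon_user):
    """Handle SASL completion. Only the canonical user name is available:
    the library did the authentication, so no password is ever seen here."""
    if mech == "ANONYMOUS":
        return sess                       # RFC 4505: same as not authenticating
    sess.user = canon_user
    sess.permissions = ACCESS_GROUPS.get(canon_user, frozenset())
    sess.needauth = False
    sess.authorized = True
    sess.canauthenticate = False
    return sess
```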
