require_ssl with SASL secure layers

Julien ÉLIE julien at
Sat Jun 20 18:14:47 UTC 2009

Hi all,

> I think we could rename the require_ssl: parameter in readers.conf
> to something like require_encryption: in order to take into account
> both a successful STARTTLS command (or "nnrpd -S") and a successful
> AUTHINFO SASL with a negotiation of a secure layer.

I am facing a problem with that.
AUTHINFO SASL is a bit magical and does not use auth groups...

What I manage to do is when every auth group has require_ssl: set to
true, we prevent people from using AUTHINFO SASL PLAIN/LOGIN/EXTERNAL,
as well as AUTHINFO USER/PASS.  (This behaviour was previously only
done with TLS support because require_ssl: was valid only when compiled
with --with-openssl.)

But afterwards, I don't always have the possibility to associate an access
group with encryption required.

auth1 {
  key: "1"
  require_ssl: true

auth2 {
  require_ssl: false

access1 {
  key: "1"
  post: "*"

access2 {
  read: "*"

If AUTHINFO SASL negotiates a security layer, the user cannot use access1
because there is a key and AUTHINFO SASL did not bind to any auth group...
It will bind to access2.

This key: problem is generic in our SASL implementation with readers.conf;
it does not depend on require_ssl: and I do not know well how to handle that.

Something is missing in our SASL implementation...  Maybe a sasl_auth:
parameter in an auth group?  And the first one that matches will be used?
This parameter would be true/false.  (Or another name like sasl_allowed:
or... a list as Jeff suggested "*", "!*", "*,!LOGIN", "CRAM-MD5,OTP"...)
The default would be "*".
At the same time, while parsing auth groups after authentication, we can
see whether a secure layer has been negotiated and decide to keep or not
the auth group, etc.

Any thoughts about that?  Other suggestions?

Julien ÉLIE

« Quand tu auras lu ces lignes, le papyrus s'autodétruira. » (Astérix) 

More information about the inn-workers mailing list