SASL support in INN 2.5.0

Julien ÉLIE julien at trigofacile.com
Thu Jun 25 19:39:28 UTC 2009


Hi all,

Another problem with SASL is that it cannot be disabled in INN 2.5.0.
When compiled with SASL support, AUTHINFO SASL is advertised and
it cannot be changed.

Consider for instance the Debian package which has SASL support.
A news client will see AUTHINFO SASL and try to authenticate with
AUTHINFO SASL PLAIN <base64-string>.  Then the news server will
probably answer that the authentication has failed.  (I assume it
was not configured.)  And the news client will *not* try the
legacy AUTHINFO USER/PASS.  Therefore, it will be impossible for
it to authenticate properly...

That's why I had imagined having an sasl_auth: parameter in readers.conf
auth blocks.  If set to true, then an AUTHINFO SASL request will
match this block if successful.

AUTHINFO SASL would not be advertised if there is no "sasl_auth: true"
in readers.conf.


Besides, the use of sasl_auth: would fix several other issues like
the fact that AUTHINFO SASL currently does not work when there is
a key: parameter, that no auth block is matched, etc.

require_ssl: can then be used to require a negotiation of a secure
SASL layer (the auth block will match or not depending on it).


If there is a perl_auth:, python_auth: or auth: parameter along with
"sasl_auth: true", they will not be checked if AUTHINFO SASL is used
(there might be no password with AUTHINFO SASL).


Any thoughts about that?  Other suggestions?

-- 
Julien ÉLIE

"I am adroit with my left hand and I am gauche
  with my right hand." (Raymond Devos)
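
A small model of the behaviour proposed in the message above, added here as an illustration; it is not INN code and not part of the original post. The sasl_auth: parameter is the post's proposal, while the parser, the function names and the sample readers.conf fragment are constructed for this example.

```python
import re

# Simplified readers.conf subset: auth "name" { key: value ... }
BLOCK_RE = re.compile(r'\bauth\s+"([\w-]+)"\s*\{(.*?)\}', re.S)
PARAM_RE = re.compile(r'^[ \t]*([\w-]+):[ \t]*(.*?)[ \t]*$', re.M)

# Constructed sample; sasl_auth: is the parameter proposed in the post.
SAMPLE_CONF = '''
auth "legacy" {
    auth: "placeholder-authenticator"
}
auth "sasl-tls" {
    sasl_auth: true
    require_ssl: true
    auth: "placeholder-authenticator"
}
auth "sasl-any" {
    sasl_auth: true
}
'''

def parse_auth_blocks(conf):
    """Return [(block_name, {param: value})] in file order."""
    return [(n, dict(PARAM_RE.findall(b))) for n, b in BLOCK_RE.findall(conf)]

def is_true(params, key):
    return params.get(key, "false").lower() == "true"

def advertises_sasl(blocks):
    """AUTHINFO SASL is advertised only if some block sets sasl_auth: true."""
    return any(is_true(p, "sasl_auth") for _, p in blocks)

def matching_sasl_blocks(blocks, sasl_ok, secure_layer):
    """Names of the auth blocks an AUTHINFO SASL exchange can match."""
    if not sasl_ok:
        return []  # a failed exchange matches no block
    names = []
    for name, params in blocks:
        if not is_true(params, "sasl_auth"):
            continue  # block only serves AUTHINFO USER/PASS
        if is_true(params, "require_ssl") and not secure_layer:
            continue  # require_ssl demands a negotiated secure SASL layer
        names.append(name)  # auth:/perl_auth:/python_auth: are not consulted
    return names

if __name__ == "__main__":
    blocks = parse_auth_blocks(SAMPLE_CONF)
    print("advertise AUTHINFO SASL:", advertises_sasl(blocks))
    print("with secure layer:", matching_sasl_blocks(blocks, True, True))
    print("without secure layer:", matching_sasl_blocks(blocks, True, False))
```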



