Subject: Re: sasl and --disable-login
To: Johnny C. Lam <jlam@netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: tech-pkg
Date: 03/19/2003 14:10:11
>> i note, with trepidation, that the cyrus-sasl packages are configured
>> with --disable-login. while i understand that the login protocol is
>> almost completely worthless from a security standpoint, it is however
>> the only means that programs like outlook will use to authenticate to
>> an smtp server that offers authentication (eg the postfix package).
>>
>[snip]
>>
>> maybe i should just enable the login method...
>
>My memory about Cyrus SASL is a bit fuzzy, but I think that if the LOGIN
>authentication plugin is installed, then when the SASL negotiation step
>occurs to discover a common authentication mechanism, the server doesn't
>advertise that it can do LOGIN, but it will accept it if the client asks
>for it explicitly. To me, this sounds like security through obscurity.
>Also from what I remember about Cyrus SASL, there is no global
>configuration file to specify which authentication mechanisms are allowed
>or disallowed; it's merely a matter of which plugins are available in
>${PREFIX}/lib/sasl. I think we can just build the LOGIN plugin separately
>from the rest of Cyrus SASL in another package, e.g. cy-login or
>cyrus-sasl-login, so that normal users of SASL aren't hobbled by a bad
>authentication mechanism while users that need it can just install a
>separate package for the extra functionality.
for smtp (via postfix, at least) it ends up looking like this:
# telnet smtp 25
Trying 13.166.0.84...
Connected to smtp.
Escape character is '^]'.
220 smtp ESMTP Postfix
ehlo localhost
250-smtp
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
#
and cyrus's imap seems to say "LOGINDISABLED" in the capabilities list
(but i don't want it there, so that's fine) though i can't recall if
that was there or not before.
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
werdna@squooshy.com * "information is power -- share the wealth."
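Added example (not from the original thread, and not code from Cyrus SASL or Postfix): a small Python script that parses an EHLO reply like the Postfix one above for advertised AUTH mechanisms, flags LOGIN and PLAIN as cleartext-equivalent unless TLS is already up, and decodes a captured AUTH LOGIN exchange to show that base64 is all that stands between a passive sniffer and the password. The EHLO text is reconstructed from the transcript in the message; the username/password capture is constructed for the example. Postfix emits the second, legacy "250-AUTH=" line for old clients (its broken_sasl_auth_clients setting), so the parser folds both spellings together.

```python
"""Parse EHLO capabilities and decode AUTH LOGIN (added example, not from the thread)."""
import base64

# Mechanisms that put a reusable password on the wire with no protection
# beyond base64. Acceptable only inside TLS.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

# Reconstructed from the Postfix transcript in the message above.
EHLO_RESPONSE = """250-smtp
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
"""

# Constructed capture of an AUTH LOGIN exchange on a non-TLS connection.
LOGIN_CAPTURE = [
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),           # base64("Username:")
    ("C", "YW5kcmV3"),                   # base64("andrew")
    ("S", "334 UGFzc3dvcmQ6"),           # base64("Password:")
    ("C", "aHVudGVyMg=="),               # base64("hunter2")
    ("S", "235 2.7.0 Authentication successful"),
]


def parse_ehlo(text):
    """Return {KEYWORD: [params]} for every extension line of an EHLO reply.

    Lines are '250-KEYWORD params' (continuation) or '250 KEYWORD' (last).
    The first line carries the server name, not an extension. The obsolete
    'AUTH=mech ...' form is folded into the 'AUTH' keyword.
    """
    caps = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:                       # skip the greeting line
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO line: %r" % line)
        body = line[4:]                          # drop '250-' or '250 '
        if body.startswith("AUTH="):
            body = "AUTH " + body[5:]
        parts = body.split()
        if not parts:
            continue
        caps.setdefault(parts[0].upper(), []).extend(p.upper() for p in parts[1:])
    return caps


def advertised_auth(text):
    """AUTH mechanisms the server advertises, deduplicated, in order."""
    seen = []
    for mech in parse_ehlo(text).get("AUTH", []):
        if mech not in seen:
            seen.append(mech)
    return seen


def weak_mechs(text, tls_active=False):
    """Advertised mechanisms that would leak the password on this connection."""
    if tls_active:
        return []
    return [m for m in advertised_auth(text) if m in CLEARTEXT_MECHS]


def encode_login(user, password):
    """The two client lines of AUTH LOGIN: base64 of username, then password."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def decode_login_exchange(transcript):
    """Recover the credentials from a captured AUTH LOGIN exchange.

    transcript is a list of (direction, line) pairs, direction 'C' or 'S'.
    Each server '334 <b64>' prompt names the field; the next client line
    is that field's value, base64-encoded and otherwise unprotected.
    """
    creds = {}
    pending = None
    for direction, line in transcript:
        if direction == "S" and line.startswith("334 "):
            pending = base64.b64decode(line[4:]).decode().rstrip(":").lower()
        elif direction == "C" and pending is not None:
            creds[pending] = base64.b64decode(line).decode()
            pending = None
    return creds


if __name__ == "__main__":
    print("advertised:", advertised_auth(EHLO_RESPONSE))
    print("cleartext-equivalent without TLS:", weak_mechs(EHLO_RESPONSE))
    print("recovered from capture:", decode_login_exchange(LOGIN_CAPTURE))
```

Run it as-is to see the three lines it prints; point parse_ehlo at a real EHLO reply (after STARTTLS, and then again before it) to check whether a server only offers LOGIN and PLAIN once the session is encrypted. It does not answer the other question raised above, whether a server quietly accepts a mechanism it did not advertise; that needs a live connection and an explicit AUTH LOGIN attempt against the pre-TLS capability list.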