Re: Multiple-Mechanism Sample Code?

On Wed Jan  3 20:04:56 2007, Andreas Winkelmann wrote:
> On Monday 18 December 2006 23:12, Alexey Melnikov wrote:
> > The client starts iterating through the ordered list, starting from the
> > strongest mechanism. It tries the mechanism. If authentication succeeds
> > - success. If not, the client may retry the mechanism (e.g. if the
> > server returned an indication that the password is incorrect) several
> > times, say 3 times. After that the client should move on to the next
> > strongest SASL mechanism and so on.

> No, I would say this is a Security Risk and of course useless.


Almost...


> If the Server offers DIGEST-MD5 and PLAIN, and the User/Client tries wrong Credentials, the second try will pass in Cleartext over the Internet. I would not like to see that if I just make a Typo in the Password, would you?


Well, the client really ought to be warning about this, and checking with the user. Of course, this might need a new API/callback for Cyrus SASL, I can't recall. (All my Cyrus SASL usage is on the server, my client usage uses its own library, which does do warnings).


> Oh and useless, because why should there be a difference between one of the Offered Mechanisms? If DIGEST-MD5 with one set of Credentials fails, why should it succeed with PLAIN? This is only the case with misconfigured Servers (Offering *-MD5 Mechanisms with saslauthd for example).

Ah... No, there's the transition case. For ACAP, for example, the attempt to authenticate with DIGEST-MD5 might yield a TRANSITION-NEEDED, but (all?) other protocols won't communicate that back to the client, so it's reasonable to try PLAIN.

PLAIN might work because SASL can pass the credentials onto the operating system's authentication method, whereas DIGEST-MD5 needs either a copy of the plaintext, or the intermediate hash, in which case that's per-user, not per-site. The simplest way of getting the data needed is to get the user to authenticate once using PLAIN, after which DIGEST-MD5 works.

Dave.
--
Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxx
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
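The fallback policy argued over above, as an added example that is not from this thread or from Cyrus SASL: a client-side mechanism loop that retries on bad credentials (3 times, as Alexey proposes), lets the transition case fall through to PLAIN (Dave's point), and refuses to downgrade to a cleartext mechanism after a stronger one rejected the credentials unless TLS is active or a confirm callback says yes (Andreas's typo scenario). The mechanism strength table, the Outcome reasons and the fake_server test double are my assumptions, not anything a real SASL library exposes.

```python
from dataclasses import dataclass

CLEARTEXT = {"PLAIN", "LOGIN"}   # mechanisms that send the password itself
STRENGTH = {"DIGEST-MD5": 3, "CRAM-MD5": 2, "PLAIN": 1, "LOGIN": 1}  # assumed ordering
MAX_RETRIES = 3                  # retries per mechanism on a bad-credentials result


@dataclass
class Outcome:
    ok: bool
    reason: str = ""  # "bad-credentials", "transition-needed", "unsupported" or ""


def choose_order(offered):
    """Strongest mechanism first; mechanisms this client does not know are skipped."""
    return sorted((m for m in offered if m in STRENGTH), key=lambda m: -STRENGTH[m])


def authenticate(offered, attempt, tls_active=False, confirm_downgrade=lambda m: False):
    """attempt(mech) runs one exchange and returns an Outcome.
    Returns (mechanism that succeeded or None, trace of (mech, result))."""
    trace = []
    credential_failure_seen = False
    for mech in choose_order(offered):
        if mech in CLEARTEXT and credential_failure_seen and not tls_active:
            # A stronger mechanism already rejected these credentials; resending
            # them in the clear would leak a near-correct password. Ask first.
            if not confirm_downgrade(mech):
                trace.append((mech, "refused-cleartext-downgrade"))
                continue
        for _ in range(MAX_RETRIES):
            out = attempt(mech)
            trace.append((mech, out.reason or "ok"))
            if out.ok:
                return mech, trace
            if out.reason == "bad-credentials":
                credential_failure_seen = True
                continue  # retry the same mechanism: probably a typo
            break         # transition-needed, unsupported, ...: next mechanism
    return None, trace


def fake_server(responses):
    """Constructed test double: maps mechanism -> fixed Outcome (not a real server)."""
    return lambda mech: responses.get(mech, Outcome(False, "unsupported"))
```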
