Re: Is a blank SASL password valid with PLAIN?


 



On 07/29/15 14:51 -0400, Brian Bouterse wrote:

I've been doing some development on Kombu [0] which uses SASL to
authenticate against a Qpid message bus. In one specific case, when
Kombu makes a Qpid client connection it calls
establish(username='guest', password=''). establish() is part of the
Qpid client library [1]. In Python, '' is an empty string, which is
different than None, the reserved keyword for empty (null).

At some point as establish calls into qpid.messaging ->
python-saslwrapper -> cyrus-sasl-lib/plain we are being prompted for a
password even though we specify password=''. Is password='' an invalid
value in the SASL PLAIN protocol, or is this just a bug in these
libraries that should be fixed?

We are running these sasl libraries:

cyrus-sasl-2.1.26-17.el7.x86_64
cyrus-sasl-md5-2.1.26-17.el7.x86_64
saslwrapper-0.22-5.el7sat.x86_64
cyrus-sasl-plain-2.1.26-17.el7.x86_64
cyrus-sasl-lib-2.1.26-17.el7.x86_64
python-saslwrapper-0.22-5.el7sat.x86_64

I can provide more info if that is helpful. I know this is a silly
thing to use SASL with an empty password but users are doing it and it
halts the process while waiting for input from a daemon process.
Thanks in advance.

Per RFC 4616 (SASL PLAIN), the password must be at least 1 non-null UTF-8
character. Presumably libsasl will continue to trigger a SASL_INTERACT
while there is no recognized password.

You're responsible for performing any necessary error checking within your
(Kombu's) code prior to that point. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/programming.php#callbacks_interactions

--
Dan White
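
The error checking described in the reply above, done in the calling code before any SASL library is reached, as an added example that is not part of the original thread and is not Kombu, Qpid or Cyrus SASL code. It follows the RFC 4616 message grammar (authcid and passwd are each one or more UTF-8 characters, none of them NUL); the function and exception names are hypothetical, and SASLprep and length limits are not applied.

```python
# Added example: pre-flight check for SASL PLAIN credentials (RFC 4616 grammar).
# validate_plain_credentials() and build_plain_message() are hypothetical helper
# names, not part of Kombu, qpid.messaging or saslwrapper.


class InvalidPlainCredentials(ValueError):
    """Raised before any SASL library call so a daemon never blocks on a prompt."""


def _check_field(name, value, required):
    # None and '' are both "no value" as far as the PLAIN grammar is concerned.
    if value is None or value == "":
        if required:
            raise InvalidPlainCredentials(f"{name} must contain at least one character")
        return b""
    if not isinstance(value, str):
        raise InvalidPlainCredentials(f"{name} must be a str")
    if "\x00" in value:
        # NUL is the field separator in the PLAIN message, never allowed inside a field.
        raise InvalidPlainCredentials(f"{name} must not contain NUL")
    try:
        return value.encode("utf-8")
    except UnicodeEncodeError as exc:  # e.g. lone surrogates
        raise InvalidPlainCredentials(f"{name} is not valid UTF-8") from exc


def build_plain_message(username, password, authzid=None):
    """Return the RFC 4616 message: [authzid] NUL authcid NUL passwd."""
    authz = _check_field("authzid", authzid, required=False)
    authc = _check_field("username", username, required=True)
    passwd = _check_field("password", password, required=True)
    return authz + b"\x00" + authc + b"\x00" + passwd


def validate_plain_credentials(username, password):
    """Return None if usable with PLAIN, else a reason string (never prompts)."""
    try:
        build_plain_message(username, password)
    except InvalidPlainCredentials as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs; the first pair is the one from the thread.
    for user, pw in [("guest", ""), ("guest", None), ("guest", "gu\x00est"), ("guest", "guest")]:
        print(repr(user), repr(pw), "->", validate_plain_credentials(user, pw) or "ok")
```

A caller that gets a reason string back can fail the connection attempt or select a different mechanism instead of handing an empty password to the library.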


