[KLUG Members] SASL
Peter Buxton
members@kalamazoolinux.org
Wed, 16 Oct 2002 17:11:27 -0400 (EDT)
> http://www.sendmail.org/~ca/email/mel/SASL_ClientRef.html
Yeah, I found that, too.
> That lists SASL-compliant clients. When I go to those sites, I see
> little or no mention of SASL support.
No. Mutt, e.g., supports several authentication schemes (PLAIN,
DIGEST-MD5, GSSAPI). Your server uses SASL to negotiate one of those
schemes and uses SASL to run a PLAIN.plugin or CRAM-MD5.plugin to
authenticate the user.
Think:
Network Apps : SASL :: Local Apps : PAM
                         PAM     SASL
  network-aware          no      yes
  passes passwords
    in plaintext         yes     PLAIN, yes; all others, no
Since login(8) runs on your local box, no one cares if you give your
password in the clear. Over telnet, that's a little hairier: you should
compile in.telnetd with SASL and tell /etc/SASL.telnet (e.g.) not to
accept plain passwords. Then compile your telnet client to use CRAM-MD5,
say. Now your telnet connection still isn't encrypted, but your password
is authenticated without being passed in the clear.
(See the relevant RFC, Message Digest Authentication, about that secure
password-passing method.)
If Cyrus spoke PAM directly, I would have just used that, even though
*all* passwords would have been passed en clair unless over SSL/TLS. As it
is, Cyrus comes with SASL, but SASL speaks PAM, so I told Cyrus to
negotiate a PLAIN login anyway, pass that password to SASL's PLAIN.plugin,
and SASL authenticates against the system's PAM. (This was by far the
fastest (quick and dirty) way to do things.)
You have no idea how long it took me to figure that out. :-(
--
You can fill my head with Gummi Bears, but I
won't talk! -- Tom Servo, Satellite of Love
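The PLAIN-versus-CRAM-MD5 point in the post, worked through as an added example (this is not code from the original message, from Cyrus, or from the SASL library): a constructed credential store, a fixed RFC 2195 challenge with made-up pid/timestamp/hostname, and both sides of each exchange, so you can see which mechanism puts the password bytes on the wire and why a challenge-response answer cannot be replayed against a fresh challenge.

```python
import base64
import hashlib
import hmac

# Constructed sample credential store (not from the post). Note that CRAM-MD5
# verification needs the server to know the password itself (or an MD5 state
# derived from it); a crypt-hashed system password database cannot supply that.
USERS = {"alice": "correct horse battery staple"}


def plain_response(authcid: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64-encoded.

    The password crosses the wire unchanged; only TLS underneath protects it."""
    raw = authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def plain_server_verify(response_b64: str, users: dict) -> bool:
    """Server side of PLAIN: recover the password and check it against the store."""
    parts = base64.b64decode(response_b64).split(b"\0")
    if len(parts) != 3:
        return False
    authcid, password = parts[1].decode(), parts[2].decode()
    stored = users.get(authcid)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def cram_md5_challenge(pid: int, timestamp: int, hostname: str) -> str:
    """RFC 2195 server challenge: a msg-id style string, sent base64-encoded."""
    return base64.b64encode(f"<{pid}.{timestamp}@{hostname}>".encode()).decode()


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client answer: user SP hex(HMAC-MD5(key=password, msg=challenge)), base64-encoded."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_server_verify(response_b64: str, challenge_b64: str, users: dict) -> bool:
    """Server side of CRAM-MD5: recompute the HMAC from the stored password and compare."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    stored = users.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def password_on_wire(wire_b64: str, password: str) -> bool:
    """True if the decoded wire payload contains the password verbatim."""
    return password.encode() in base64.b64decode(wire_b64)


def demo() -> dict:
    """Run both exchanges with the constructed credentials and summarise the outcome."""
    pw = USERS["alice"]
    plain = plain_response("alice", pw)
    chal = cram_md5_challenge(12345, 1034802687, "mail.example.test")  # made-up values
    cram = cram_md5_response("alice", pw, chal)
    fresh = cram_md5_challenge(12346, 1034802700, "mail.example.test")  # next session
    return {
        "plain_ok": plain_server_verify(plain, USERS),
        "plain_leaks": password_on_wire(plain, pw),
        "cram_ok": cram_md5_server_verify(cram, chal, USERS),
        "cram_leaks": password_on_wire(cram, pw),
        "cram_replay": cram_md5_server_verify(cram, fresh, USERS),  # old answer, new challenge
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `cram_replay` entry is the practical reason the post's author ended up negotiating PLAIN and handing the password to PAM: a challenge-response mechanism only works if the server can recompute the HMAC, which means holding the password (or an equivalent secret) itself, while PAM will only answer "is this password correct" when given the password. PLAIN over SSL/TLS is the usual way to reconcile the two.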