[KLUG Members] SASL

Peter Buxton members@kalamazoolinux.org
Wed, 16 Oct 2002 17:11:27 -0400 (EDT)


> http://www.sendmail.org/~ca/email/mel/SASL_ClientRef.html

Yeah, I found that, too.

> That lists SASL-compliant clients. When I go to those sites, I see
> little or no mention of SASL support.

No. Mutt, e.g., supports several authentication schemes (PLAIN,
DIGEST-MD5, GSSAPI). Your server uses SASL to negotiate one of those
schemes and uses SASL to run a PLAIN.plugin or CRAM-MD5.plugin to
authenticate the user.

Think:

Network Apps : SASL :: Local Apps : PAM

                   PAM   SASL
network-aware      no    yes
passes passwords   yes   PLAIN: yes; all others: no
   in plaintext

Since login(8) runs on your local box, no one cares if you give your
password in the clear. Over telnet, that's a little hairier: you should
compile in.telnetd with SASL and tell /etc/SASL.telnet (e.g.) not to
accept plain passwords. Then compile your telnet client to use CRAM-MD5,
say. Now your telnet connection still isn't encrypted, but your password
is authenticated without being passed in the clear.

(See the relevant RFC, Message Digest Authentication, about that secure
password-passing method.)

If Cyrus spoke PAM directly, I would have just used that, even though
*all* passwords would have been passed en clair unless over SSL/TLS. As it
is, Cyrus comes with SASL, but SASL speaks PAM, so I told Cyrus to
negotiate a PLAIN login anyway, pass that password to SASL's PLAIN.plugin,
and SASL authenticates against the system's PAM. (This was by far the
fastest (quick and dirty) way to do things.)

You have no idea how long it took me to figure that out. :-(

-- 
You can fill my head with Gummi Bears, but I
won't talk! -- Tom Servo, Satellite of Love
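Worked example (added here; not code from the post above, from Cyrus SASL, or from mutt): both sides of the two mechanisms the message contrasts, PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195), driven once each so you can see what an eavesdropper on an unencrypted telnet/IMAP link would actually get. The user name, password, host name and password store are constructed for the example; the `<pid.time@host>` challenge shape is the one RFC 2195 suggests.

```python
"""Added example: SASL PLAIN vs CRAM-MD5, client and server side of each exchange.
Constructed data throughout; not code from the original post or from Cyrus SASL."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- PLAIN: the client simply ships the password; base64 is encoding, not encryption

def plain_client_response(authcid: str, password: str, authzid: str = "") -> str:
    """Client side of PLAIN: one message, authzid NUL authcid NUL passwd, base64."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode("utf-8")).decode("ascii")

def plain_server_verify(response: str, password_db: dict) -> Optional[str]:
    """Server side of PLAIN: decode, look the user up, compare. Returns authcid on success."""
    _authzid, authcid, password = base64.b64decode(response).decode("utf-8").split("\0")
    stored = password_db.get(authcid)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return authcid
    return None

# --- CRAM-MD5: challenge/response keyed by the password; the password never goes out

def cram_md5_challenge(hostname: str) -> str:
    """Server side, step 1: a fresh nonce in the RFC 2195 '<pid.time@host>' shape.
    Freshness is what stops a captured response from being replayed later."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"

def cram_md5_client_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed by the password over the challenge, sent as
    'username hexdigest' (base64 on the wire). The password itself stays local."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")

def cram_md5_server_verify(response: str, challenge: str, password_db: dict) -> Optional[str]:
    """Server side, step 2: recompute the HMAC from the stored secret and compare.
    Caveat: this is why a CRAM-MD5 server needs the plaintext password (or a
    precomputed HMAC-MD5 key state) per user, unlike a hashed /etc/shadow entry."""
    username, _, digest = base64.b64decode(response).decode("utf-8").rpartition(" ")
    stored = password_db.get(username)
    if stored is None:
        return None
    expected = hmac.new(stored.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None

def run_exchange(mechanism: str, username: str, password: str, password_db: dict) -> dict:
    """Drive one authentication and record what a sniffer on the unencrypted link
    sees after base64 decoding (base64 hides nothing from an attacker)."""
    wire = []  # (sender, base64 message) pairs, as they would cross the network
    if mechanism == "PLAIN":
        resp = plain_client_response(username, password)
        wire.append(("C", resp))
        who = plain_server_verify(resp, password_db)
    elif mechanism == "CRAM-MD5":
        chal = cram_md5_challenge("imap.example.test")  # constructed host name
        wire.append(("S", base64.b64encode(chal.encode("utf-8")).decode("ascii")))
        resp = cram_md5_client_response(username, password, chal)
        wire.append(("C", resp))
        who = cram_md5_server_verify(resp, chal, password_db)
    else:
        raise ValueError(f"unsupported mechanism {mechanism!r}")
    seen = "".join(base64.b64decode(m).decode("utf-8", "replace") for _, m in wire)
    return {"authenticated": who, "wire": wire, "password_visible": password in seen}

if __name__ == "__main__":
    db = {"peter": "gummi-bears"}  # constructed password store (plaintext, see caveat)
    for mech in ("PLAIN", "CRAM-MD5"):
        r = run_exchange(mech, "peter", "gummi-bears", db)
        print(mech, "auth:", r["authenticated"], "password on wire:", r["password_visible"])
        for sender, msg in r["wire"]:
            print("  ", sender + ":", base64.b64decode(msg).decode("utf-8", "replace"))
```

Run it and the PLAIN transcript shows the password verbatim once decoded, while the CRAM-MD5 transcript shows only the challenge and a hex digest; the same response fails against a second challenge, which is the replay protection. The trade-off the code comment points at is real: CRAM-MD5 protects the password on the wire but forces the server to keep a plaintext-equivalent secret, which is exactly the compromise the post avoids by sending PLAIN through SASL to PAM (and which is why PLAIN should then only be allowed over SSL/TLS).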