Bug#728332: plain/login authentication failure - no mechanism available
Andrei POPESCU
andreimpopescu at gmail.com
Sat Nov 2 14:59:47 UTC 2013
Control: reassign -1 libsasl2-2 2.1.25.dfsg1-6+deb7u1
On Mi, 30 oct 13, 20:58:16, Christian Schwamborn wrote:
> Package: libsasl2
> Version: 2.1.25.dfsg1-6+deb7u1
> Severity: important
>
> A quote from the upstream bugreport:
>
> Formerly (as of 2.1.23) SASL library did not care if there was no
> auxprop plugin set up/present, current (2.1.25) library _requires_
> the presence of properly configured and working auxprop plugin,
> making SASL useless as an auth provider in daily operations.
>
> The following configuration works with cyrus-sasl 2.1.23 and fails
> miserably with "no mechs available" with cyrus-sasl 2.1.25:
>
> - run saslauthd with pam as an auth mechanism
> - run postfix (or any other daemon) with pwcheck_method set to saslauthd
>
> The root cause is the call to _sasl_auxprop_lookup_user_props that
> has been added to _sasl_canon_user(_lookup) which causes
> authentication to fail if no auxprop plugin is configured.
> <end of quote>
>
> This issue is known in the cyrus-sasl and ubuntu bugtracker as well:
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590
> https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/875440
>
> I attached the patch from revision d1b57852247641be30decc480b0719d322f0bc5c
>
> I hope this can be applied to wheezy, since it really breaks an easy
> mailserver setup.
>
> Cheers,
> Christian Schwamborn
> From d1b57852247641be30decc480b0719d322f0bc5c Mon Sep 17 00:00:00 2001
> From: Alexey Melnikov <alexey.melnikov at isode.com>
> Date: Thu, 19 Apr 2012 14:41:12 +0100
> Subject: Fixed PLAIN/LOGIN authentication failure when using saslauthd with
> no auxprop plugins
>
> PLAIN/LOGIN plugins should be able to work with no auxprop plugins configured,
> for example if they are using saslauthd. This patch fixes them to work
> in such configurations. In order to achieve this the following changes were
> made
>
> 1) SASL_NOMECH should be handled the same way as SASL_NOUSER while looking
> up auxprop properties.
> 2) SASL PLAIN/LOGIN should pass "this identity was verified externally"
> to auxprop lookup. This will prevent auxprop lookup from failing with
> SASL_NOMECH. Note that they verify user accounts using checkpass interface
> anyway.
>
> Cyrus SASL Bug # 3590
>
> Test-information:
> The following SASL plugins were tested:
> PLAIN, EXTERNAL, SCRAM-SHA-1, LOGIN (partially)
> They were tested with missing auxprop plugins and with a present one.
> ---
> include/sasl.h | 4 +++-
> lib/canonusr.c | 8 +++++---
> plugins/login.c | 6 ++++--
> plugins/plain.c | 2 +-
> 4 files changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/include/sasl.h b/include/sasl.h
> index 2ac5300..ed27104 100755
> --- a/include/sasl.h
> +++ b/include/sasl.h
> @@ -633,8 +633,10 @@ typedef int sasl_server_userdb_setpass_t(sasl_conn_t *conn,
> /* One of the following two is required */
> #define SASL_CU_AUTHID 0x01
> #define SASL_CU_AUTHZID 0x02
> +
> /* Combine the following with SASL_CU_AUTHID, if you don't want
> - to fail if auxprop returned SASL_NOUSER */
> + to fail if auxprop returned SASL_NOUSER/SASL_NOMECH.
> + This flag has no effect on SASL_CU_AUTHZID. */
> #define SASL_CU_EXTERNALLY_VERIFIED 0x04
>
> #define SASL_CU_OVERRIDE 0x08 /* mapped to SASL_AUXPROP_OVERRIDE */
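Review bot: the new header comment says the flag "has no effect on SASL_CU_AUTHZID", but the lib/canonusr.c hunk in this same patch tests only `flags & SASL_CU_EXTERNALLY_VERIFIED`, so the restriction is not visible at the point where SASL_NOUSER/SASL_NOMECH are swallowed; either point the comment at the code that enforces it or make the check explicit there. Since the meaning of the flag is being widened from "already verified" to "verified independently", this comment should also state the contract that a caller setting it must still verify the credential itself (for PLAIN/LOGIN that is the checkpass/verify_password step), because auxprop errors are no longer fatal once it is set.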
> diff --git a/lib/canonusr.c b/lib/canonusr.c
> index 0049d13..faee103 100644
> --- a/lib/canonusr.c
> +++ b/lib/canonusr.c
> @@ -241,12 +241,14 @@ static int _sasl_auxprop_lookup_user_props (sasl_conn_t *conn,
> }
> }
>
> - if (result == SASL_NOUSER && (flags & SASL_CU_EXTERNALLY_VERIFIED)) {
> + if ((flags & SASL_CU_EXTERNALLY_VERIFIED) && (result == SASL_NOUSER || result == SASL_NOMECH)) {
> /* The called has explicitly told us that the authentication identity
> - was already verified. So a failure to retrieve any associated properties
> + was already verified or will be verified independently.
> + So a failure to retrieve any associated properties
> is not an error. For example the caller is using Kerberos to verify user,
> but the LDAPDB/SASLDB auxprop plugin doesn't contain any auxprops for
> - the user. */
> + the user.
> + Another case is PLAIN/LOGIN not using auxprop to verify user passwords. */
> result = SASL_OK;
> }
> }
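Review bot: with the widened condition, a present but misconfigured auxprop plugin that returns SASL_NOMECH is now silently treated as success for any caller passing SASL_CU_EXTERNALLY_VERIFIED, which makes a broken lookup configuration hard to notice from the outside; a debug-level log line before `result = SASL_OK;` naming the original result and the flag would keep the failure diagnosable without changing behaviour. While the surrounding comment is being rewritten, the unchanged context line "The called has explicitly told us" should read "The caller has explicitly told us".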
> diff --git a/plugins/login.c b/plugins/login.c
> index ee44be6..f2a05ac 100644
> --- a/plugins/login.c
> +++ b/plugins/login.c
> @@ -179,9 +179,11 @@ static int login_server_mech_step(void *conn_context,
>
> /* canonicalize username first, so that password verification is
> * done against the canonical id */
> - result = params->canon_user(params->utils->conn, text->username,
> + result = params->canon_user(params->utils->conn,
> + text->username,
> text->username_len,
> - SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
> + SASL_CU_AUTHID | SASL_CU_AUTHZID | SASL_CU_EXTERNALLY_VERIFIED,
> + oparams);
> if (result != SASL_OK) return result;
>
> /* verify_password - return sasl_ok on success */
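Review bot: SASL_CU_EXTERNALLY_VERIFIED is now set before verify_password has run, so at this call site the flag name no longer describes the state of the identity; a one-line comment above the call saying that the password is checked by the verify_password call that follows would prevent a future reader from assuming the user has already been authenticated here. Note also that this hunk ORs the flag into a call that carries SASL_CU_AUTHZID as well, whereas the plugins/plain.c hunk adds it only to the SASL_CU_AUTHID lookup; that is consistent only because the include/sasl.h comment promises the flag has no effect on SASL_CU_AUTHZID, so the two should be kept in step if that promise ever changes.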
> diff --git a/plugins/plain.c b/plugins/plain.c
> index ddbc1f8..e6180a1 100644
> --- a/plugins/plain.c
> +++ b/plugins/plain.c
> @@ -159,7 +159,7 @@ static int plain_server_mech_step(void *conn_context __attribute__((unused)),
> result = params->canon_user(params->utils->conn,
> authen,
> 0,
> - SASL_CU_AUTHID | canon_flags,
> + SASL_CU_AUTHID | canon_flags | SASL_CU_EXTERNALLY_VERIFIED,
> oparams);
> if (result != SASL_OK) {
> _plug_free_string(params->utils, &passcopy);
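Review bot: after this change the only thing standing between an unknown user and a successful PLAIN login is the password check that follows canonicalization, since an auxprop lookup returning SASL_NOUSER or SASL_NOMECH no longer reaches the `result != SASL_OK` branch here; the Test-information in the commit message lists PLAIN as tested with and without an auxprop plugin, and it would be worth stating explicitly that a wrong password and an unknown user were confirmed to still fail in the no-auxprop case, not only that a correct login succeeds.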
>
--
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt