On Thu, 30 Oct 2003, Nikola Milutinovic wrote:

> SASL provides an interface for applications - servers and clients - to perform
> authentication, using more or less secure mechanisms. Among some popular servers
> that you neglected to mention is Sendmail (a veteran in that field).

You may want to read doc/components.html (available at least in 2.1.16).

> Authentication mechanisms can be one of these:
>
> - PLAIN
> - CRAM-MD5
> - DIGEST-MD5
> - KERBEROS_IV
> - GSSAPI
> - EXTERNAL
>
> PLAIN
> -----
>
> Plain uses Base64 encoding for UserID/secret pair, which means it is insecure
> and has SSF (Security Strength Factor) of 0. Now, what is the UserID/Pass pair
> compared against?

It doesn't use base64 encoding. PLAIN is <authid>\0<authzid>\0<password>. The
base64 encoding is a side-effect of the application-level SASL encoding.

> There are several "internal" SASL mechanisms which can check user/pass pair:
>
> - AUXPROP SASL-DB (user/pass is stored in /etc/sasldb2)
> - AUXPROP SQL (user/pass is stored in MySQL, PostgreSQL or Oracle)
> - SASLAUTHD (external process "sasl authentication daemon" is used)
>
> SASLAuthD can check user/pass against a number of sources, like PAM, LDAP, NIS,
> Kerberos4/5, SASL-DB,...

The auxprop mechanisms don't "check" a password, they supply one for the
mechanism to do verification with.

> These mechanisms use MD5 check-sums to enhance the privacy of authentication.
> CRAM-MD5 is obsolete and you should use DIGEST-MD5. These mechanisms both rely
> on a "shared secret" being stored on the server, because that is used as a key
> for MD5 (or is it salt? - I'm not an expert on this). The storage is ALWAYS
> /etc/sasldb2 (is there a plan for SQL plugin?).

There is currently a plugin for SQL. Also there are third-party LDAP plugins
available.

> EXTERNAL
> --------
>
> This is actually SSL/TLS - public key cryptography. It can act as a "wrapper"
> for any other SASL mechanism. For instance, I use TLS+plaintext on my Cyrus IMAP
> and MS Outlook Express, Mozilla Mail, Opera Mail and Netscape Messenger.

EXTERNAL isn't "actually SSL/TLS", it is a way for an authorization ID to be
supplied when the connection is authenticated using a non-SASL mechanism (for
example, connection to a unix socket). SSL/TLS is simply one of those methods
that can provide outside authentication.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
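As an added example (not code from the thread or from the Cyrus SASL project), here is the PLAIN message Rob describes, built and parsed with the field order given in RFC 4616 (authzid, authcid, password), plus the SMTP AUTH framing that is where the base64 actually appears. Function names and sample credentials are my own.

```python
import base64
from typing import Tuple

# Constructed example: SASL PLAIN is NUL-separated fields, not base64.
# Base64 only shows up when the application protocol (SMTP here) puts
# the SASL message on a command line.


def plain_message(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """Return the raw PLAIN client message: [authzid] NUL authcid NUL passwd."""
    for name, value in (("authzid", authzid), ("authcid", authcid), ("passwd", passwd)):
        if "\0" in value:
            raise ValueError(f"{name} must not contain NUL, it is the field separator")
    if not authcid or not passwd:
        raise ValueError("authcid and passwd are mandatory")
    return b"\0".join(v.encode("utf-8") for v in (authzid, authcid, passwd))


def parse_plain(message: bytes) -> Tuple[str, str, str]:
    """Split a PLAIN message into (authzid, authcid, passwd).

    An empty authzid means "authorize as the authenticated identity", so it
    is reported as the authcid. Malformed input raises ValueError."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"PLAIN needs exactly two NUL separators, got {len(parts) - 1}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return (authzid or authcid, authcid, passwd)


def plain_is_well_formed(message: bytes) -> bool:
    """True when the server-side parser would accept the message."""
    try:
        parse_plain(message)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def smtp_auth_plain_line(message: bytes) -> str:
    """Application-level wrapping: SMTP AUTH (RFC 4954) carries the SASL
    message base64-encoded on the command line. That encoding is trivially
    reversible, which is why PLAIN has SSF 0 and belongs inside TLS."""
    return "AUTH PLAIN " + base64.b64encode(message).decode("ascii")


def smtp_auth_plain_parse(line: str) -> Tuple[str, str, str]:
    """Server side: strip the SMTP framing, undo base64, then parse PLAIN."""
    prefix = "AUTH PLAIN "
    if not line.startswith(prefix):
        raise ValueError("not an AUTH PLAIN initial-response line")
    return parse_plain(base64.b64decode(line[len(prefix):], validate=True))
```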