bug-mailutils

[bug-mailutils] mu_authenticate?


From: Simon Josefsson
Subject: [bug-mailutils] mu_authenticate?
Date: Fri, 25 Sep 2009 09:16:55 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Thanks for pushing the earlier fixes, things appear to work better now.

I'm able to successfully login using CRAM-MD5, DIGEST-MD5 and
SCRAM-SHA-1.  However I cannot login using LOGIN/PLAIN.  The reason is
that the former mechanisms use the GSASL_AUTHID/PASSWORDS callbacks to
get the username/password and makes the authentication decision inside
GNU SASL, but the latter two mechanisms use the GSASL_VALIDATE_SIMPLE
callback to make the authentication decision in Mailutils.  Mailutils'
GSASL_VALIDATE_SIMPLE callback is imap4d/auth_gsasl.c:cb_validate that
does:

  auth = mu_get_auth_by_name (*username);

  if (auth == NULL)
    return GSASL_AUTHENTICATION_ERROR;

  rc = mu_authenticate (auth, pass);
  mu_auth_data_free (auth);

  return rc == 0 ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;

This fails with the errors below in syslog, most likely because I have
not configured authentication modules properly.

What is the purpose of the code?  Is the intention that it MUST be run
for every user regardless of authentication method?  If so, the code
needs to be moved to the auth_gsasl function to make sure it is run for
all mechanisms (however it could not work if in the future support for
hashed passwords is added).  If not, it would make sense to make the
cb_validate function look for passwords in the cram-passwd file and SQL
database too before using mu_authenticate.

I see the same problem in imap4d/auth_gss.c: there are no calls to
mu_authenticate in that file.

I suspect (hope) that mu_authenticate need not be called for all users
unconditionally, and in that case, the patch below makes LOGIN/PLAIN
work for passwords stored in cram-passwd and SQL format.

Btw, the name of cram-passwd is a bit wrong now that it is also used for
non-CRAM mechanisms.  I'm not sure it is worthwhile to rename it.

Btw^2, maybe a cleaner approach is to add a function mu_gsasl_getpass,
similar to mu_sql_getpass and use that?  I don't fully understand the
libmu_auth stuff.

/Simon

diff --git a/imap4d/auth_gsasl.c b/imap4d/auth_gsasl.c
index d04ba28..02dd710 100644
--- a/imap4d/auth_gsasl.c
+++ b/imap4d/auth_gsasl.c
@@ -237,6 +237,37 @@ cb_validate (Gsasl *ctx, Gsasl_session *sctx)
   
   *username = strdup (authid);
   
+  if (mu_gsasl_module_data.cram_md5_pwd
+      && access (mu_gsasl_module_data.cram_md5_pwd, R_OK) == 0)
+    {
+      char *key;
+      int rc = gsasl_simple_getpass (mu_gsasl_module_data.cram_md5_pwd,
+                                    authid, &key);
+      if (rc == GSASL_OK)
+       {
+         mu_diag_output (MU_DIAG_NOTICE, "ok");
+         rc = strcmp (pass, key) == 0 ? GSASL_OK
+           : GSASL_AUTHENTICATION_ERROR;
+         free (key);
+         return rc;
+       }
+    }
+
+#ifdef USE_SQL
+  if (mu_sql_module_config.password_type == password_plaintext)
+    {
+      char *passwd;
+      int status = mu_sql_getpass (*username, &passwd);
+      if (status == 0)
+       {
+         rc = strcmp (pass, passwd) == 0 ? GSASL_OK
+           : GSASL_AUTHENTICATION_ERROR;
+         free (passwd);
+         return rc;
+       }
+    }
+#endif
+
   auth = mu_get_auth_by_name (*username);
 
   if (auth == NULL)
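Review bot: the `mu_diag_output (MU_DIAG_NOTICE, "ok");` call in the cram-passwd block looks like leftover debugging output and should be dropped before this is merged (or demoted to a debug-level message), since it would otherwise log on every successful lookup. Both new blocks compare the client-supplied password against the stored one with `strcmp (pass, key)`, which returns at the first differing byte; a fixed-time comparison would avoid leaking the length of the matching prefix through timing. Note also that once a user is found in cram-passwd with a mismatching password, the function returns GSASL_AUTHENTICATION_ERROR immediately without consulting the SQL store or mu_authenticate, so a user present in two stores with different passwords can only authenticate with the cram-passwd one; if that precedence is intended it deserves a comment. Finally, the SQL branch assigns to the outer `rc` while the cram-passwd branch shadows it with a local `int rc`; giving the SQL branch its own local would keep the two symmetrical.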

Sep 25 08:46:38 mocca imap4d[12379]: Getting auth info for user user
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 38=Function not implemented
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 0=Success
Sep 25 08:46:38 mocca imap4d[12379]: source=system, name=user, passwd=x, uid=1007, gid=1008, gecos=,,,, dir=/home/user, shell=/bin/bash, mailbox=/var/mail/user, quota=0, change_uid=1
Sep 25 08:46:38 mocca imap4d[12379]: mu_authenticate, user user, source system
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 4129=Authentication failed
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 4129=Authentication failed
Sep 25 08:46:38 mocca imap4d[12379]: Getting auth info for user user
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 38=Function not implemented
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 0=Success
Sep 25 08:46:38 mocca imap4d[12379]: source=system, name=user, passwd=x, uid=1007, gid=1008, gecos=,,,, dir=/home/user, shell=/bin/bash, mailbox=/var/mail/user, quota=0, change_uid=1
Sep 25 08:46:38 mocca imap4d[12379]: mu_authenticate, user user, source system
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 4129=Authentication failed
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: Trying pam...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: Trying sql...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying virtdomain...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying radius...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying ldap...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: GSASL error: Error authenticating user
Sep 25 08:46:40 mocca imap4d[12379]: Trying pam...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: Trying sql...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying virtdomain...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying radius...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying ldap...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: GSASL error: Error authenticating user
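The message above describes the split between mechanisms that let the SASL library decide (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-1, which only need the stored password handed over via the GSASL_PASSWORD callback) and LOGIN/PLAIN, where the server receives the cleartext password and the GSASL_VALIDATE_SIMPLE callback has to make the decision itself, consulting one password store after another. The following is an added example, not code from Mailutils or GNU SASL, of what such a validate-simple decision looks like when written defensively: the cram-passwd-style table is consulted first and a second store after it, as in the proposed patch, the comparison runs in fixed time rather than via `strcmp`, and a user absent from every store is reported separately so the caller can fall through to system authentication. The password-file format (one `user<TAB>password` line), the store contents, the function names and the numeric result codes are all assumptions made for this illustration.

```c
/* Added example (not Mailutils or GNU SASL code): a GSASL_VALIDATE_SIMPLE-style
 * decision that consults a cram-passwd-style table and then a second store,
 * in the order the proposed patch uses.  File format, store contents and
 * result codes are assumptions for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the GSASL_OK / GSASL_AUTHENTICATION_ERROR codes cb_validate
 * returns, plus a third outcome the patch expresses by falling through. */
enum { VALIDATE_OK = 0, VALIDATE_AUTH_ERROR = 1, VALIDATE_NO_SUCH_USER = 2 };

/* Constructed contents of a cram-passwd-style file: "user<TAB>password" lines. */
static const char cram_passwd_file[] =
    "alice\tcorrect-horse\n"
    "bob\tbattery-staple\n";

/* Constructed second store, standing in for a plaintext-password SQL backend. */
static const char *const sql_users[][2] = {
    { "carol", "sql-secret" },
};

/* Compare two strings without an early exit on the first differing byte, so
 * the time taken does not reveal how long the matching prefix was. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Look up authid in the embedded password file.  Returns 1 and copies the
 * stored password (NUL-terminated) into out when found, 0 otherwise. */
static int file_getpass(const char *authid, char *out, size_t outlen)
{
    const char *p = cram_passwd_file;
    size_t idlen = strlen(authid);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *tab = memchr(p, '\t', linelen);
        if (tab && (size_t)(tab - p) == idlen && memcmp(p, authid, idlen) == 0) {
            size_t pwlen = linelen - (size_t)(tab + 1 - p);
            if (pwlen >= outlen)
                return 0;               /* does not fit the caller's buffer */
            memcpy(out, tab + 1, pwlen);
            out[pwlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Same lookup against the constructed second store. */
static int sql_getpass(const char *authid, char *out, size_t outlen)
{
    for (size_t i = 0; i < sizeof sql_users / sizeof sql_users[0]; i++) {
        if (strcmp(sql_users[i][0], authid) == 0) {
            if (strlen(sql_users[i][1]) >= outlen)
                return 0;
            strcpy(out, sql_users[i][1]);
            return 1;
        }
    }
    return 0;
}

/* The validate-simple decision: the first store that knows the user decides.
 * A user absent from every store yields VALIDATE_NO_SUCH_USER so the caller
 * can fall through to mu_authenticate-style system authentication. */
int validate_simple(const char *authid, const char *pass)
{
    char stored[256];
    if (file_getpass(authid, stored, sizeof stored)
        || sql_getpass(authid, stored, sizeof stored)) {
        int ok = ct_equal(pass, stored);
        memset(stored, 0, sizeof stored);   /* best-effort scrub of the secret */
        return ok ? VALIDATE_OK : VALIDATE_AUTH_ERROR;
    }
    return VALIDATE_NO_SUCH_USER;
}

int main(void)
{
    printf("alice/correct-horse -> %d\n", validate_simple("alice", "correct-horse"));
    printf("alice/wrong         -> %d\n", validate_simple("alice", "wrong"));
    printf("carol/sql-secret    -> %d\n", validate_simple("carol", "sql-secret"));
    printf("dave/anything       -> %d\n", validate_simple("dave", "anything"));
    return 0;
}
```

The ordering mirrors the patch: a user that exists in the first store with a wrong password is rejected outright rather than retried against later stores, which keeps a mismatch in one backend from being bypassed through another.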