RE: saslauthd + pam_mysql broken ?

From: Rob Siemborski (rjs3 at andrew dot cmu dot edu)
Date: Thu Mar 25 2004 - 16:19:42 EST

  • Next message: Michael Loftis: "SASL bug?"

    On Thu, 25 Mar 2004, Howard Chu wrote:

    > >I believe this is compliant with the specification, even if it means that
    > the
    > >realm= parameter ot the digest-response (and digest-challenge) is basicly
    > >useless. This makes DIGEST-MD5 consistant with every other mechanism (yes,
    > >KERBEROS_V4 and GSSAPI have a slightly different concept, but the execution
    > in
    > >this case is the same -- split at the @ sign). It also allows *all*
    > mechanims
    > >to support realms.
    > Rendering the DIGEST-MD5 "realm" parameter useless does not seem like a
    > positive thing to do. If it is truly useless, it shouldn't have been in the
    > spec. Since it is in the spec, there is probably an implementation out there
    > that depends on using it, and Cyrus' behavior will interfere with
    > interoperability in that case.

    We still use the realm paramater, it's just basicly functionless. No
    other implementation should break against it -- if they supply a realm
    other than the one we advertise, they lose (as they know they can).
    Likewise, the client side of our application will work properly with the
    GETREALM callback/interaction.

    > >I can also understand an argument that we should be disallowing user_realm
    > >values with an '@' sign.
    > And this also contradicts the spec that explicitly states that '@' is a valid
    > character in a realm name. Once again, taking this position will break
    > interoperability.

    How, exactly? If we are the client, nothing will ever break (since the
    client side deals with either username at realm for the authnid, and also
    enables the caller to pass a realm name. On the server side, we
    define the realm= pareameter to be the FQDN of the server (as it is
    the right of the server to do). We then accept authnids whose format is
    defined to be username at somedomain, which, internally, we treat as the
    "realm". What the application sees as realm and what is on the wire as
    the digest-md5 realm parameter have *nothing* to do with eachother.


    Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
    Research Systems Programmer * /usr/contributed Gatekeeper

  • Next message: Michael Loftis: "SASL bug?"

    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs

    Powered By FreeBSD   Powered By FreeBSD