ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)
Ken Murchison
ken at oceana.com
Mon Dec 9 17:31:19 PST 2002
Andrew Gierth wrote:
>
> >>>>> "Ken" == Ken Murchison <ken at oceana.com> writes:
>
> Ken> Unless I don't fully understand your problem, I don't see what
> Ken> this has to do with SASL.
>
> not to do with SASL as a framework, but with all the SASL schemes which
> I have reviewed (with the obvious exception of PLAIN), including those
> which have been suggested for "servers and clients MUST support ...".
>
> But it's clear you don't understand the problem, so I will give a
> detailed example.
>
> suppose user at example.com, whose password is 'foo123', connects to the
> server. At present, what happens is:
>
> client sends AUTHINFO USER user at example.com
> server remembers username, responds with 381
> client sends AUTHINFO PASS foo123
>
> at this point, the server consults its configuration to find the
> authentication method for 'example.com'; for example, this may specify
> a RADIUS server address and secret. The server then makes a RADIUS
> query, which it can easily do because it has both the username and
> password in hand. Note that the server does _not_ itself store _any_
> info about valid users in 'example.com', especially not their
> passwords.
>
> This obviously isn't possible using mechanisms like DIGEST-MD5,
> CRAM-MD5 or SRP, because all of those are based around the client
> _proving knowledge of the password_ rather than actually _sending_ the
> password. If the server does not have access to stored passwords, but
> only has access to a separate authentication mechanism that uses a
> _different_ protocol, then there is no way for the server to provide
> any of these methods.
Yes, this is a well known problem with infrastructures which are based
around a plaintext methodology. I guess your alternatives are to switch
to something like Kerberos or try resurrecting Newman's DSS effort (or
something similar) in ietf-sasl. If the WG likes the idea, I'll volunteer
to write the plugin for CMU SASL.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
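The asymmetry Andrew describes above, shown as an added example that is not code from either poster: a server that only has a "is this username/password valid?" oracle (a stand-in for the RADIUS query) can relay AUTHINFO USER/PASS, but cannot complete CRAM-MD5, because the server side of CRAM-MD5 must re-key HMAC-MD5 with the stored password. The backend table, challenge string and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional

# Constructed stand-in for the thread's RADIUS-style backend: the NNTP server
# can only ask "is this username/password pair valid?" and never sees the
# stored password itself. The user and password are the ones from the thread.
_BACKEND_USERS = {"user@example.com": "foo123"}

def backend_verify(username: str, password: str) -> bool:
    """The only interface the server in the thread has: a plaintext oracle."""
    return _BACKEND_USERS.get(username) == password

def authinfo_user_pass(username: str, password: str) -> bool:
    """AUTHINFO USER / AUTHINFO PASS: the server holds both values and relays them."""
    return backend_verify(username, password)

def cram_md5_client(username: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 of the challenge keyed by
    the password, so the password itself never crosses the wire."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def cram_md5_server(response_b64: str, challenge_b64: str,
                    password_lookup: Callable[[str], Optional[str]]) -> bool:
    """Server side of CRAM-MD5: recomputes the HMAC, which requires the stored
    password (or an HMAC-MD5 context derived from it) for that user."""
    username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    stored = password_lookup(username)
    if stored is None:
        return False  # nothing to key the HMAC with, so nothing to compare
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# Constructed server challenge in the RFC 2195 style.
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@news.example.com>").decode()

def with_stored_passwords(username: str) -> Optional[str]:
    """A server that keeps its own password table can verify CRAM-MD5."""
    return _BACKEND_USERS.get(username)

def with_oracle_only(username: str) -> Optional[str]:
    """The thread's situation: backend_verify exists, but no password can be
    retrieved, so the lookup CRAM-MD5 needs cannot be satisfied."""
    return None
```

Swapping DIGEST-MD5 or SRP for CRAM-MD5 changes the arithmetic but not the shape: each needs a per-user secret (or a value derived from it) on the server side that a verify-only backend does not hand out.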