On 26/08/11 15:10 +0000, Grant Delaney wrote:
Hi All
I have found an issue with saslauthd: it appears to let a user authenticate
with any password if the user's password is blank in the /etc/shadow file, on the
smtp service.
Environment:
Opensuse 11.4
rpm -qa cyrus-sasl
cyrus-sasl-2.1.23-15.1.x86_64
#/etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=shadow
# id sasltest
uid=1001(sasltest) gid=100(users) groups=33(video),100(users)
# testsaslauthd -u sasltest -p test -s smtp
0: OK "Success."
# testsaslauthd -u sasltest -p wrongtest -s smtp
0: NO "authentication failed"
# grep sasltest /etc/shadow
sasltest:$2y$10$RlSnCi99SDDFguMNk.rhcurpXphwm.NA9121vnVFi5RqzgmruFKye:15212:0:99999:7:::
Now if I remove the password in the shadow file.
# grep sasltest /etc/shadow
sasltest::15212:0:99999:7:::
# testsaslauthd -u sasltest -p test -s smtp
0: OK "Success."
# testsaslauthd -u sasltest -p wrongtest -s smtp
0: OK "Success."
# testsaslauthd -u sasltest -p icanputanythingIwanthere -s smtp
0: OK "Success."
Is this the expected result when using shadow as the auth mech?
I know the solution is not to use blank passwords, but I would expect it to
fail because you supplied a password when it does not have one, or not allow a
blank password. I recently had a customer being used as a spam relay because of
this. I have already explained that blank passwords are a bad idea.
Regards
Grant
Grant Delaney
Linux Administrator III [experience Fanatical Support]
Tel: +442087342500
Fax: +44 20 8606 6110
Web: www.rackspace.co.uk
I can confirm this using a SASL CVS checkout from 2011-05-23 (I'm using a
Debian patched install).
The issue affects both the getpwent and shadow backends. I could not
trigger the problem using the pam backend. I have not tested any of the
other backends.
With an empty password field in /etc/shadow (or in /etc/passwd with the getpwent
backend), I cannot actually authenticate with a blank password:
testsaslauthd -u testuser -p ""
but any other password succeeds.
--
Dan White
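Both messages above point at the same precondition: an account whose password field in /etc/shadow (or /etc/passwd, for the getpwent backend) is empty. The following is an added example, not code from the thread or from cyrus-sasl, that audits shadow- and passwd-format data for exactly that condition, distinguishing an empty field from a locked (`!`, `*`, `!!`) or hashed one, and shows what the file looks like once the empty fields are locked. The sample lines are constructed for the example; the hash on the root line is a placeholder, not a real credential.

```python
"""Audit /etc/shadow and /etc/passwd format lines for empty password fields.

Added example (not from the original thread or from cyrus-sasl). As reported
above, the saslauthd shadow and getpwent backends accept any non-empty password
for an account whose stored password field is empty, so such accounts must be
locked before either backend is used for SMTP AUTH.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample in /etc/shadow format. The root hash is a placeholder.
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:15212:0:99999:7:::
sasltest::15212:0:99999:7:::
daemon:*:15212:0:99999:7:::
mail:!:15212:0:99999:7:::
svc:!!:15212:0:99999:7:::
"""

# Constructed sample in /etc/passwd format. "x" defers to /etc/shadow; an
# empty field is the case the getpwent backend mishandles.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy::1002:100:Legacy user:/home/legacy:/bin/bash
"""


@dataclass
class Finding:
    user: str
    state: str   # "empty", "deferred", "locked" or "hashed"
    field: str   # the raw password field, for the report


def classify(pw_field: str) -> str:
    """Classify a single password field from shadow or passwd."""
    if pw_field == "":
        return "empty"          # any non-empty password will be accepted
    if pw_field == "x":
        return "deferred"       # passwd entry; the real field is in shadow
    if pw_field[0] in ("!", "*"):
        return "locked"         # "!", "!!", "*" or "!<hash>": no login
    return "hashed"


def audit(data: str) -> List[Finding]:
    """Parse colon-separated shadow/passwd lines into findings."""
    findings = []
    for raw in data.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")      # colons cannot appear inside a field
        if len(parts) < 2:
            continue
        findings.append(Finding(parts[0], classify(parts[1]), parts[1]))
    return findings


def empty_password_accounts(data: str) -> List[str]:
    """Names of accounts whose password field is empty."""
    return [f.user for f in audit(data) if f.state == "empty"]


def lock_empty(data: str) -> str:
    """Return the data with every empty password field replaced by '!'.

    On a live system use `passwd -l USER` or `usermod -L USER` instead of
    editing the file; this shows the intended result so it can be diffed.
    """
    out = []
    for raw in data.splitlines():
        parts = raw.split(":")
        if len(parts) >= 2 and parts[1] == "" and not raw.startswith("#"):
            parts[1] = "!"
        out.append(":".join(parts))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, data in (("/etc/shadow", SAMPLE_SHADOW),
                       ("/etc/passwd", SAMPLE_PASSWD)):
        bad = empty_password_accounts(data)
        print(f"{name}: accounts with empty password field: {bad or 'none'}")
```

On a real host the same check is a one-liner, `awk -F: '$2 == "" {print $1}' /etc/shadow`, run as root; the script above is for cases where the output needs to distinguish empty from locked fields or be applied to copies of the files offline.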