Package: libsasl2
Version: 2.1.25.dfsg1-6+deb7u1
Severity: important

A quote from the upstream bug report:

Formerly (as of 2.1.23) SASL library did not care if there was no auxprop plugin set up/present, current (2.1.25) library _requires_ the presence of properly configured and working auxprop plugin, making SASL useless as an auth provider in daily operations.

The following configuration works with cyrus-sasl 2.1.23 and fails miserably with "no mechs available" with cyrus-sasl 2.1.25:

- run saslauthd with pam as an auth mechanism
- run postfix (or any other daemon) with pwcheck_method set to saslauthd

The root cause is the call to _sasl_auxprop_lookup_user_props that has been added to _sasl_canon_user(_lookup) which causes authentication to fail if no auxprop plugin is configured.
<end of quote>

This issue is known in the cyrus-sasl and ubuntu bug tracker as well:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/875440

I attached the patch from revision d1b57852247641be30decc480b0719d322f0bc5c

I hope this can be applied to wheezy, since it really breaks an easy mailserver setup.

Cheers,
Christian Schwamborn
From d1b57852247641be30decc480b0719d322f0bc5c Mon Sep 17 00:00:00 2001
From: Alexey Melnikov <alexey.melni...@isode.com>
Date: Thu, 19 Apr 2012 14:41:12 +0100
Subject: Fixed PLAIN/LOGIN authentication failure when using saslauthd with
 no auxprop plugins

PLAIN/LOGIN plugins should be able to work with no auxprop plugins configured,
for example if they are using saslauthd. This patch fixes them to work
in such configurations. In order to achieve this the following changes were
made:

 1) SASL_NOMECH should be handled the same way as SASL_NOUSER while looking
    up auxprop properties.
 2) SASL PLAIN/LOGIN should pass "this identity was verified externally"
    to auxprop lookup. This will prevent auxprop lookup from failing with
    SASL_NOMECH. Note that they verify user accounts using checkpass interface
    anyway.

Cyrus SASL Bug # 3590

Test-information:
 The following SASL plugins were tested:
  PLAIN, EXTERNAL, SCRAM-SHA-1, LOGIN (partially)
 They were tested with missing auxprop plugins and with a present one.
---
 include/sasl.h  |    4 +++-
 lib/canonusr.c  |    8 +++++---
 plugins/login.c |    6 ++++--
 plugins/plain.c |    2 +-
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/include/sasl.h b/include/sasl.h
index 2ac5300..ed27104 100755
--- a/include/sasl.h
+++ b/include/sasl.h
@@ -633,8 +633,10 @@ typedef int sasl_server_userdb_setpass_t(sasl_conn_t *conn,
 /* One of the following two is required */
 #define SASL_CU_AUTHID  0x01
 #define SASL_CU_AUTHZID 0x02
+
 /* Combine the following with SASL_CU_AUTHID, if you don't want
-   to fail if auxprop returned SASL_NOUSER */
+   to fail if auxprop returned SASL_NOUSER/SASL_NOMECH.
+   This flag has no effect on SASL_CU_AUTHZID. */
 #define SASL_CU_EXTERNALLY_VERIFIED 0x04
 
 #define SASL_CU_OVERRIDE	    0x08    /* mapped to SASL_AUXPROP_OVERRIDE */
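Review bot: the updated comment on SASL_CU_EXTERNALLY_VERIFIED still describes the flag only in terms of what the caller wants ("if you don't want to fail if auxprop returned SASL_NOUSER/SASL_NOMECH"); since PLAIN/LOGIN now set it before the password has been checked, the header should state the contract that the lib/canonusr.c comment spells out, namely that the caller asserts the authid either has already been verified or will be verified by the caller itself, so that masking SASL_NOMECH is only safe when a later checkpass actually runs. Suggested wording: `/* Set with SASL_CU_AUTHID when the caller has verified, or will itself verify, the authentication identity; an auxprop result of SASL_NOUSER/SASL_NOMECH is then not treated as an error. This flag has no effect on SASL_CU_AUTHZID. */`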
diff --git a/lib/canonusr.c b/lib/canonusr.c
index 0049d13..faee103 100644
--- a/lib/canonusr.c
+++ b/lib/canonusr.c
@@ -241,12 +241,14 @@ static int _sasl_auxprop_lookup_user_props (sasl_conn_t *conn,
 	    }
 	}
 
-	if (result == SASL_NOUSER && (flags & SASL_CU_EXTERNALLY_VERIFIED)) {
+	if ((flags & SASL_CU_EXTERNALLY_VERIFIED) && (result == SASL_NOUSER || result == SASL_NOMECH)) {
 	    /* The called has explicitly told us that the authentication identity
-	       was already verified. So a failure to retrieve any associated properties
+	       was already verified or will be verified independently.
+	       So a failure to retrieve any associated properties
 	       is not an error. For example the caller is using Kerberos to verify user,
 	       but the LDAPDB/SASLDB auxprop plugin doesn't contain any auxprops for
-	       the user. */
+	       the user.
+	       Another case is PLAIN/LOGIN not using auxprop to verify user passwords. */
 	    result = SASL_OK;
 	}	
     }
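Review bot: masking SASL_NOMECH as SASL_OK here means a missing or misconfigured auxprop plugin is silently accepted whenever the caller sets SASL_CU_EXTERNALLY_VERIFIED, so the safety of the change rests entirely on each such caller running its own verification afterwards; the reordered condition is correct, but the comment should state explicitly that only SASL_NOUSER and SASL_NOMECH are masked and that every other auxprop error still propagates unchanged. Minor: the unchanged context line `/* The called has explicitly told us` should read `The caller`, and the closing brace line carries trailing whitespace.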
diff --git a/plugins/login.c b/plugins/login.c
index ee44be6..f2a05ac 100644
--- a/plugins/login.c
+++ b/plugins/login.c
@@ -179,9 +179,11 @@ static int login_server_mech_step(void *conn_context,
 
 	/* canonicalize username first, so that password verification is
 	 * done against the canonical id */
-	result = params->canon_user(params->utils->conn, text->username,
+	result = params->canon_user(params->utils->conn,
+				    text->username,
 				    text->username_len,
-				    SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+				    SASL_CU_AUTHID | SASL_CU_AUTHZID | SASL_CU_EXTERNALLY_VERIFIED,
+				    oparams);
 	if (result != SASL_OK) return result;
 	
 	/* verify_password - return sasl_ok on success */
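Review bot: SASL_CU_EXTERNALLY_VERIFIED is passed here before verify_password has run, so the flag name overstates the state at this point; this is only sound because the verify_password result is checked immediately afterwards, and a one-line comment at the call site should say so (e.g. `/* EXTERNALLY_VERIFIED: auxprop lookup is advisory here, verify_password below is authoritative */`). The same call also carries SASL_CU_AUTHZID, and per the include/sasl.h comment the new flag has no effect on authzid canonicalization; that is the intended behaviour and is worth stating next to the call.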
diff --git a/plugins/plain.c b/plugins/plain.c
index ddbc1f8..e6180a1 100644
--- a/plugins/plain.c
+++ b/plugins/plain.c
@@ -159,7 +159,7 @@ static int plain_server_mech_step(void *conn_context __attribute__((unused)),
     result = params->canon_user(params->utils->conn,
 				authen,
 				0,
-				SASL_CU_AUTHID | canon_flags,
+				SASL_CU_AUTHID | canon_flags | SASL_CU_EXTERNALLY_VERIFIED,
 				oparams);
     if (result != SASL_OK) {
 	_plug_free_string(params->utils, &passcopy);
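Review bot: the flag is ORed unconditionally into `SASL_CU_AUTHID | canon_flags`, consistent with plugins/login.c; as there, it is sound only because the plugin still verifies the password through the checkpass interface after canon_user returns (as the commit message notes), and the error path correctly keeps the `_plug_free_string(params->utils, &passcopy)` cleanup. Add a short comment here as well so a future reader does not assume the identity has been checked by the time canon_user returns; the full rationale belongs in one place (the sasl.h comment) and should be referenced from both plugins rather than repeated.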
