Re: sasl_pwcheck_method
At Tue, 09 Jun 2009 01:19:49 +0200, li...@oliver-block.eu wrote:
Subject: Re: Re: sasl_pwcheck_method
>
> Dan White wrote:
> > When authenticating via CRAM-MD5, the pwcheck_method will be ignored. Your chosen pwcheck_method should only be referenced when authenticating via a 'plaintext' authentication mechanism - LOGIN or PLAIN.
>
> Good to know. I must have omitted this part of the manual. :-)
>
> > The fact that mtest attempted to authenticate via CRAM-MD5 probably means that you are advertising CRAM-MD5 support within imapd.conf.
>
> Actually cyrus seems to do that by his own!? Adding
>
> sasl_mech_list: PLAIN LOGIN
>
> to imapd.conf stops advertising it.

I've had the following in my template imapd.conf file for years now:

# Use these SASL authentication mechanisms.
#
# Don't use CRAM-MD5 or DIGEST-MD5 if you don't have a local sasldb
# and you start saslauthd with -a getpwent
#
# Don't use OTP or ANONYMOUS unless you really need them -- it causes some
# clients to prefer it, such as cyradm.
#
# Don't put PLAIN before LOGIN -- it buggers Mozilla.
#
sasl_mech_list: LOGIN PLAIN

I'm not sure why Mozilla was confused, or whether current versions would still be confused, but suffice it to say that no current clients I've encountered in relatively large user populations have had problems with the order being LOGIN PLAIN.

--
Greg A. Woods
+1 416 218-0098    VE3TCP    RoboHack wo...@robohack.ca
Planix, Inc. wo...@planix.com    Secrets of the Weird wo...@weird.com

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
sasl_pwcheck_method
Hello everybody,

I configured cyrus imapd on an Opensuse 11 machine following the recommendation in a README file. Now I discovered the following - for me odd behavior - which might depend on a misconfiguration.

/etc/imap.conf:
sasl_pwcheck_method: saslauthd

/etc/sysconfig/saslauthd:
SASLAUTHD_AUTHMECH=pam

If a user logs into cyrus (I used mtest from uw-imap because of its debug messages) it takes 4 trials (3 with CRAM-MD5 and a final with plain password) before the login succeeds.

By chance I've found a tutorial which recommends adding a user to sasldb2. I tried that and without any additional changes to the configuration the first login attempt succeeds.

I wonder if someone could tell me

1. Why did it take 4 attempts using the system credentials?
2. Why did it succeed with one attempt after a user with the same username and different password was added to sasldb2?
3. Why did the sasldb2 approach succeed at all without any configuration changes?

Your help is appreciated.

Best Regards,
Oliver Block
Re: sasl_pwcheck_method
li...@oliver-block.eu wrote:
> Hello everybody,
>
> I configured cyrus imapd on an Opensuse 11 machine following the recommendation in a README file. Now I discovered the following - for me odd behavior - which might depend on a misconfiguration.
>
> /etc/imap.conf:
> sasl_pwcheck_method: saslauthd
>
> /etc/sysconfig/saslauthd:
> SASLAUTHD_AUTHMECH=pam
>
> If a user logs into cyrus (I used mtest from uw-imap because of its debug messages) it takes 4 trials (3 with CRAM-MD5 and a final with plain password) before the login succeeds.
>
> By chance I've found a tutorial which recommends adding a user to sasldb2. I tried that and without any additional changes to the configuration the first login attempt succeeds.
>
> I wonder if someone could tell me
>
> 1. Why did it take 4 attempts using the system credentials?
> 2. Why did it succeed with one attempt after a user with the same username and different password was added to sasldb2?
> 3. Why did the sasldb2 approach succeed at all without any configuration changes?

When authenticating via CRAM-MD5, the pwcheck_method will be ignored. Your chosen pwcheck_method should only be referenced when authenticating via a 'plaintext' authentication mechanism - LOGIN or PLAIN.

The fact that mtest attempted to authenticate via CRAM-MD5 probably means that you are advertising CRAM-MD5 support within imapd.conf.

When authenticating via a mechanism which utilizes a shared secret, such as CRAM-MD5, your auxprop configuration will be used (sasl_auxprop_plugin). The default auxprop plugin is sasldb.

If you are advertising CRAM-MD5 support in /etc/imapd.conf, but do not have the user configured in an auxprop store, then CRAM-MD5 should always fail.

> 1. Why did it take 4 attempts using the system credentials?

mtest is probably falling back to PLAIN after 3 unsuccessful CRAM-MD5 login attempts.

> 2. Why did it succeed with one attempt after a user with the same username and different password was added to sasldb2?
> 3. Why did the sasldb2 approach succeed at all without any configuration changes?

Because adding the user to your (default) auxprop store allowed CRAM-MD5 to succeed.

If you are planning to support CRAM-MD5, you'll want to use:

sasl_pwcheck_method: auxprop

which will provide some consistency between PLAIN logins and CRAM-MD5 logins. It will not allow you to use PAM and you'll need to configure your users in /etc/sasldb2.

If you don't care about supporting CRAM-MD5, then remove it from your 'sasl_mech_list', and you can stick with saslauthd and PAM.

- Dan
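An added example, not part of any message in this thread: a small audit of imapd.conf text that reports when a shared-secret mechanism would be verified against the auxprop store instead of the configured sasl_pwcheck_method, which is the mismatch explained in the reply above. The function names and the sample configurations are constructed for illustration.

```python
# Added example: audit imapd.conf text for a verifier/mechanism mismatch.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}              # verified through sasl_pwcheck_method
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}  # verified through the auxprop store


def parse_imapd_conf(text):
    """Return {option: value} for 'option: value' lines, skipping # comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        options[key.strip().lower()] = value.strip()
    return options


def audit_sasl(text):
    """Return a list of findings about which store verifies each mechanism."""
    opts = parse_imapd_conf(text)
    pwcheck = opts.get("sasl_pwcheck_method", "").lower()
    auxprop = opts.get("sasl_auxprop_plugin", "sasldb")  # sasldb is the default
    findings = []
    if "sasl_mech_list" not in opts:
        findings.append("sasl_mech_list is not set: every installed mechanism "
                        "is advertised, which may include CRAM-MD5")
        return findings
    mechs = {m.upper() for m in opts["sasl_mech_list"].split()}
    for mech in sorted(mechs & SHARED_SECRET_MECHS):
        if pwcheck != "auxprop":
            findings.append(f"{mech} is verified against auxprop ({auxprop}), "
                            f"not sasl_pwcheck_method={pwcheck or 'unset'}")
    return findings


# Constructed samples mirroring the configurations discussed in the thread.
ORIGINAL = "sasl_pwcheck_method: saslauthd\n"
MIXED = "sasl_pwcheck_method: saslauthd\nsasl_mech_list: PLAIN CRAM-MD5\n"
PAM_ONLY = ("# plaintext mechanisms only\n"
            "sasl_pwcheck_method: saslauthd\nsasl_mech_list: LOGIN PLAIN\n")
AUXPROP = "sasl_pwcheck_method: auxprop\nsasl_mech_list: PLAIN CRAM-MD5\n"

if __name__ == "__main__":
    for name, conf in [("original", ORIGINAL), ("mixed", MIXED),
                       ("pam-only", PAM_ONLY), ("auxprop", AUXPROP)]:
        print(name, audit_sasl(conf) or "consistent")
```
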
Re: Re: sasl_pwcheck_method
Dan White wrote:
> When authenticating via CRAM-MD5, the pwcheck_method will be ignored. Your chosen pwcheck_method should only be referenced when authenticating via a 'plaintext' authentication mechanism - LOGIN or PLAIN.

Good to know. I must have omitted this part of the manual. :-)

> The fact that mtest attempted to authenticate via CRAM-MD5 probably means that you are advertising CRAM-MD5 support within imapd.conf.

Actually cyrus seems to do that by his own!? Adding

sasl_mech_list: PLAIN LOGIN

to imapd.conf stops advertising it.

As cyrus on this server will only be used by system users and with a secure connection, I think I will use it with PLAIN and pam.

Thanks for help.

Best Regards,
Oliver Block
Re: sasl_pwcheck_method: alwaystrue
It's not removed, it's just not compiled in by default.

You need to compile sasl with --enable-alwaystrue

-Rob

On Wed, 13 Nov 2002 [EMAIL PROTECTED] wrote:

> Hello,
>
> I can't remember who but someone told me that there was an option for sasl_pwcheck_method called alwaystrue which would bypass the user's password, now I have tried that but it looks like this doesn't exist as I can't see anything mentioning that and when I try it I see in the Cyrus log file:
>
> Nov 13 22:08:31 mail pop3d[331]: [ID 702911 auth.error] unknown password verifier
>
> So did someone lie to me maybe? Or was it maybe removed?
>
> Regards
> Marc

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
sasl_pwcheck_method: auxprop
Hi,

I have just upgraded to latest CVS SASL and IMAPD (2.2 branch). Now, when I try to authenticate through cyradm or pop3 or imap using

sasl_pwcheck_method: auxprop

in imapd.conf, I can not authenticate and I get this in the auth log:

Sep 30 11:12:34 auth:debug imap: imap[32561]: could not find auxprop plugin, was searching for '[all]'
Sep 30 11:12:34 auth:debug imap: imap[32561]: could not find auxprop plugin, was searching for '[all]'

I'm using DB4.0 and all libs seem to be linked right:

ldd /usr/cyrus/bin/imapd
libsasl2.so.2 => /usr/include/db4/lib/libsasl2.so.2 (0x40016000)
libssl.so.0.9.6 => /usr/include/db4/lib/libssl.so.0.9.6 (0x40029000)
libcrypto.so.0.9.6 => /usr/include/db4/lib/libcrypto.so.0.9.6 (0x40056000)
libdb-4.0.so => /usr/include/db4/lib/libdb-4.0.so (0x40114000)
libresolv.so.2 => /lib/libresolv.so.2 (0x401a3000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x401b4000)
libc.so.6 => /lib/libc.so.6 (0x401b7000)
libdl.so.2 => /lib/libdl.so.2 (0x402e8000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

sasl plugins are in /usr/lib/sasl2
/usr/include/db4/lib is a symlink to /usr/lib (as db4 libs are there)

SASLDB seems to work, as saslpasswd2 and sasldblistusers2 work:

sasldblistusers2
mailadmin@atlas: userPassword

ls -al /usr/lib/sasl2/
total 264
drwxr-xr-x  2 root root  4096 Sep 30 02:00 .
drwxr-xr-x 41 root root 12288 Sep 30 11:00 ..
-rw-r--r--  1 root root 11780 Sep 30 02:00 libanonymous.a
-rwxr-xr-x  1 root root   724 Sep 30 02:00 libanonymous.la
lrwxrwxrwx  1 root root    21 Sep 30 02:00 libanonymous.so -> libanonymous.so.2.0.7
lrwxrwxrwx  1 root root    21 Sep 30 02:00 libanonymous.so.2 -> libanonymous.so.2.0.7
-rwxr-xr-x  1 root root 15478 Sep 30 02:00 libanonymous.so.2.0.7
-rw-r--r--  1 root root 14390 Sep 30 02:00 libcrammd5.a
-rwxr-xr-x  1 root root   710 Sep 30 02:00 libcrammd5.la
lrwxrwxrwx  1 root root    19 Sep 30 02:00 libcrammd5.so -> libcrammd5.so.2.0.7
lrwxrwxrwx  1 root root    19 Sep 30 02:00 libcrammd5.so.2 -> libcrammd5.so.2.0.7
-rwxr-xr-x  1 root root 18443 Sep 30 02:00 libcrammd5.so.2.0.7
-rw-r--r--  1 root root 46230 Sep 30 02:00 libdigestmd5.a
-rwxr-xr-x  1 root root   742 Sep 30 02:00 libdigestmd5.la
lrwxrwxrwx  1 root root    21 Sep 30 02:00 libdigestmd5.so -> libdigestmd5.so.2.0.7
lrwxrwxrwx  1 root root    21 Sep 30 02:00 libdigestmd5.so.2 -> libdigestmd5.so.2.0.7
-rwxr-xr-x  1 root root 47581 Sep 30 02:00 libdigestmd5.so.2.0.7
-rw-r--r--  1 root root 12074 Sep 30 02:00 libplain.a
-rwxr-xr-x  1 root root   704 Sep 30 02:00 libplain.la
lrwxrwxrwx  1 root root    17 Sep 30 02:00 libplain.so -> libplain.so.2.0.7
lrwxrwxrwx  1 root root    17 Sep 30 02:00 libplain.so.2 -> libplain.so.2.0.7
-rwxr-xr-x  1 root root 15792 Sep 30 02:00 libplain.so.2.0.7
-rw-r--r--  1 root root 16500 Sep 30 02:00 libsasldb.a
-rwxr-xr-x  1 root root   753 Sep 30 02:00 libsasldb.la
lrwxrwxrwx  1 root root    18 Sep 30 02:00 libsasldb.so -> libsasldb.so.2.0.7
lrwxrwxrwx  1 root root    18 Sep 30 02:00 libsasldb.so.2 -> libsasldb.so.2.0.7
-rwxr-xr-x  1 root root 18649 Sep 30 02:00 libsasldb.so.2.0.7

It seems that SASL doesn't see SASLDB as auxprop method?

Any help would be appreciated.

Regards,
Carlos Velasco
sasl_pwcheck_method option not working
Hi,

I'm running Debian sid and installed the cyrus21-imapd packages. It seems to run fine using sasldb2. But when I change sasl_pwcheck_method to pam or saslauthd nothing happens. Cyrus still authenticates using the sasldb2 file. Saslauthd (with -a pam) is running and works (according to testsaslauthd).

There are no error messages in the mail.log and auth.log files. Even when I put the line

sasl_pwcheck_method: noway

in the imapd.conf file. And cyrus still works using sasldb2 then.

Please help me to get this working.

Hendrik
Is sasl_pwcheck_method: PAM broken on Solaris
Hi,

I've gone over and over my configuration, of which there's not much to configure, and I'm completely baffled. I'm running (or trying to) sasl 1.5.24, cyrus imap 2.0.12 on a Solaris 2.7 system. This is what I've configured:

imap was built with: --with-auth=unix
SASL was built with: --with-pam=/usr/lib/security

/etc/imapd.conf:
sasl_pwcheck_method: PAM

/etc/pam.conf
imapauth required /usr/lib/security/pam_unix.so.1 debug

In pam.conf, wondering if I needed the account management function as well, I also added and then later removed (since it made no difference) the following:

imapaccount required /usr/lib/security/pam_unix.so.1 debug

Am I missing something obvious, or is it simply broken on Solaris?

Thanks,
Rob

QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
(Whatever is said in Latin appears profound)

Rob Tanner
Manager of Systems and Communications
Linfield College, McMinnville OR
(503) 434-2558 [EMAIL PROTECTED]