mu_authenticate?

Thanks for pushing the earlier fixes, things appear to work better now.

I'm able to successfully login using CRAM-MD5, DIGEST-MD5 and SCRAM-SHA-1. However I cannot login using LOGIN/PLAIN. The reason is that the former mechanisms use the GSASL_AUTHID/PASSWORDS callbacks to get the username/password and make the authentication decision inside GNU SASL, but the latter two mechanisms use the GSASL_VALIDATE_SIMPLE callback to make the authentication decision in Mailutils. Mailutils' GSASL_VALIDATE_SIMPLE callback is imap4d/auth_gsasl.c:cb_validate that does:

    auth = mu_get_auth_by_name (*username);
    if (auth == NULL)
      return GSASL_AUTHENTICATION_ERROR;
    rc = mu_authenticate (auth, pass);
    mu_auth_data_free (auth);
    return rc == 0 ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;

This fails with the errors below in syslog, most likely because I have not configured authentication modules properly.

What is the purpose of the code? Is the intention that it MUST be run for every user regardless of authentication method? If so, the code needs to be moved to the auth_gsasl function to make sure it is run for all mechanisms (however it could not work if in the future support for hashed passwords is added). If not, it would make sense to make the cb_validate function look for passwords in the cram-passwd file and SQL database too before using mu_authenticate.

I see the same problem in imap4d/auth_gss.c: there are no calls to mu_authenticate in that file.

I suspect (hope) that mu_authenticate need not be called for all users unconditionally, and in that case, the patch below makes LOGIN/PLAIN work for passwords stored in cram-passwd and SQL format.

Btw, the name of cram-passwd is a bit wrong now that it is also used for non-CRAM mechanisms. I'm not sure it is worthwhile to rename it.

Btw^2, maybe a cleaner approach is to add a function mu_gsasl_getpass, similar to mu_sql_getpass and use that? I don't fully understand the libmu_auth stuff.

/Simon

diff --git a/imap4d/auth_gsasl.c b/imap4d/auth_gsasl.c
index d04ba28..02dd710 100644
--- a/imap4d/auth_gsasl.c
+++ b/imap4d/auth_gsasl.c
@@ -237,6 +237,37 @@ cb_validate (Gsasl *ctx, Gsasl_session *sctx) *username = strdup (authid); + if (mu_gsasl_module_data.cram_md5_pwd + && access (mu_gsasl_module_data.cram_md5_pwd, R_OK) == 0) + { + char *key; + int rc = gsasl_simple_getpass (mu_gsasl_module_data.cram_md5_pwd, + authid, &key); + if (rc == GSASL_OK) + { + mu_diag_output (MU_DIAG_NOTICE, "ok"); + rc = strcmp (pass, key) == 0 ? GSASL_OK + : GSASL_AUTHENTICATION_ERROR; + free (key); + return rc; + } + } + +#ifdef USE_SQL + if (mu_sql_module_config.password_type == password_plaintext) + { + char *passwd; + int status = mu_sql_getpass (*username, &passwd); + if (status == 0) + { + rc = strcmp (pass, passwd) == 0 ? GSASL_OK + : GSASL_AUTHENTICATION_ERROR; + free (passwd); + return rc; + } + } +#endif + auth = mu_get_auth_by_name (*username); if (auth == NULL)

Sep 25 08:46:38 mocca imap4d[12379]: Getting auth info for user user
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 38=Function not implemented
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 0=Success
Sep 25 08:46:38 mocca imap4d[12379]: source=system, name=user, passwd=x, uid=1007, gid=1008, gecos=,,,, dir=/home/user, shell=/bin/bash, mailbox=/var/mail/user, quota=0, change_uid=1
Sep 25 08:46:38 mocca imap4d[12379]: mu_authenticate, user user, source system
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 4129=Authentication failed
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 4129=Authentication failed
Sep 25 08:46:38 mocca imap4d[12379]: Getting auth info for user user
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 38=Function not implemented
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 0=Success
Sep 25 08:46:38 mocca imap4d[12379]: source=system, name=user, passwd=x, uid=1007, gid=1008, gecos=,,,, dir=/home/user, shell=/bin/bash, mailbox=/var/mail/user, quota=0, change_uid=1
Sep 25 08:46:38 mocca imap4d[12379]: mu_authenticate, user user, source system
Sep 25 08:46:38 mocca imap4d[12379]: Trying generic...result: 4129=Authentication failed
Sep 25 08:46:38 mocca imap4d[12379]: Trying system...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: Trying pam...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: Trying sql...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying virtdomain...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying radius...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying ldap...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: GSASL error: Error authenticating user
Sep 25 08:46:40 mocca imap4d[12379]: Trying pam...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: Trying sql...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying virtdomain...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying radius...result: 38=Function not implemented
Sep 25 08:46:40 mocca imap4d[12379]: Trying ldap...result: 4129=Authentication failed
Sep 25 08:46:40 mocca imap4d[12379]: GSASL error: Error authenticating user

_______________________________________________
Bug-mailutils mailing list
Bug-mailutils@...
http://lists.gnu.org/mailman/listinfo/bug-mailutils
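Review bot: the `mu_diag_output (MU_DIAG_NOTICE, "ok");` in the cram_md5_pwd branch of the cb_validate hunk looks like a leftover debug trace and should be dropped before this goes in; at NOTICE level it also adds a syslog line for every successful password lookup. Two smaller points in the same hunk: `strcmp (pass, key)` and `strcmp (pass, passwd)` stop at the first differing byte, so a comparison whose running time does not depend on where the mismatch is would be preferable for a password check; and the first block declares its own `int rc`, which shadows the function's existing `rc` that the `#ifdef USE_SQL` block then assigns without a declaration, so it would be cleaner to use the one outer `rc` throughout. The `access (..., R_OK)` test followed by the open inside gsasl_simple_getpass is a check-then-use pair; relying on the gsasl_simple_getpass return value alone avoids the duplicate check.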
Re: mu_authenticate?

Simon Josefsson <simon@...> wrote:

> SCRAM-SHA-1. However I cannot login using LOGIN/PLAIN.

Probably, you have not configured the `gsasl' statement in your configuration file. See its short description in `imap4d --config-help' output.

> GSASL_VALIDATE_SIMPLE callback is imap4d/auth_gsasl.c:cb_validate that
> does:

[...]

> What is the purpose of the code? Is the intention that it MUST be run
> for every user regardless of authentication method?

No, of course not. It must be run only in the validation callback. Its purpose is as follows:

> auth = mu_get_auth_by_name (*username);

This returns a pointer to a structure containing the information about this account, or NULL if no such account exists. This function is a MU counterpart of getpwnam(3). The difference is that it looks the user up in the MU authorization database, as set by the `auth' statement (http://www.gnu.org/software/mailutils/manual/html_node/Auth-Statement.html), and that the resulting structure contains some more information about the account.

> if (auth == NULL)
> return GSASL_AUTHENTICATION_ERROR;

If there is no such user, report an error.

> rc = mu_authenticate (auth, pass);

The mu_authenticate function verifies if the password (pass) matches that stored in the `auth' structure. The authentication mechanism is configured by the `auth' configuration statement.

> mu_auth_data_free (auth);

The `auth' structure is freed.

> return rc == 0 ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;

The return from mu_authenticate determines that of the callback function.

> Btw, the name of cram-passwd is a bit wrong now that it is also used for
> non-CRAM mechanisms. I'm not sure it is worthwhile to rename it.

It is definitely worth it. Thanks for pointing that out.

> Btw^2, maybe a cleaner approach is to add a function mu_gsasl_getpass,
> similar to mu_sql_getpass and use that?

Yes, perhaps. I am now thinking about clearer ways to organize the auth stuff. I'll probably use this idea too.

> I suspect (hope) that mu_authenticate need not be called for all users
> unconditionally, and in that case, the patch below makes LOGIN/PLAIN
> work for passwords stored in cram-passwd and SQL format.

I'll try this. Thank you.

Regards,
Sergey
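The two messages above turn on one distinction: for CRAM-MD5, DIGEST-MD5 and SCRAM-SHA-1 the server only supplies the stored secret and the SASL library makes the decision, while for PLAIN and LOGIN the library hands the server an (authid, password) pair and the server's validation callback decides, which in the patch means walking the cram-passwd file, then the SQL table, then the `auth' database. The following C program is an added example written for this thread, not Mailutils or GNU SASL code: it mocks both callback styles and a chain of credential sources with the lookup, verify, decide shape of cb_validate. The result codes, the source names, the credentials and the `sql_enabled` switch (standing in for a build without USE_SQL) are all constructed for the example, and a source that is "not implemented" is skipped rather than treated as a failed login, mirroring the 38=Function not implemented entries in the syslog excerpt.

```c
/* Added example, not Mailutils or GNU SASL code.  Models the property-style
 * callback (library decides) versus the validate-simple callback (server
 * decides), backed by a chain of constructed credential sources. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Result codes modelled on the GSASL_* values named in the thread. */
enum { EX_OK = 0, EX_AUTHENTICATION_ERROR = 1, EX_NO_CALLBACK = 2 };

/* What one credential source reports about an authid. */
enum source_result { SRC_NOT_IMPLEMENTED, SRC_NO_SUCH_USER, SRC_FOUND };

struct cred { const char *authid; const char *password; };

/* Constructed stand-ins for the cram-passwd file and a plaintext SQL table. */
static const struct cred file_creds[] = { { "alice", "correct horse" } };
static const struct cred sql_creds[]  = { { "bob",   "s3cret" } };
static int sql_enabled = 1;   /* 0 models a build without SQL support */

static enum source_result
scan (const struct cred *t, size_t n, const char *authid, const char **pw)
{
  size_t i;
  for (i = 0; i < n; i++)
    if (strcmp (t[i].authid, authid) == 0)
      {
        *pw = t[i].password;
        return SRC_FOUND;
      }
  return SRC_NO_SUCH_USER;
}

static enum source_result file_source (const char *authid, const char **pw)
{
  return scan (file_creds, sizeof file_creds / sizeof file_creds[0], authid, pw);
}

static enum source_result sql_source (const char *authid, const char **pw)
{
  if (!sql_enabled)
    return SRC_NOT_IMPLEMENTED;   /* skipped, not counted as a failure */
  return scan (sql_creds, sizeof sql_creds / sizeof sql_creds[0], authid, pw);
}

typedef enum source_result (*source_fn) (const char *, const char **);
static const source_fn sources[] = { file_source, sql_source };

/* Try each source in order; the first one that knows the user wins. */
static enum source_result find_password (const char *authid, const char **pw)
{
  size_t i;
  for (i = 0; i < sizeof sources / sizeof sources[0]; i++)
    if (sources[i] (authid, pw) == SRC_FOUND)
      return SRC_FOUND;
  return SRC_NO_SUCH_USER;
}

/* Comparison whose running time depends only on the stored value's length,
 * not on the position of the first mismatching byte. */
static int ct_equal (const char *expected, const char *given)
{
  size_t elen = strlen (expected), glen = strlen (given);
  unsigned char diff = (unsigned char) (elen != glen);
  size_t i;
  for (i = 0; i < elen; i++)
    diff |= (unsigned char) (expected[i] ^ given[i < glen ? i : glen]);
  return diff == 0;
}

/* Password-property style: hand the secret to the library, which then
 * performs the challenge/response check itself. */
static int cb_password (const char *authid, const char **pw)
{
  return find_password (authid, pw) == SRC_FOUND ? EX_OK : EX_NO_CALLBACK;
}

/* Validate-simple style: the server makes the decision (PLAIN, LOGIN). */
static int cb_validate_simple (const char *authid, const char *given)
{
  const char *stored;
  if (find_password (authid, &stored) != SRC_FOUND)
    return EX_AUTHENTICATION_ERROR;
  return ct_equal (stored, given) ? EX_OK : EX_AUTHENTICATION_ERROR;
}

/* Mock of the library side: which callback a mechanism routes through.  The
 * challenge/response of the property mechanisms is modelled as a direct
 * comparison of the client's proof with the stored secret. */
static int sasl_authenticate (const char *mech, const char *authid, const char *proof)
{
  const char *stored;
  if (strcmp (mech, "PLAIN") == 0 || strcmp (mech, "LOGIN") == 0)
    return cb_validate_simple (authid, proof);      /* server decides */
  if (cb_password (authid, &stored) != EX_OK)
    return EX_AUTHENTICATION_ERROR;                 /* library decides */
  return ct_equal (stored, proof) ? EX_OK : EX_AUTHENTICATION_ERROR;
}

int main (void)
{
  printf ("PLAIN alice: %d\n", sasl_authenticate ("PLAIN", "alice", "correct horse"));
  printf ("CRAM-MD5 bob: %d\n", sasl_authenticate ("CRAM-MD5", "bob", "s3cret"));
  sql_enabled = 0;   /* bob's source is now "not implemented" */
  printf ("LOGIN bob (no SQL): %d\n", sasl_authenticate ("LOGIN", "bob", "s3cret"));
  return 0;
}
```

The point of the chain is that a source that does not know the user returns "no such user" and the next source is consulted, whereas a source that knows the user and rejects the password ends the attempt, which is the early-return behaviour of the patch's cram-passwd and SQL branches.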