Last Update 2000-06-24
Since some of the mechanisms used in SMTP AUTH don't support realms, Cyrus SASL (starting with 1.5.10) uses a hack for those: it appends @HOST.DOMAIN to the authid before looking it up in sasldb. This is at least used for CRAM-MD5, and for PLAIN if pwcheck_method: sasldb has been chosen in Sendmail.conf.
For the authentication mechanisms PLAIN and LOGIN, the password check method (pwcheck_method) in the Sendmail.conf configuration file can be:

  sasldb      - The user is looked up in sasldb with the realm.
  passwd      - The user is looked up via getpwnam().
  shadow      - The user is looked up via getspnam().
  PAM         - The user is looked up via PAM.
  kerberos_v4 - The user is looked up via KERBEROS V4.
  pwcheck     - The user/passwd combination is checked via a separate daemon.
As one can see from the list of possible pwcheck_methods, some of them support realms for PLAIN/LOGIN while others don't. This requires either a patch for lib/checkpw.c (applies to 1.5.15, at least integrated since 1.5.20) or the client to add @HOST.DOMAIN to the authid.

CRAM-MD5 does not really support realms, either. A patch for plugins/cram.c (applies to 1.5.17, at least integrated since 1.5.20) can solve this problem if the client doesn't add @HOST.DOMAIN to the authid.
The following lists some example SMTP AUTH dialogues. These can be logged if the -X logfile option for the sendmail server is used or a sendmail client is called with -v.

The DefaultAuthInfo file contains:

test
test
tEst42
wiz.example.com

So sasldb contains the string:

test\0wiz.example.com\0...

250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250 HELP
>>> AUTH DIGEST-MD5
334 bm9uY2U9IkFKUlVjNUp4MFVRYnY1U0o5Rm95VW5hWnBxWklIRGhMVFUrQXduL0swVXc9Iixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
>>> dXNlcm5hbWU9InRlc3QiLHJlYWxtPSJ3aXouZXhhbXBsZS5jb20iLG5vbmNlPSJBSlJVYzVKeDBVUWJ2NVNKOUZveVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsY25vbmNlPSJBSlJVYzVKeDBVUWJ2NVNKOUZveVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsbmM9MDAwMDAwMDEscW9wPWF1dGgtY29uZixjaXBoZXI9InJjNCIsY2hhcnNldD11dGYtOCxkaWdlc3QtdXJpPSJzbXRwL2xvY2FsaG9zdC5zZW5kbWFpbC5jb20uIixyZXNwb25zZT0wZTdjZmNhZTcxN2VlYWM5NzJmYzlkNTYwNmExMDgzZA==
334 cnNwYXV0aD03NDM5ODBjODQ0MmRiYjcxNmQ0ZWE5ZTQ5OTNiMDFkMA==
>>>
235 2.0.0 OK Authenticated
Decoded:
nonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",charset=utf-8,algorithm=md5-sess
username="test",realm="wiz.example.com",nonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",cnonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",nc=00000001,qop=auth-conf,cipher="rc4",charset=utf-8,digest-uri="smtp/localhost.sendmail.com.",response=0e7cfcae717eeac972fc9d5606a1083d
rspauth=743980c8442dbb716d4ea9e4993b01d0
According to RFC 2595 the client must send:

[authorize-id] \0 authenticate-id \0 password

pwcheck_method has been set to sasldb for the following example.
>>> AUTH PLAIN dGVzdAB0ZXN0QHdpei5leGFtcGxlLmNvbQB0RXN0NDI=
235 2.0.0 OK Authenticated
Decoded:
test\000test@wiz.example.com\000tEst42
With the patch for lib/checkpw.c or a pwcheck_method that doesn't support realms:
>>> AUTH PLAIN dGVzdAB0ZXN0AHRFc3Q0Mg==
Decoded:
test\000test\000tEst42
pwcheck_method has been set to sasldb for the following example.
>>> AUTH LOGIN
334 VXNlcm5hbWU6
>>> dGVzdEB3aXouZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
>>> dEVzdDQy
235 2.0.0 OK Authenticated
Decoded:
test@wiz.example.com
tEst42
With the patch for lib/checkpw.c or a pwcheck_method that doesn't support realms:
>>> AUTH LOGIN
334 VXNlcm5hbWU6
>>> dGVzdA==
334 UGFzc3dvcmQ6
>>> dEVzdDQy
235 2.0.0 OK Authenticated
Decoded:
test
tEst42
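As an added illustration (not part of this page, sendmail or Cyrus SASL), the following Python decodes the AUTH PLAIN and AUTH LOGIN responses shown above according to RFC 2595 and reproduces the @HOST.DOMAIN lookup hack against a constructed in-memory stand-in for sasldb; SASLDB, SERVER_REALM and the function names are assumptions, not real sendmail or Cyrus SASL interfaces.

```python
import base64
import hmac
from typing import Tuple

# Constructed stand-in for sasldb (not a real sasldb file): Cyrus SASL 1.5.10+
# stores entries for realm-less mechanisms under "authid@HOST.DOMAIN".
SASLDB = {"test@wiz.example.com": "tEst42"}
SERVER_REALM = "wiz.example.com"  # assumed HOST.DOMAIN of the server


def parse_plain(b64: str) -> Tuple[str, str, str]:
    """Decode an AUTH PLAIN response per RFC 2595: [authzid] NUL authcid NUL passwd."""
    parts = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(parts) != 3:  # anything else is malformed and must not be looked up
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Client side: build the base64 initial response for AUTH PLAIN."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")).decode("ascii")


def sasldb_key(authid: str, realm: str = SERVER_REALM) -> str:
    """Lookup key for a realm-less mechanism: append @realm unless the client
    already supplied one (the hack this page describes)."""
    return authid if "@" in authid else f"{authid}@{realm}"


def _matches(key: str, passwd: str) -> bool:
    stored = SASLDB.get(key)
    # constant-time compare so a wrong password is not distinguishable by timing
    return stored is not None and hmac.compare_digest(stored.encode(), passwd.encode())


def check_plain(b64: str) -> bool:
    """True when the decoded PLAIN credentials match the simulated sasldb."""
    _authzid, authcid, passwd = parse_plain(b64)
    return _matches(sasldb_key(authcid), passwd)


def check_login(user_b64: str, passwd_b64: str) -> bool:
    """AUTH LOGIN sends username and password as two separate base64 replies."""
    user = base64.b64decode(user_b64, validate=True).decode("utf-8")
    passwd = base64.b64decode(passwd_b64, validate=True).decode("utf-8")
    return _matches(sasldb_key(user), passwd)


if __name__ == "__main__":
    # The two PLAIN dialogues from this page: with and without @wiz.example.com
    for resp in ("dGVzdAB0ZXN0QHdpei5leGFtcGxlLmNvbQB0RXN0NDI=", "dGVzdAB0ZXN0AHRFc3Q0Mg=="):
        print(parse_plain(resp), check_plain(resp))
    print(check_login("dGVzdEB3aXouZXhhbXBsZS5jb20=", "dEVzdDQy"))
```

The second PLAIN response only succeeds because sasldb_key appends the server's realm, which is exactly what the lib/checkpw.c patch does for a client that omits @HOST.DOMAIN.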
Copyright © Claus Aßmann
Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.