Proxying of non "plain" SASL mechanisms.

Timo Sirainen tss at iki.fi
Tue Mar 17 23:47:31 UTC 2015


On 25 Feb 2015, at 20:59, Peter Mogensen <apm at one.com> wrote:

> So, why not just extend the support for proxy authentication forwarding
> to any single-handshake SASL-IR mechanism, which doesn't use
> channel-binding? (which includes PLAIN, but also GS2-KRB5, and possibly
> others).

Yeah, I guess it would work for several of the auth mechanisms. It's a lot of work though and requires some larger changes to how authentication works. I don't currently see it being worth the effort, but I wouldn't mind if somebody else implements it. I guess the parts would be:

 - Some flag to auth mechanisms that allow proxying based on their initial SASL response.
 - A new auth setting to enable auth proxying for mechanisms that support it.
 - If auth proxying is enabled, perform passdb lookup on non-plaintext auth on the initial SASL response. Return "finished" to the auth client with some "mech-proxy=y" extra field, so it knows to start proxying the SASL session to the destination server.
 - Implementation of the above for all the mechanisms that support it.
 - login-common to support sending the same initial response to the target server and proxying the rest of the authentication. (Possibly somehow integrate this with Dovecot's lib-sasl, but not sure if this is needed/useful.)
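To make the third step of the sketch concrete, here is an added illustration (not Dovecot code, and not part of the mailing list thread) of the decision the auth process would make from the initial SASL response alone: parse it, refuse anything that relies on channel binding, pick the identity for the passdb lookup, and answer the auth client with the proposed "mech-proxy=y" field. The reply line shape, the field names, the in-memory passdb and the sample responses are all assumptions made for the example.

```python
import base64
# Constructed sample initial responses and passdb (not from the mailing list).
SAMPLE_PLAIN = base64.b64encode(b"\0alice\0secret").decode()
SAMPLE_GS2_OK = base64.b64encode(b"n,a=carol,<krb5-ap-req-token>").decode()
SAMPLE_GS2_CB = base64.b64encode(b"p=tls-unique,,<krb5-ap-req-token>").decode()
PASSDB = {"alice": {"proxy": True, "host": "198.51.100.7"}, "carol": {"proxy": False}}

def parse_initial_response(mech, sasl_ir_b64):
    """From the SASL-IR initial response alone, decide whether the session can be
    proxied and which identity to hand to the passdb. Returns (proxyable, user, reason)."""
    try:
        initial = base64.b64decode(sasl_ir_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, None, "bad-base64"
    if mech == "PLAIN":
        parts = initial.split(b"\0")  # RFC 4616: [authzid] NUL authcid NUL passwd
        if len(parts) != 3 or not parts[1] or not parts[2]:
            return False, None, "malformed-plain"
        authzid, authcid, _passwd = parts
        return True, (authzid or authcid).decode("utf-8"), "ok"
    if mech.startswith("GS2-"):
        # RFC 5801 gs2-header: [nonstd-flag ","] cb-flag "," [a=authzid] ","
        fields = initial.split(b",", 3)
        if fields[0] == b"F":
            fields = fields[1:]
        if len(fields) < 3:
            return False, None, "malformed-gs2"
        cb_flag, authzid = fields[0], fields[1]
        if cb_flag != b"n":
            # "y" / "p=<type>": client binds to the TLS session it sees; a proxy would break it
            return False, None, "channel-binding"
        if not authzid.startswith(b"a="):
            # identity is only inside the GSS-API token, which this sketch does not decode
            return False, None, "no-authzid"
        user = authzid[2:].decode("utf-8").replace("=2C", ",").replace("=3D", "=")  # RFC 5801 unescape
        return True, user, "ok"
    return False, None, "unsupported-mech"

def auth_reply(req_id, mech, sasl_ir_b64, passdb):
    """Tab-separated reply to the auth client; mech-proxy=y is the field proposed in the mail."""
    proxyable, user, reason = parse_initial_response(mech, sasl_ir_b64)
    if not proxyable:
        return f"FAIL\t{req_id}\treason={reason}"
    entry = passdb.get(user)
    if entry is None:
        return f"FAIL\t{req_id}\tuser={user}\treason=unknown-user"
    if not entry["proxy"]:
        return f"CONT\t{req_id}"  # not a proxy user: finish the mechanism locally (challenge omitted)
    return f"OK\t{req_id}\tuser={user}\tmech-proxy=y\thost={entry['host']}"
```

A GS2 client that asked for channel binding is turned away before any passdb lookup, since forwarding its token to another server could never verify; a PLAIN user marked for proxying gets the "finished" answer with the destination host.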
