On Tue, 2004-05-18 at 14:23, Timo Sirainen wrote:
> Personally I have never liked Cyrus SASL. It's always been annoyingly difficult to configure to work like I wanted.
I don't have experience with it, so ... :)
> The code there to support it isn't actually working right now, but I guess it wouldn't be too difficult to fix it.
I might try this.
> That doesn't look like very good code.. Looks like if it was possible for the user to set the wanted seed there would be several buffer overflows. But I guess normally it's not?
I'm not sure I understand you. opiepasswd allows you to set the seed when changing your otp settings. I guess I'll need to look at the code, though I'm not really a C wizard nor very knowledgeable about insecure C code. Can you explain further what possible problems you see?
> The reason why I implemented my own authentication instead of just using Cyrus SASL was that I wanted to be sure there were not going to be any serious security holes. I could have just audited the code, made sure the found security holes were fixed (actually did both once), and then just used it. But that doesn't give any guarantees about its future versions, I'd have to constantly keep auditing the new versions to make sure they hadn't added more bugs.
Makes sense.
> Anyway, its OTP code didn't look bad. That would be the easiest way to get it working.
Right. Cyrus SASL can (optionally) use opie as well.
johannes
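The seed-handling concern raised in the thread (a user-settable seed copied into a fixed-size buffer), as an added example in C that is not from the thread, from OPIE or from Cyrus SASL: an unchecked copy next to a checked one that enforces the RFC 2289 seed rules (1 to 16 alphanumeric characters, folded to lower case) and refuses input the destination cannot hold. The function names, SEED_MAX and the buffer sizes are assumptions made for this example.

```c
/* Added example, not OPIE or Cyrus SASL code: bounded handling of a
 * caller-supplied OTP seed. Limits follow RFC 2289. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEED_MAX 16   /* RFC 2289: seed is 1..16 alphanumeric characters */

/* Unsafe shape: no length check, so a seed longer than dst writes past
 * the end of the buffer. Shown only for contrast; not called below. */
void copy_seed_unchecked(char *dst, const char *seed)
{
    strcpy(dst, seed);
}

/* Checked shape. Returns 1 and writes the lower-cased seed into dst
 * (capacity dst_len) when the seed is valid; returns 0 and leaves dst
 * as an empty string otherwise. Never truncates silently. */
int copy_seed_checked(char *dst, size_t dst_len, const char *seed)
{
    size_t n;

    if (dst == NULL || dst_len == 0)
        return 0;
    dst[0] = '\0';
    if (seed == NULL)
        return 0;

    /* Look at no more than SEED_MAX + 1 bytes, so an over-long or
     * unterminated input is rejected without scanning all of it. */
    for (n = 0; n <= SEED_MAX; n++) {
        if (seed[n] == '\0')
            break;
        if (!isalnum((unsigned char)seed[n]))
            return 0;                 /* non-alphanumeric character */
    }
    if (n == 0 || n > SEED_MAX)
        return 0;                     /* empty, or longer than allowed */
    if (n + 1 > dst_len)
        return 0;                     /* destination too small: refuse */

    for (size_t i = 0; i < n; i++)    /* RFC 2289: fold to lower case */
        dst[i] = (char)tolower((unsigned char)seed[i]);
    dst[n] = '\0';
    return 1;
}

int main(void)
{
    char buf[SEED_MAX + 1];           /* constructed sample inputs */
    printf("%d\n", copy_seed_checked(buf, sizeof buf, "KE1234"));        /* 1 */
    printf("%d\n", copy_seed_checked(buf, sizeof buf, "abcdefghijklmnopq")); /* 0 */
    return 0;
}
```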