imap: Provide method to disable SASL if it is advertised #10041
Conversation
kop316
force-pushed
the
wip/sasl
branch
2 times, most recently
from
e5976e9 to
089f431
Compare
|
I'm totally fine with doing it this way. Two things:
|
Sounds good!
That is fine! EDIT: I added the documentation in another commit, but I can squash it too if that is desirable. I assume I should add something like
In https://www.rfc-editor.org/rfc/rfc3501.html : I read that to mean that since |
|
Hello! I just wanted to follow up with this. I believe I have the documentation added (though that's pending review). Should I also change |
|
Hello and happy new year! I just wanted to follow up on this again. I was waiting for feedback on the comments here: #10041 (comment) to do any changes, and I wanted to check in to see what your thoughts were. |
|
@kop316 thanks for this patch, since I believe it'll fix some authentication problems with some poorly-implemented cell carrier servers we have to deal with in postmarketOS / mobile linux distros... I'm a little hesitant to pick this patch and ship it, since anything around authentication is automatically "scary" for me due to my lack of understanding around these things... so I'm waiting until this is accepted/merged before doing so. @bagder I know you probably have other priorities than this one, but any help for @kop316 to get this in an acceptable state would be greatly appreciated! |
kop316
force-pushed
the
wip/sasl
branch
2 times, most recently
from
03c9815 to
8a9cda3
Compare
Hello, Based on this, I added documentation and revert it to EDIT: I am not sure why 126 is failing for FreeBSD 13.2, since that is for FTP and I didn't do anything with it? I am thinking it could be a transient issue but I am not sure how to start another run for it without triggering all of them. |
|
I just want to chime in and add my support for this or this other PR for fixing out-of-the-box voicemail issues on mobile linux. |
|
The other PR is held up by a security concern and my lack of SASL knowledge. If AUTH NONE is used I would think then there is no authentication? I don't see 'none' in the rfcs |
|
I really prefer this way of resolving the problem rather than the fallback of #10027: the later causes a very fast double authentication attempt that may appear to the server as an attack and finally locks the user and/or ip. The problem is real: there is no way to select a non-SASL login method if some SASL are advertised by the server. It exists since introduction of SASL in curl and probably also affects POP3, SMTP and LDAP. The ideal solution would be to consider ALL authentication methods (SASL + protocol login + APOP, etc) without discrimination and allow giving them in the In the meantime I would prefer something like Please note that POP3 URL requires a non-SASL mechanism name to begin with a ' |
|
This PR will solve the underlying issue I am facing, so i am fine with this instead of the other one. Reading though #10041 (comment) , if I change
But
Implied that Please let me know which one you would prefer and I will change as appropriate. Thank you! |
I'm in favor of |
I personally do not have a strong opinion, as they would all work for me equally as well. I went ahead and changed |
|
@monnerat does this look correct to you now, if SASL_AUTH_NONE is set to use IMAP_TYPE_CLEARTEXT; because SASL_AUTH_NONE is used when prefs are reset so should it be defaulting to cleartext in that case? |
It looks like, yes.
This is the center of the initial problem and I'm not the father of this code. Probably some more testing should be done on it, but as stated earlier, I don't have time for it right now. However I'm quite confident but I won't take this responsibility. |
Sorry, just so I am clear, are you saying more testing needs to be done on the MR, or more testing needs to be done on the initial problem to completely fix it? I just want to make sure you are not needing anything else from me. |
I'm just saying the PR looks good, but as this part of libcurl code is not very clear, I cannot predict possible border effects :-) |
|
Ahh, fair enough! I could never get the code to reach the line here: https://github.com/curl/curl/pull/10041/files#diff-9dd142f0e3406c05d5878d67ca2460c070b4e8f684abd673e6e38f58493cb008L1953 . That is why I manually changed it how I did. However if there is a desire to change it, please let me know and I will. EDIT: One thing that could be done too is adding something like Would this option be more desirable? |
|
@jay @monnerat Hello! I just wanted to follow up with this. It sounded like the PR is good, but I also coded up this method to do the same thing: master...kop316:curl:wip/sasl2 and it passes CI as well in case there was a worry about side effects. |
|
I'm not OK with the other:
These are supposed to be a mechanisn bits mask and not a specific token value. |
That's fair, thanks for explaining! It sounds like I will stick to the original PR then. |
|
Can we consider limiting this fallback to IMAPS connections only? My concern is apps enabling this under the hood and leaking passwords in cleartext over the network. |
I think that might be clever. Just a caution around that: I imagine that the larger use of TLS for IMAP is done with STARTTLS, so they are actually using an |
That's what PR #8295 is intended to prevent, in a more global scope as SASL may also transmit clear passwords. |
|
|
|
So I am clear, is the PR good as is, or is there work that is desired? |
|
IMO this adds a high risk for leaking email account passwords. Considering that email account passwords are one the most valuable ones (or worst ones to have leaked), I think we should make it dependent of having active TLS on the connection. Even if behind a flag, it will be enabled invisibly by apps building on curl and pose a risk to end-users. This seems like a too high price to pay to fix compatibility with buggy servers. |
Yes and no !
IMO, disabling cleartext password and using SASL mechanism or not should not be bound. The above mentioned PR treats this (disjoint) problem globally, It is currently awaiting your vote and/or comment. Maybe it should be implemented the other way round (i.e.: disabling cleartext password by default) at the cost of backwards incompatibility but the topic comes periodically in PR comments and mailing list, so something equivalent should be implemented to definitively close this chapter. I really don't understand why #8295 has not yet been adopted (or requested for changes) with regards to all these recurrent password security gripes. |
|
I disagree, no more work is needed. This PR adds an option to specifically use plaintext LOGIN instead of server specified SASL. If the user sets it as a login option then that is what we give them. |
|
Related news from a few days ago: https://mailbox.org/en/post/mailbox-org-discovers-unencrypted-password-transmission-in-mymail (on HN: https://news.ycombinator.com/item?id=35845308) In this case it was the lack of TLS + one of the variations of cleartext password. Adding more ways to achieve this doesn't help. |
|
Hello, Given that we are in the feature window for the next curl release, I wanted to check back in to see if there is anything else needed from me for this. Thank you! |
- Implement AUTH=+LOGIN for CURLOPT_LOGIN_OPTIONS to prefer plaintext LOGIN over SASL auth. Prior to this change there was no method to be able to fall back to LOGIN if an IMAP server advertises SASL capabilities. However, this may be desirable for e.g. a misconfigured server. Per: https://www.ietf.org/rfc/rfc5092.html#section-3.2 ";AUTH=<enc-auth-type>" looks to be the correct way to specify what authenication method to use, regardless of SASL or not. Closes curl#10041
|
Thanks |
- Implement AUTH=+LOGIN for CURLOPT_LOGIN_OPTIONS to prefer plaintext LOGIN over SASL auth. Prior to this change there was no method to be able to fall back to LOGIN if an IMAP server advertises SASL capabilities. However, this may be desirable for e.g. a misconfigured server. Per: https://www.ietf.org/rfc/rfc5092.html#section-3.2 ";AUTH=<enc-auth-type>" looks to be the correct way to specify what authenication method to use, regardless of SASL or not. Closes curl#10041
- Implement AUTH=+LOGIN for CURLOPT_LOGIN_OPTIONS to prefer plaintext LOGIN over SASL auth. Prior to this change there was no method to be able to fall back to LOGIN if an IMAP server advertises SASL capabilities. However, this may be desirable for e.g. a misconfigured server. Per: https://www.ietf.org/rfc/rfc5092.html#section-3.2 ";AUTH=<enc-auth-type>" looks to be the correct way to specify what authenication method to use, regardless of SASL or not. Closes curl#10041
Hello!
There is no method to be able to use plain LOGIN (Plain LOGIN vs. SASL LOGIN) if an IMAP server advertises SASL capabilities. However, this may be desirable for e.g. a misconfigured server.
Per: https://www.ietf.org/rfc/rfc5092.html#section-3.2
";AUTH=" looks to be the correct way to specify what authenication method to use, regardless of SASL or not.
Since https://www.rfc-editor.org/rfc/rfc3501.html#section-6.1.1 provides no way to have no SASL mechanisms, "XNONE" looks to be the best RFC compliant way of doing it.
While this does provide a method for cleartext password being sent, a user must expliciticly call
AUTH=XNONEto excerise this.I should note I originally thought of adding this in
Curl_sasl_parse_url_auth_option()to add a more general way of disabling SASL authentication (it did not break any scripts), but I wasn't sure which would be more appropriate.