
Testing the GSASL authenticator with SCRAM-*-PLUS
Hello,

I am trying to set up a very simple test case for the GSASL
authenticator, in order to test msmtp against different authentication
mechanisms, in particular the SCRAM-*-PLUS methods.

For that purpose, I only want to define a single test user, if possible
without complex data base lookups or things like that, but I could not
find a complete working GSASL authenticator example to start from.

In particular, I have trouble understanding the purpose and usage of the
'server_password' option with GSASL. How do I use this to authenticate a
single test user?

Right now, I have the following:

sasl:
  driver = gsasl
  public_name = SCRAM-SHA-1-PLUS
  server_channelbinding = true
  server_set_id = $auth1
  server_condition = ${if eq{$auth1}{testuser}}
  server_password = abc

The last two lines are obviously nonsense; any password will be accepted
as long as the username is 'testuser'. What should I use instead?

Best,
Martin

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Testing the GSASL authenticator with SCRAM-*-PLUS
On 15/11/2023 20:32, Martin Lambers via Exim-users wrote:
> In particular, I have trouble understanding the purpose and usage of the 'server_password' option with GSASL. How do I use this to authenticate a single test user?

server_password is the password that the server is expecting for the account,
in clear. Some auth methods (including the SCRAM family) deliberately do not
pass the password over the wire, but only a proof of having it. This
requires that the server end know what it is, so we need
this option so that Exim can tell the auth library. Effectively,
the server_condition option then becomes useless (for these auth
methods) so you may as well set a static "true" value for that
(*only* for these auth methods).

The value for server_password for your simple testcase
can be just the static password. For production use you'd likely
have a DB lookup using $auth1 (authentication id - ie. username)
as key.
--
Cheers,
Jeremy


Re: Testing the GSASL authenticator with SCRAM-*-PLUS
Thank you very much for your help, I now have a working test setup :)

On 16/11/2023 11:41, Jeremy Harris via Exim-users wrote:
> On 15/11/2023 20:32, Martin Lambers via Exim-users wrote:
>> In particular, I have trouble understanding the purpose and usage of
>> the 'server_password' option with GSASL. How do I use this to
>> authenticate a single test user?
>
> server_password is the password that the server is expecting for the
> account,
> in clear.  Some auth methods (including the SCRAM family) deliberately
> do not
> pass the password over the wire, but only a proof of having it. This
> requires that the server end know what it is, so we need
> this option so that Exim can tell the auth library.

For archive completeness I'd like to mention that for SCRAM, the server
does not need to know the password itself, but just a salted and hashed
version of it, which can be set with server_skey instead of
server_password. For my simple test setup, I did not use this.

Best,
Martin

Re: Testing the GSASL authenticator with SCRAM-*-PLUS
On 2023-11-19, Martin Lambers via Exim-users <exim-users@lists.exim.org> wrote:

> For archive completeness I'd like to mention that for SCRAM, the server
> does not need to know the password itself, but just a salted and hashed
> version of it, which can be set with server_skey instead of
> server_password. For my simple test setup, I did not use this.

However, the salted password is also all that a client needs to authenticate
to the server. So the same care is needed to keep the storage secure as
if it was storing the password.

--
Jasen.

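The derivation that the last two messages refer to, written out as an added Python example (not code from this thread, from Exim or from GNU SASL): it computes the RFC 5802 SCRAM-SHA-1 values for the RFC's own section 5 test vector (user "user", password "pencil", 4096 iterations) and shows which stored value serves which side. Checking a client proof needs only StoredKey, and answering with a server signature needs only ServerKey, so a server can keep those two instead of the cleartext password; forming a client proof, on the other hand, needs the SaltedPassword (or ClientKey) derived from it, which is why a stored SaltedPassword must be protected like the password itself. The function names are this example's own, and SASLprep normalisation is skipped on the assumption that test passwords are plain ASCII.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# RFC 5802 SCRAM-SHA-1 key derivation, added here to illustrate the thread;
# not Exim's or GNU SASL's own code. Function names are this example's own.

HASH = "sha1"


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi(Normalize(password), salt, i) from RFC 5802, i.e. PBKDF2-HMAC-SHA1.
    SASLprep is omitted: this example assumes plain-ASCII test passwords."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


@dataclass(frozen=True)
class ScramVerifier:
    """What a server can store per user instead of the cleartext password."""
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey): enough to check a client proof
    server_key: bytes  # HMAC(SaltedPassword, "Server Key"): enough to sign back


def verifier_from_password(password: str, salt: bytes, iterations: int) -> ScramVerifier:
    """One-time enrolment step: derive StoredKey and ServerKey, then forget the password."""
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    return ScramVerifier(
        salt, iterations,
        hashlib.sha1(client_key).digest(),
        hmac.new(sp, b"Server Key", HASH).digest(),
    )


def client_proof(salted_pw: bytes, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    Note that only the SaltedPassword is needed here, which is Jasen's caveat."""
    client_key = hmac.new(salted_pw, b"Client Key", HASH).digest()
    stored_key = hashlib.sha1(client_key).digest()
    sig = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, sig))


def server_verify(v: ScramVerifier, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare H(ClientKey)
    against StoredKey. Neither the password nor SaltedPassword is involved."""
    sig = hmac.new(v.stored_key, auth_message, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), v.stored_key)


def server_signature(v: ScramVerifier, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage), sent back as the 'v=' attribute."""
    return hmac.new(v.server_key, auth_message, HASH).digest()


# RFC 5802 section 5 test vector: username "user", password "pencil", no channel binding.
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_ITER = 4096
RFC_AUTH_MESSAGE = b",".join([
    b"n=user,r=fyko+d2lbbFgONRv9qkxdawL",                                   # client-first-message-bare
    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096",  # server-first-message
    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j",                 # client-final-message-without-proof
])


def demo() -> dict:
    """Run one exchange against the RFC vector and a wrong-password attempt."""
    verifier = verifier_from_password("pencil", RFC_SALT, RFC_ITER)
    sp = salted_password("pencil", RFC_SALT, RFC_ITER)
    proof = client_proof(sp, RFC_AUTH_MESSAGE)
    wrong_proof = client_proof(salted_password("pencils", RFC_SALT, RFC_ITER), RFC_AUTH_MESSAGE)
    return {
        "proof_b64": base64.b64encode(proof).decode(),
        "server_sig_b64": base64.b64encode(server_signature(verifier, RFC_AUTH_MESSAGE)).decode(),
        "accepted": server_verify(verifier, RFC_AUTH_MESSAGE, proof),
        "wrong_rejected": not server_verify(verifier, RFC_AUTH_MESSAGE, wrong_proof),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For the RFC vector the proof comes out as v0X8v3Bz2T0CJGbJQyF0X+HI4Ts= and the server signature as rmF9pqV8S7suAoZWja4dJRkFsKQ=, matching the exchange printed in RFC 5802. The split into `ScramVerifier` versus `salted_password` is the design point: whatever a deployment hands to the auth library, a value from which `client_proof` can be computed is password-equivalent for that server, while StoredKey on its own lets the server verify but not impersonate the user.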