
curl-library

Re: SASL LOGIN mechanism

From: Patrick Monnerat <patrick_at_monnerat.net>
Date: Thu, 15 Feb 2018 01:21:39 +0100

On 02/14/2018 09:04 PM, Ray Satiro wrote:
>
>> Obviously the server does not require the password because the client
>> certificate authentication takes precedence; the AUTH command is
>> however needed before being able to use other commands. This looks
>> like a deviance from the description
>> (https://tools.ietf.org/html/draft-murchison-sasl-login-00), that has
>> been written "a posteriori" (probably by reverse engineering) and has
>> not become a standard. This document does not describe the case when
>> the password is not needed.
> Interesting. If it's EXTERNAL then aren't you already logged in?
No, you're not. Servers that allow EXTERNAL should receive an explicit
AUTH EXTERNAL command to be logged in.
This server does not support EXTERNAL, but behaves as such with other
authentication methods (this is quite clever since many clients do not
support EXTERNAL).
> Where is LOGIN prioritized over PLAIN and is there any effect of that
> on this issue?

Priority is determined by the order of "else if" blocks starting at
https://github.com/curl/curl/blob/43a50a2580db2bfb28483a96964ae27b584472da/lib/curl_sasl.c#L292.
The only effect would be PLAIN will be chosen by curl instead of LOGIN
if both are supported by the server. This does not impact the "no LOGIN
password" problem, but will avoid using LOGIN if PLAIN is available.
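As an added illustration of the two points above (mechanism preference and the "no LOGIN password" server behaviour), the following Python model is example code written for this page, not code from curl or from the mail's author. It assumes a constructed in-memory server and a preference list that is only a three-entry subset standing in for the order of curl's "else if" chain; the real table in lib/curl_sasl.c is longer. The LOGIN client loops on server continuations instead of hard-coding "username then password", so it also completes when a certificate-authenticated server accepts the username and never prompts for a password.

```python
import base64

# Highest preference first. Constructed subset standing in for the order of the
# "else if" chain in curl's lib/curl_sasl.c; not curl's actual table.
PREFERENCE = ["EXTERNAL", "PLAIN", "LOGIN"]


def choose_mechanism(advertised):
    """Return the most preferred mechanism the server advertises, or None."""
    offered = {m.upper() for m in advertised}
    for mech in PREFERENCE:
        if mech in offered:
            return mech
    return None


def b64(text):
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text).decode()


def plain_initial_response(user, password, authzid=""):
    """RFC 4616 PLAIN initial response: base64(authzid NUL authcid NUL passwd)."""
    return b64(f"{authzid}\0{user}\0{password}")


def login_response(challenge_b64, user, password):
    """Answer one LOGIN challenge ("Username:" or "Password:" per the draft)."""
    prompt = unb64(challenge_b64).strip().rstrip(":").lower()
    if prompt.startswith("user"):
        return b64(user)
    if prompt.startswith("pass"):
        return b64(password)
    raise ValueError(f"unexpected LOGIN challenge: {prompt!r}")


class FakeServer:
    """Constructed server model (hypothetical, not a real IMAP/SMTP server).
    needs_password=False reproduces the behaviour described in the mail: the
    client certificate already authenticated the session, so AUTH LOGIN
    completes right after the username without a password prompt."""

    def __init__(self, mechanisms, user, password, needs_password=True, cert_user=None):
        self.mechanisms = [m.upper() for m in mechanisms]
        self.user, self.password = user, password
        self.needs_password = needs_password
        self.cert_user = cert_user          # identity taken from the client cert
        self.state = "start"

    def auth(self, mech, initial=None):
        if mech not in self.mechanisms:
            return ("fail", None)
        if mech == "EXTERNAL":
            return ("ok", None) if self.cert_user == self.user else ("fail", None)
        if mech == "PLAIN":
            _, authcid, passwd = unb64(initial).split("\0")
            ok = (authcid, passwd) == (self.user, self.password)
            return ("ok", None) if ok else ("fail", None)
        if mech == "LOGIN":
            self.state = "want-user"
            return ("continue", b64("Username:"))
        return ("fail", None)

    def step(self, response):
        if self.state == "want-user":
            if unb64(response) != self.user:
                self.state = "done"
                return ("fail", None)
            if not self.needs_password:
                self.state = "done"
                return ("ok", None)    # cert already proved identity
            self.state = "want-pass"
            return ("continue", b64("Password:"))
        if self.state == "want-pass":
            self.state = "done"
            ok = unb64(response) == self.password
            return ("ok", None) if ok else ("fail", None)
        return ("fail", None)


def authenticate(server, user, password):
    """Pick a mechanism by preference and drive the exchange. Returns (mech, ok)."""
    mech = choose_mechanism(server.mechanisms)
    if mech is None:
        return (None, False)
    if mech == "EXTERNAL":
        status, _ = server.auth("EXTERNAL")
        return (mech, status == "ok")
    if mech == "PLAIN":
        status, _ = server.auth("PLAIN", plain_initial_response(user, password))
        return (mech, status == "ok")
    # LOGIN: keep answering while the server sends continuations. This is what
    # tolerates a server that stops after the username and never asks for a password.
    status, challenge = server.auth("LOGIN")
    while status == "continue":
        status, challenge = server.step(login_response(challenge, user, password))
    return (mech, status == "ok")
```

Because `choose_mechanism` walks `PREFERENCE` in order, a server offering both PLAIN and LOGIN gets PLAIN, as the mail says curl does; LOGIN is used only when it is the sole option, and then the client is driven by what the server actually sends rather than by an assumed two-step script.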
Received on 2018-02-15