Bug#603118: provide a way to send no realm for digest-md5

Jörg Sommer joerg at alea.gnuu.de
Thu Nov 11 00:57:12 UTC 2010


Package: libsasl2-2
Version: 2.1.23.dfsg1-6
Severity: wishlist
Tags: upstream

Hi,

Can you add an option so that the SASL server doesn't send a realm to the
client? Currently, the code looks like this:

digestmd5_server_mech_step1(server_context_t *stext,
…
{
…
    /* get realm */
    result = get_server_realm(sparams, &realm);
    if(result != SASL_OK) return result;
…
    /* add to challenge; if we chose not to specify a realm, we won't
     * send one to the client */
    if (realm && add_to_challenge(sparams->utils,
…

There's no way to omit the realm in the message from the server to the
client, because get_server_realm() gives no way to set realm to NULL and
signal SASL_OK.

Rationale: Since today, Outlook 2010 supports Digest‐MD5. For usernames
of the form abc@example.org it sends the domain as realm in its response.
On a host with users from multiple domains the server sees multiple
realms. But the current implementation only supports one realm and
announces this realm and fails if the user doesn't respond with this
realm. “SASL authentication failure: realm changed: authentication
aborted.”

BTW: Mutt keeps the realm and sends the whole username with domain as
username.

Regards, Jörg.

-- System Information:
Debian Release: unstable/experimental
  APT prefers unstable
  APT policy: (900, 'unstable'), (700, 'experimental')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.37-rc1+
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libsasl2-2 depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  libdb4.8                      4.8.30-2   Berkeley v4.8 Database Libraries [

Versions of packages libsasl2-2 recommends:
ii  libsasl2-modules          2.1.23.dfsg1-6 Cyrus SASL - pluggable authenticat

libsasl2-2 suggests no packages.

-- no debconf information
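
The realm behaviour described in the report, as an added example that is not part of the original message and is not Cyrus SASL code: `build_challenge()` and `check_response_realm()` are hypothetical helpers, and the realm, domain and nonce values are constructed. It shows the challenge with and without a realm directive (RFC 2831 syntax) and how a strict realm comparison rejects a client that answers with its own domain.

```c
#include <stdio.h>
#include <string.h>

enum realm_result { REALM_OK = 0, REALM_CHANGED = -1 };

/* Hypothetical helper: write a DIGEST-MD5 digest-challenge (RFC 2831
 * directive syntax). announced == NULL models the requested option: no
 * realm directive is sent. Sample values need no quoted-string escaping. */
int build_challenge(char *out, size_t len, const char *announced,
                    const char *nonce)
{
    int n = 0;
    if (announced)
        n = snprintf(out, len, "realm=\"%s\",", announced);
    if (n < 0 || (size_t)n >= len)
        return -1;                       /* realm directive did not fit */
    int m = snprintf(out + n, len - n,
                     "nonce=\"%s\",qop=\"auth\",charset=utf-8,algorithm=md5-sess",
                     nonce);
    return (m < 0 || (size_t)m >= len - n) ? -1 : n + m;
}

/* Hypothetical server-side check of the realm in the digest-response.
 * An announced realm must come back unchanged; with none announced the
 * client's choice (e.g. the domain part of the login) is accepted. */
enum realm_result check_response_realm(const char *announced,
                                       const char *response_realm)
{
    if (announced == NULL)
        return REALM_OK;
    if (response_realm == NULL)
        response_realm = "";             /* missing directive counts as empty */
    return strcmp(announced, response_realm) == 0 ? REALM_OK : REALM_CHANGED;
}

int main(void)
{
    char buf[256];
    const char *nonce = "Y29uc3RydWN0ZWQ=";   /* constructed sample nonce */

    build_challenge(buf, sizeof buf, "mail.example.com", nonce);
    printf("%s\n -> client realm example.org: %d\n", buf,
           check_response_realm("mail.example.com", "example.org"));

    build_challenge(buf, sizeof buf, NULL, nonce);
    printf("%s\n -> client realm example.org: %d\n", buf,
           check_response_realm(NULL, "example.org"));
    return 0;
}
```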