Date: Mon, 27 Jan 2020 11:52:53 -0800
From: Ori Bernstein
To: 9fans <9fans@9fans.net>
Cc: Lyndon Nerenberg
Subject: Re: [9fans] factotum vs. SASL+TLS+applications
Message-Id: <20200127115253.419e4d1fc22158f116f3342c@eigenstate.org>

> The following is all hypothetical. I'm curious about how people
> think auth(2)/factotum(4) could be adapted to support the use
> case ...
>
> factotum was intended to handle the authentication dance on behalf
> of network apps. But in the case of things like IMAP, it really
> just stores the client's login/password, and provides a bit of
> helper glue for CRAM-MD5. Similarly for ftpfs.
>
> I'm curious why upasfs and ftpfs are outliers in only using factotum
> as a credential store, but leaving the actual authentication protocol
> dance in the clients/servers. The "Security" paper (/sys/doc/auth)
> strongly hints that these parts of the application protocols were
> meant to be outsourced to factotum. Section 2.2 in particular
> argues that the auth modules should be implemented once in factotum,
> for consumption by the rest of the system.

Probably simple expediency.

> To require a specific SASL mechanism, add "sasl=scram-md5" (using
> "sasl=*" as a default if you need to fall back for some reason).

This all sounds fairly reasonable. I think that patches to this effect
would be worth integrating.

> Of course all of this needs to be glued into auth(2) in a way that
> doesn't destroy the existing API. But it does need to handle
> factotum replacing the underlying connection to the client/server
> with one that has been pushtls()ed by factotum itself.

I'm not sure how factotum can have this action at a distance. I think
the pushtls is stuck in the client itself -- though, the auth code can
probably return the parameters needed for this.