Re: [exim] Plain Authentication Failures

Inizio della pagina
Delete this message
Reply to this message
Autore: Brian Spraker
Data:  
To: John Jetmore
CC: exim-users@exim.org
Oggetto: Re: [exim] Plain Authentication Failures





________________________________
From: John Jetmore <jj33@???>
To: Brian Spraker <spraker@???>
Cc: "exim-users@???" <exim-users@???>
Sent: Tuesday, September 27, 2011 8:02 PM
Subject: Re: [exim] Plain Authentication Failures

On Tue, Sep 27, 2011 at 6:29 PM, Brian Spraker <spraker@???> wrote:
> Hello all,
>
> Been struggling with a problem here.  I am getting "535 incorrect authentication data" errors when folks attempt to use plain authentication.
>
> The odd thing is - I have users using Outlook and none of them appear to have the problems.


Outlook is likely using LOGIN while the others are using PLAIN.  Just
guessing, but see below

> Here is my authenticators config:
>
> begin authenticators
>
> plain:
>     driver = plaintext
>     public_name = PLAIN
>     server_prompts = :
>     server_set_id = $auth2
>     server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE user_uid ='${quote_mysql:$1}' AND user_pass ='${quote_mysql:$2}'}{1}fail}
>     server_advertise_condition = true
>
> login:
>     driver = plaintext
>     public_name = LOGIN
>     server_prompts = "Username:: : Password::"
>     server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE user_uid="$1" AND user_pass="$2"}{1}fail}
>     server_set_id = $1
>     server_advertise_condition = false


PLAIN and LOGIN both use the same plaintext driver, but the vars are
different.  In LOGIN the login creds are in $1 and $2 (although $auth1
and $auth2 are preferred now).  In PLAIN, the creds are in $2 and $3
($auth2 and $auth3).

So, your LOGIN authenticator is correctly using $1 and $2.  Your PLAIN
authenticator is incorrectly using $1 and $2.  Try, in PLAIN, changing
the user_uid condition to $2 ($auth2) and the user_pass condition to
$3 ($auth3).

> Here is the error in the log:
>
> 2011-09-27 17:10:19 plain authenticator failed for android_5efb516d7ad14990.domain.com (localhost) [192.168.254.33]: 535 Incorrect authentication data (set_id=user@???)


Note that the error correctly references the user credential as
user@???, which you set to $auth2 in the PLAIN authenticator,
but in your query you're using $1.

Also, I don't have a ton of mysql/exim experience, but it sure looks
like your LOGIN authenticator is a potential attack vector.  You
should look into wrapping the user inputs ($1 and $2) in ${quote_mysql
like PLAIN.

---------------------------------


Thank you for the help John.  You hit the nail on the head and that completely took care of the problem.  I had read something online about using $1 and then choosing $2 or $3 as the password, but that didn't work either.

I had a friend of mine assist with troubleshooting.  The "server_advertise_condition" for "login:" was changed to false - and he could no longer authenticate via Outlook.  So as you pointed out, Outlook uses the "login:" method.

After changing the $1 to a $2 and the $2 to a $3 in the "plain:" mechanism, the Android device worked perfect.

As for the SQL injections - I was in the process of updating the "login:" authentication just before I sent this to the board so that is why the "plain:" has that fixed and the "login:" didn't - but it is all done now.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/