On Thu, 12 Jun 2014, Jasen Betts wrote:
> On 2014-06-11, Shane Philip <shanep@???> wrote:
...
> It may be possible to abuse the plaintext auth driver to make fake
> authenticators that do no checks and always return success. I have
> not looked at how it functions
This definitely is the way to go. We implemented something like
this for a group of completely braindead printers/scanners which
always force sending user and password, but only can do clear text
on port 25.
So we assumed these printers will always compromise their accounts
and simply gave them an authenticator with an always true condition.
So now they use their hostname for username in the log and useless
strings for passwords and they send their scans anyway.
We simply inserted two $ifs into the normal authenticator,
which always results true, if the host ist in the list
(so you'd make this the correct subnet):
To hosts(IPs) in the list 'auto_authed_hosts'
1) we advertise auth even if unencrypted
2) we make the result always true
# -----------------------------------------------------------------------
# allow auth to be advertized to braindead scanners
server_advertise_condition = ${if or{\
{match_ip{$sender_host_address}{+auto_authed_hosts}}\
{!eq{$tls_cipher}{}}\
}{1}{0}}
server_prompts = :
# braindeads can use anything for user and password, so NO usable plaintext
server_condition = ${if or{\
{match_ip{$sender_host_address}{+auto_authed_hosts}}\
{OUR..NORMAL...CONDITION...REMOVED...HERE}\
}{1}{0}}
# -----------------------------------------------------------------------
Stucki
--
Christoph von Stuckrad * * |nickname |Mail <stucki@???> \
Freie Universitaet Berlin |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online| (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin * * |on IRCnet|Fax(home): +49 30 77 39 6601/