Got a safety issue on Ubuntu (apache2 together with mod_authn_sasl). I can't seem to make the realm requirement a real requirement. It is possible to state "user@realm" as the username during login to override the auth settings in Apache. This means that if I have two different sites with SASL password protection (say site "a" and site "b", with realms named the same as the sites), any user bound to realm "a" could access realm "b" by logging in with "username@a". I have tried several different configuration setups but I can't seem to find any solution.
My settings currently are:
<LocationMatch "/svnrel/login">
    AuthType Basic
    AuthName "Trac Authentication"
    # hand the Basic-auth credentials to mod_authn_sasl
    AuthBasicProvider sasl
    # SASL application name, i.e. which /etc/sasl2/<appname>.conf is read
    AuthSaslAppname passwd
    # the realm this location is supposed to be bound to
    AuthSaslRealm svnrel
    AuthBasicAuthoritative On
    AuthSaslPwcheckMethod auxprop
    Require valid-user
</LocationMatch>
and my saslauthd config for Apache lists:
# check passwords through an auxprop plugin, not saslauthd
pwcheck_method: auxprop
# look users up in the sasldb database (keyed by user and realm)
auxprop_plugin: sasldb
mech_list: PLAIN
Versions: Apache = 2.2.14, mod_authn_sasl = 1.1-1
This is indeed an issue. The module should check for @<realm> in usernames when an AuthSaslRealm is configured and compare the two before passing the username to the SASL lib. Thanks for the report. I'll provide a new version soon.
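The check the maintainer describes, as an added example in C; this is not mod_authn_sasl's code and the function name, the result enum and the buffer-based signature are assumptions for illustration. The scenario in the test mirrors the report: a location configured with AuthSaslRealm "b", and a user who only has an entry in realm "a" trying to log in as "user@a". With no configured realm the login's own realm is passed through, which is the behaviour the report complains about; with a configured realm a mismatched suffix is rejected before anything reaches the SASL library.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the realm check. These names are an assumption for this example;
 * they are not part of mod_authn_sasl. */
enum realm_check {
    REALM_OK = 0,       /* accepted; user_out and realm_out are filled in */
    REALM_MISMATCH,     /* "@realm" in the login differs from AuthSaslRealm */
    REALM_TOOLONG,      /* a component does not fit the caller's buffer */
    REALM_MALFORMED     /* empty user part, or '@' with nothing after it */
};

/*
 * Enforce the configured realm before the username is handed to the SASL lib.
 *
 * login             raw Basic-auth username, e.g. "alice" or "alice@a"
 * configured_realm  the AuthSaslRealm value, or NULL when the directive is unset
 * user_out/realm_out receive the user and realm that may be passed on
 *
 * The split is on the first '@', so "alice@a@b" yields realm "a@b", which can
 * never equal a configured realm and is therefore rejected rather than
 * silently reinterpreted.
 */
enum realm_check check_user_realm(const char *login, const char *configured_realm,
                                  char *user_out, size_t user_len,
                                  char *realm_out, size_t realm_len)
{
    const char *at = strchr(login, '@');
    size_t ulen = at ? (size_t)(at - login) : strlen(login);
    const char *login_realm = at ? at + 1 : NULL;

    if (ulen == 0 || (login_realm && *login_realm == '\0'))
        return REALM_MALFORMED;

    /* The core of the fix: a realm supplied inside the username must match
     * the realm the location was configured with, or the login is refused. */
    if (login_realm && configured_realm && strcmp(login_realm, configured_realm) != 0)
        return REALM_MISMATCH;

    /* Configured realm wins; without one, fall back to what the login carried
     * (the pre-fix behaviour), or to an empty realm if it carried nothing. */
    const char *realm = configured_realm ? configured_realm
                      : (login_realm ? login_realm : "");

    if (ulen >= user_len || strlen(realm) >= realm_len)
        return REALM_TOOLONG;

    memcpy(user_out, login, ulen);
    user_out[ulen] = '\0';
    memcpy(realm_out, realm, strlen(realm) + 1);
    return REALM_OK;
}

int main(void)
{
    /* Constructed scenario: this location is bound to realm "b". */
    const char *logins[] = { "alice", "alice@b", "alice@a", "alice@a@b", "@b", "alice@" };
    char user[64], realm[64];

    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        enum realm_check rc = check_user_realm(logins[i], "b",
                                               user, sizeof user, realm, sizeof realm);
        if (rc == REALM_OK)
            printf("%-10s -> accept user=%s realm=%s\n", logins[i], user, realm);
        else
            printf("%-10s -> reject (%d)\n", logins[i], rc);
    }
    return 0;
}
```

Only the rejected logins matter for closing the hole: a plain "alice" is bound to realm "b" regardless of where else alice has an account, and "alice@a" never reaches sasldb at all.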
AuthSaslRealm in v1.2 should work for you.