Re: [os-libsynthesis] server login without credential check

Mon, 09 Nov 2009 02:08:17 -0800 

Hello Patrick,
There are two levels. <requestedauth> and <requiredauth> define what is requested from the client and what is accepted from the client on the protocol level. 


The second level is the authentication against the backend, which in a  
multi-user environment normally needs to know at least a user name (or  
the absence of it), even if no real credential check is performed. So  
the DB-Plugin's SessionLogin() is normally always called. It can be  
prevented by explicitly returning true or false in <logininitscript>  
(so a simple return TRUE in the script will let pass any login and  
never call SessionLogin()).



Now there's a special case when the SyncML message does not provide  
any credentials. Even in this case, the engine does a login towards  
the database with a pseudo user name of "anonymous". I checked the  
handling of this case in the plugin API and found that it was not  
handled very nicely in all cases (Password_xxxx modes).


So I added better handling as follows for anonymous login:


- for the modes that pass a credential *into* the plugin to check  
(Password_ClrText_IN and Password_MD5_IN), a empty string will be  
passed along with user name "anonymous".



- for the modes where the plugin *returns* a credential string for the  
engine to check (Password_ClrText_OUT and Password_MD5_OUT), the  
engine checks if that returned string is empty; if it is not,  
anonymous login is rejected.



I just pushed this as "d468580dac (anonymous login: improved passing  
anonymous login attempts to DB Api)" to luz on indefero.



Now for your change - I disagree because it makes it impossible for a  
DB plugin to handle invalid, anonymous AND regular logins. The purpose  
of <requiredauth> is just an extra security barrier to set a minimal  
login requirement. Setting it to "none" should not mean that  
necessarily *all* sync attempts need no credentials, but allows that  
*some* might not need them. In any case, the DB layer (or the  
<loginXXX> scripts) decides about allowing a session or not on a case- 
by-case basis.



For a server that does not need any checking, just put a "return TRUE"  
into <logininitscript>.


Best Regards,

Lukas

On Nov 3, 2009, at 12:01 , Patrick Ohly wrote:


For the case that a client contacts the server via Bluetooth (and thus

must have paired successfully) I'd like to accept the connection  
request

regardless which credentials the client provides.

I'm running with the following configuration:
   <server type='plugin'>
   <plugin_module>SyncEvolution</plugin_module>
   <plugin_sessionauth>yes</plugin_sessionauth>
   <plugin_deviceadmin>yes</plugin_deviceadmin>
   <requestedauth>none</requestedauth>
   <requiredauth>none</requiredauth>
   <autononce>yes</autononce>

This redirects session and device handling calls into SyncEvolution
code. It always returns Password_ClrText_OUT as password mode. I see
that our Session_Login() is called from here:


#0  sysync::TCustomImplAgent::SessionLogin (this=0x2b3d110,  
aUserName=0x2aca500 "test",
   aAuthString=0x2aca670 "rKOc35gVO51AvKnMKMIskw==",  
aAuthStringType=sysync::sectyp_md5_V11,

   aDeviceID=0x2acaa18 "sc-pim-117cdd45-3892-4a2d-ae62-4c98cb0f3eae")

   at /home/pohly/syncevolution/libsynthesis/src/sysync/ 
customimplagent.cpp:815
#1  0x0000000000683f81 in sysync::TSyncSession::checkCredentials  
(this=0x2b3d110,
   aUserName=0x2aca500 "test", aCred=0x2aca670  
"rKOc35gVO51AvKnMKMIskw==", aAuthType=sysync::auth_md5)
   at /home/pohly/syncevolution/libsynthesis/src/sysync/ 
syncsession.cpp:4048
#2  0x0000000000685657 in sysync::TSyncSession::checkCredentials  
(this=0x2b3d110,
   aUserName=0x2aca500 "test", aCredP=0x2aca520,  
astatuscomma...@0x2aca840)
   at /home/pohly/syncevolution/libsynthesis/src/sysync/ 
syncsession.cpp:3981
#3  0x0000000000771726 in sysync::TSyncAgent::ServerMessageStarted  
(this=0x2b3d110,

   aContentP=0x2aca2d0, astatuscomma...@0x2aca840, aBad=false)

   at /home/pohly/syncevolution/libsynthesis/src/sysync/ 
syncagent.cpp:1814
#4  0x000000000076d7b4 in sysync::TSyncAgent::MessageStarted  
(this=0x2b3d110, aContentP=0x2aca2d0,

   astatuscomma...@0x2aca840, aBad=false)

In other words, despite
       <requestedauth>none</requestedauth>
       <requiredauth>none</requiredauth>
credentials are checked and have to match.

Should these settings have an effect when using the DB to authenticate

users? It doesn't seem that they do, but I also don't see any other  
way

to disable the login check.

Hmm, perhaps I misunderstood the meaning of these settings. In

TSyncAgent::isAuthTypeAllowed() I see that fRequiredAuth is checked  
only

to see whether the client's credentials are "strong" enough. If the
client provides credentials, they still have to be correct.

In TSyncSession::checkCredentials(), the relevant code is this:

     // first check credentials
     // NOTE: This must be done first, to force calling SessionLogin
     //       in all cases
     authok=checkCredentials(aUserName,authdata,authtype);
     // now check result
     if (!isAuthTypeAllowed(authtype)) {

       aStatusCommand.setStatusCode(401); // we need another auth  
type, tell client which one

       authok=false; // anyway, reject

       PDEBUGPRINTFX(DBG_ERROR,("Authorization failed (wrong type of  
creds), sending 401 + chal"));

     }
     else if (!authok) {
       // auth type allowed, but auth itself not ok

       aStatusCommand.setStatusCode(401); // unauthorized, bad  
credentials
       PDEBUGPRINTFX(DBG_ERROR,("Authorization failed (invalid  
credentials) sending 401 + chal"));

     }
     if (!authok) {
       // - add challenge
       aStatusCommand.setChallenge(newSessionChallenge());
     }


Would it be okay to add something like this before "else if (! 
authok)"?

It solves the problem for me.

     if (!authok && isAuthTypeAllowed(auth_none)) {
       authok = true;
     }


That changes the meaning of <requiredauth>none</requiredauth> from  
"all

kinds of authentication methods allowed, including none" to "all kinds
of credentials allowed, including invalid ones". Because a client with

invalid credentials was already allowed to connect by not sending  
them,
this doesn't make a server setup less secure. It has the advantage  
that

the client setup becomes easier.

I added my patch to the "master" branch on moblin.org, because it is
needed for SyncEvolution. Please merge if you agree with this change.

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.



_______________________________________________
os-libsynthesis mailing list
os-libsynthesis@synthesis.ch
http://lists.synthesis.ch/mailman/listinfo/os-libsynthesis


Lukas Zeller (l...@synthesis.ch)
-
Synthesis AG, SyncML Solutions  & Sustainable Software Concepts
i...@synthesis.ch, http://www.synthesis.ch





_______________________________________________
os-libsynthesis mailing list
os-libsynthesis@synthesis.ch
http://lists.synthesis.ch/mailman/listinfo/os-libsynthesis






















					Reply via email to