package libsasl2-modules provides only unsafe SASL bind mechanims
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cyrus-sasl2 (Debian) |
Fix Released
|
Unknown
|
|||
| cyrus-sasl2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Jammy |
Fix Released
|
Undecided
|
Andreas Hasenack | ||
Bug Description
[ Impact ]
The SASL SCRAM mechanism is incorrectly part of the libsasl2-
Normally this would just be an annoyance, but it just so happens that this also prevents to have the SCRAM mechanism coexist with the GSSAPI Heimdal one, because libsasl2-
This change is moving a file from one package to another, so appropriate breaks/replaces changes have to be made. This move follows case #10 from the package transition table[1].
[ Test Plan ]
This test plan revolves around dependency checking and upgrades, to make sure we don't:
- have conflicting files which would break an upgrade
- have no loss of functionality after an upgrade (since a plugin moved between packages)
a) SCRAM remains installed
# Install the package that provides SCRAM in jammy
$ sudo apt install libsasl2-
# Confirm mechanism is there and belongs to libsasl2-
$ ll /usr/lib/
lrwxrwxrwx 1 root root 18 Aug 16 20:08 /usr/lib/
$ dpkg -S /usr/lib/
libsasl2-
# list installed sasl2 packages:
$ dpkg -l | grep -E "^ii.*sasl2" | awk '{print $2,$3}'
libsasl2-2:amd64 2.1.27+
libsasl2-
libsasl2-
libsasl2-
# dist-upgrade or install the new sasl2 packages from proposed
# Confirm the same packages are installed as before the upgrade, just at their newer versions:
libsasl2-2:amd64 2.1.27+
libsasl2-
libsasl2-
libsasl2-
# Confirm the scram mechanism is still there, as before:
$ ll /usr/lib/
lrwxrwxrwx 1 root root 18 Aug 16 20:08 /usr/lib/
# But now it belongs to the libsasl2-modules package:
$ dpkg -S /usr/lib/
libsasl2-
b) Following (a), perform a release-upgrade to kinetic, and confirm that the same sasl2 packages remain installed, but now at the kinetic version:
$ dpkg -l | grep -E "^ii.*sasl2" | awk '{print $2,$3}'
libsasl2-2:amd64 2.1.28+
libsasl2-
libsasl2-
libsasl2-
And that the scram mechanism is there, and still belongs to the libsasl2-modules package:
$ ll /usr/lib/
lrwxrwxrwx 1 root root 18 Aug 16 20:08 /usr/lib/
$ dpkg -S /usr/lib/
libsasl2-
c) A jammy system WITHOUT the SCRAM mechanism available (i.e., libsasl2-
# Start with these sasl2 packages installed on jammy:
libsasl2-2:amd64 2.1.27+
libsasl2-
libsasl2-
# Confirm SCRAM is not installed:
$ ll /usr/lib/
ls: cannot access '/usr/lib/
# Upgrade to the packages in proposed
# Confirm no new sasl2 packages were installed:
$ dpkg -l | grep -E "^ii.*sasl2" | awk '{print $2,$3}'
libsasl2-2:amd64 2.1.27+
libsasl2-
libsasl2-
# Verify that SCRAM is now available, and part of the libsasl2-modules package:
$ ll /usr/lib/
lrwxrwxrwx 1 root root 18 Aug 16 20:08 /usr/lib/
$ dpkg -S /usr/lib/
libsasl2-
# Perform a release upgrade to kinetic, and confirm that no new sasl2 package is installed, and that the SCRAM mechanism remains available as before, belonging to the libsasl2-modules package.
d) It's now possible to have SCRAM and gssapi heimdal mechanisms installed at the same time
# On jammy, install libsasl2-
$ sudo apt install libsasl2-
# Confirm SCRAM is available and part of the libsasl2-
$ ll /usr/lib/
lrwxrwxrwx 1 root root 18 Feb 22 2022 /usr/lib/
$ dpkg -S /usr/lib/
libsasl2-
# If you try to install libsasl2-
$ sudo apt install libsasl2-
(...)
The following packages will be REMOVED:
libsasl2-
(...)
$ dpkg -S /usr/lib/
dpkg-query: no path found matching pattern /usr/lib/
# IF, however, the above is attempted with the sasl2 packages from proposed available, then, even though libsasl2-
$ sudo apt install libsasl2-
(...)
The following packages will be REMOVED:
libsasl2-
(...)
The following packages will be upgraded:
libsasl2-modules
# And in the end we have libsasl2-modules and libsasl2-
$ dpkg -l | grep sasl2 | awk '{print $2,$3}'
libsasl2-2:amd64 2.1.27+
libsasl2-
libsasl2-
libsasl2-
$ dpkg -S /usr/lib/
libsasl2-
# A release upgrade to kinetic must not change this situation, besides the versions of the packages.
$ dpkg -l | grep sasl2 | awk '{print $2,$3}'
libsasl2-2:amd64 2.1.28+
libsasl2-
libsasl2-
libsasl2-
$ dpkg -S /usr/lib/
libsasl2-
[ Where problems could occur ]
Since this change is moving a file from one package to the other, the problems that could occur will most likely be related to dependencies, and failures to install the packages because of file conflicts. Another possibility is problems during release upgrades, also related to conflicting files. Finally, another possible issue would be users who had certain SASL mechanisms installed before, be without them after the upgrade.
The test plan tries to cover the above scenarios.
[ Other Info ]
This change comes from debian's 2.1.28+dfsg-4[2] upload, and is applied in kinetic and later.
1. https:/
2. https:/
[Original Description]
Current Cyrus libsasl2 packaging (Ubuntu Jammy) distributes SASL bind mechanims into different packages. Plained and shared secret mechanisms are provided by package libsasl2-modules:
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
The "safest" mechanism in this list is DIGEST-MD5, which is marked as obsolete by IANA and regarded as unsafe by IETF. Current safest standard mechanisms are SCRAM based (RFC7677).
All SCRAM family SASL mechanisms of Cyrus SASL are provided by Ubuntu package libsasl2-
/usr/lib/
/usr/lib/
/usr/lib/
But the focus of this package is GSSAPI and GS2 SASL mechanism, which have nothing to do with SCRAM. In addition, this package conflicts with package libsasl2-
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 64 lines (+14/-4)4 files modifieddebian/changelog (+8/-0)
debian/control (+5/-3)
debian/libsasl2-modules-gssapi-mit.install (+0/-1)
debian/libsasl2-modules.install (+1/-0)
| rdratlos (rdratlos) wrote | #1 |
| Ubuntu Foundations Team Bug Bot (crichton) wrote | #2 |
| tags: | added: patch |
| Lucas Kanashiro (lucaskanashiro) wrote | #3 |
| Changed in cyrus-sasl2 (Ubuntu): | |
| status: | New → Fix Released |
| Changed in cyrus-sasl2 (Ubuntu Jammy): | |
| status: | New → Triaged |
| tags: | added: server-todo |
| Changed in cyrus-sasl2 (Ubuntu Jammy): | |
| assignee: | nobody → Andreas Hasenack (ahasenack) |
| Changed in cyrus-sasl2 (Ubuntu Jammy): | |
| status: | Triaged → In Progress |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| Changed in cyrus-sasl2 (Debian): | |
| status: | Unknown → Fix Released |
| description: | updated |
| Chris Halse Rogers (raof) wrote Please test proposed package | #4 |
| Changed in cyrus-sasl2 (Ubuntu Jammy): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed verification-needed-jammy |
| Andreas Hasenack (ahasenack) wrote | #5 |
| Andreas Hasenack (ahasenack) wrote | #6 |
| Andreas Hasenack (ahasenack) wrote | #7 |
| Andreas Hasenack (ahasenack) wrote | #8 |
| Andreas Hasenack (ahasenack) wrote | #9 |
| tags: |
added: verification-done-jammy removed: verification-needed-jammy |
| Chris Halse Rogers (raof) wrote Update Released | #10 |
| Launchpad Janitor (janitor) wrote | #11 |
| Changed in cyrus-sasl2 (Ubuntu Jammy): | |
| status: | Fix Committed → Fix Released |
Attached patch adds SCRAM family mechanisms to the SASL shared secret mechanims package. It has been tested on an LDAP client in three configurations:
- libsasl2-
- libsasl2-
- libsasl2-
For the latter two configurations also GSSAPI SASL authentication has been tested.