automatic commit
cyrusdocgen committed Jul 22, 2023
1 parent 8a8e5fc commit 6131885
Showing 38 changed files with 136 additions and 292 deletions.
2 changes: 1 addition & 1 deletion sasl/_sources/index.txt
@@ -18,7 +18,7 @@ Features
--------
Cyrus SASL provides a number of authentication plugins out of the box.

LMDB, GDBM, or NDBM (sasldb), PAM, MySQL, PostgreSQL, SQLite, LDAP, Active Directory (LDAP), DCE, Kerberos 5, proxied IMAP auth, getpwent, shadow, SIA, Courier Authdaemon, httpform, APOP and SASL mechanisms: ANONYMOUS, CRAM-MD5, DIGEST-MD5, EXTERNAL, GSSAPI, LOGIN, OTP, PASSDSS, PLAIN, SCRAM, SRP
LMDB, GDBM, or NDBM (sasldb), PAM, MySQL, PostgreSQL, SQLite, LDAP, Active Directory (LDAP), DCE, Kerberos 5, proxied IMAP auth, getpwent, shadow, SIA, Courier Authdaemon, httpform, APOP and SASL mechanisms: ANONYMOUS, CRAM-MD5, EXTERNAL, GSSAPI, LOGIN, OTP, PASSDSS, PLAIN, SCRAM, SRP

.. _SASL: https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
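Review bot: the commit message is only "automatic commit", so nothing records why DIGEST-MD5 is dropped from the feature list while CRAM-MD5 stays, even though authentication_mechanisms.txt (unchanged context later in this commit) carries a warning that CRAM-MD5 is obsolete too. State the criterion (mechanism removed from the tree, or moved to Historic) in the commit message or in a short note near this list, so that the next editor applies the same rule to CRAM-MD5 and readers know whether the omission is deliberate.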

11 changes: 0 additions & 11 deletions sasl/_sources/sasl/authentication_mechanisms.txt
@@ -31,15 +31,6 @@ Documented in a `RFC Draft: draft-ietf-sasl-crammd5 <https://tools.ietf.org/html
.. warning::
The CRAM-MD5 SASL mechanism is obsolete. It has been moved to Historic in `draft-ietf-sasl-crammd5-to-historic <https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00>`_

DIGEST-MD5
----------

This mechanism improves upon the :ref:`MECH-CRAM-MD5` mechanism by avoiding the need for the server to store plaintext passwords.
With digest authentication the server needs to store the **MD5 digest** of the users password which helps to make the system more secure.
As in :ref:`MECH-CRAM-MD5` the password is hashed with a server nonce and other data before being transmitted across the network.

Defined in :rfc:`2831`

EXTERNAL
--------
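Review bot: the whole DIGEST-MD5 section is deleted without leaving a pointer, whereas the CRAM-MD5 entry just above keeps a `.. warning::` that says the mechanism is obsolete and where it was moved to Historic. A reader who still sees DIGEST-MD5 advertised by an older server will now find nothing on this page; consider replacing the section with a one-line historic note (the rfcs.txt hunk in this same commit cites RFC 6331 as that document) rather than silently removing it. Also check that no remaining `:ref:` target pointed at the deleted heading, the way `:ref:`MECH-CRAM-MD5`` points at the CRAM-MD5 one, since Sphinx will otherwise warn on the next build.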

@@ -173,8 +164,6 @@ of the mechanisms provided by the Cyrus SASL Library.
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| CRAM-MD5 | 0 | X | | | | X | | | | X | | | | |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| DIGEST-MD5 | 128 | X | | | | X | | X | reauth | initial auth | X | X | | X |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| EXTERNAL | 0 | X | | X | | X | | | X | | | X | | |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| GS2 | 56 | X | X | | | X | | X | X | | X | X | X | |
4 changes: 2 additions & 2 deletions sasl/_sources/sasl/components.txt
@@ -99,7 +99,7 @@ Plugins: SASL Mechanisms
------------------------

The simplest types of plugins to understand are those which provide
SASL mechanisms, such as CRAM-MD5, DIGEST-MD5, GSSAPI, PLAIN, SCRAM, SRP, and so on.
SASL mechanisms, such as CRAM-MD5, GSSAPI, PLAIN, SCRAM, SRP, and so on.
These mechanisms take care of both server-side and client-side parts
of the SASL negotiation. If the given mechanism supports a security layer
(that is, makes guarantees about privacy or integrity of data after the
@@ -125,7 +125,7 @@ Password Verification Mechanisms
of the password.
Shared Secret Mechanisms
For these mechanisms,
such as CRAM-MD5, DIGEST-MD5, OTP, SCRAM, and SRP,
such as CRAM-MD5, OTP, SCRAM, and SRP,
there is a shared secret between the server and client (e.g. a password).
However, in this case the password itself does not travel on the wire.
Instead, the client passes a server a token that proves that it knows
4 changes: 2 additions & 2 deletions sasl/_sources/sasl/developer/plugprog.txt
@@ -143,7 +143,7 @@ SASL_FEAT_SERVER_FIRST

If neither flag is set, the mechanism will handle the client-send
first situation internally, because the client may or may not send
first. (e.g. DIGEST-MD5). In this case, the plugin must
first. In this case, the plugin must
intelligently check for the presence (or absence) of clientin/serverin
data. Note that the optional client send-first is only possible when the
protocol permits an initial response.
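Review bot: dropping "(e.g. DIGEST-MD5)" leaves the client-may-or-may-not-send-first case without the concrete instance that the neighbouring bullets keep for PLAIN and SRP. If another shipped mechanism has this behaviour, name it here; if none does, say so explicitly, so plugin authors reading "the plugin must intelligently check for the presence (or absence) of clientin/serverin data" know this is a requirement on new plugins rather than a description of an existing one.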
@@ -154,7 +154,7 @@ setting \*serverout when the step function returns SASL_OK.
* For mechanisms
which never send last (e.g. PLAIN), \*serverout must be set to NULL.
* For
mechanisms which always send last (e.g. DIGEST-MD5), \*serverout must
mechanisms which always send last, \*serverout must
point to the success data.
* For mechanisms in which the server may or
may not send last (e.g. SRP), \*serverout must be set accordingly.
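Review bot: same loss of example as in the previous hunk: "mechanisms which always send last" now has no instance while the adjacent bullets cite PLAIN (never sends last) and SRP (may or may not). Either cite a remaining mechanism that always sends last, or reword the three bullets as the three cases a plugin must handle rather than a catalogue of shipped mechanisms; as written, a reader may conclude the middle case no longer occurs.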
2 changes: 1 addition & 1 deletion sasl/_sources/sasl/developer/testing.txt
@@ -43,7 +43,7 @@ chance these will need to be escaped for proper interpretation by the shell):
> ./sample-client -i local=128.2.121.162;23,remote=128.2.121.162;23 -s rcmd -n SPOOKY.ANDREW.CMU.EDU
Waiting for mechanism list from server...
S: UExBSU4gQU5PTllNT1VTIEtFUkJFUk9TX1Y0IERJR0VTVC1NRDUgQ1JBTS1NRDUgAAAAAED5EEA=
Choosing best mechanism from: PLAIN ANONYMOUS GSSAPI DIGEST-MD5 CRAM-MD5
Choosing best mechanism from: PLAIN ANONYMOUS GSSAPI CRAM-MD5
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
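Review bot: the edited "Choosing best mechanism from:" line is the client's decoded rendering of the server message on the "S:" line two lines above, and that base64 is left unchanged; it still decodes to a list beginning "PLAIN ANONYMOUS KERBEROS_V4 DIGEST-MD5 CRAM-MD5", so the transcript is now inconsistent with itself (it already said GSSAPI where the wire line says KERBEROS_V4). Either recapture the session against a current build or leave the old transcript intact and label it as a historical capture; a hand-edited line in a captured exchange is exactly what a reader will compare against when debugging their own sample-client output.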
6 changes: 3 additions & 3 deletions sasl/_sources/sasl/faqs/crammd5-digestmd5-scram.txt
@@ -1,10 +1,10 @@
Why do CRAM-MD5, DIGEST-MD5 and SCRAM not work with CyrusSaslauthd?
-------------------------------------------------------------------
Why do CRAM-MD5 and SCRAM not work with CyrusSaslauthd?
-------------------------------------------------------

Saslauthd is only capable of verifying plaintext passwords (it takes a
plaintext password and a username and responds with "yes" or "no",
essentially). Therefore, since the plaintext password isn't passed from
client to server in SCRAM, DIGEST-MD5 and CRAM-MD5, Saslauthd can't verify the
client to server in SCRAM and CRAM-MD5, Saslauthd can't verify the
password.

Authentication in a CyrusSaslauthd-only environment will not only fail
8 changes: 3 additions & 5 deletions sasl/_sources/sasl/faqs/openldap-sasl-gssapi.txt
@@ -6,10 +6,10 @@ This article assumes that you have read and followed the SASL chapter of the `Op
To verify that you have the Cyrus :ref:`GSSAPI <gssapi>` mechanism properly installed, use the pluginviewer command. For instance::

server:~# pluginviewer | grep -i gssapi
CRAM-MD5 PLAIN GSSAPI OTP DIGEST-MD5 ANONYMOUS LOGIN EXTERNAL
CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
CRAM-MD5 PLAIN GSSAPI OTP DIGEST-MD5 ANONYMOUS LOGIN EXTERNAL
CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56

@@ -19,7 +19,6 @@ On your client system, search the Root DSE of the server to view advertised mech

client:~# ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
@@ -35,7 +34,7 @@ For more control over how the SASL library operates within the OpenLDAP? server,
For instance, if you create /usr/lib/sasl2/slapd.conf (assuming that is the correct location on your system) with the following contents::

keytab: /etc/krb5.keytab-ldap
mech_list: CRAM-MD5 DIGEST-MD5 GSSAPI
mech_list: CRAM-MD5 GSSAPI

then the server will search within /etc/krb5.keytab-ldap when initializing the GSSAPI plugin. The server will only offer the mechanisms listed in mech_list. If mech_list is not specified, the server will offer all the mechanisms available, and that it can initialize.
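Review bot: the example `mech_list` now reads "CRAM-MD5 GSSAPI", but authentication_mechanisms.txt (unchanged context in this commit) warns that CRAM-MD5 is obsolete, and the options.txt hunk in this same commit switches its own example to SCRAM. For a how-to that readers will paste into slapd.conf, a concrete SCRAM mechanism name (for example SCRAM-SHA-256, if the build ships it) alongside GSSAPI would be the consistent choice; if CRAM-MD5 is kept here deliberately for compatibility with older clients, say so in the sentence that follows, since that sentence already explains how `mech_list` restricts what the server offers.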

@@ -46,7 +45,6 @@ Once you have verified that the server is advertising GSSAPI support, then try::
SASL username: host/[email protected]
SASL SSF: 56 SASL data security layer installed.
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
11 changes: 2 additions & 9 deletions sasl/_sources/sasl/faqs/plaintextpasswords.txt
@@ -1,20 +1,13 @@
Why does CyrusSasl store plaintext passwords in its databases?
--------------------------------------------------------------

To operate with the CRAM-MD5, DIGEST-MD5 and SCRAM mechanisms, Cyrus SASL
To operate with the CRAM-MD5 and SCRAM mechanisms, Cyrus SASL
stores plaintext versions of the passwords in its secret database (an
AuxpropPlugin).

This is typically regarded as insecure practice, however the alternative
is not much better. For CRAM-MD5, DIGEST-MD5 and SCRAM to function, they must
is not much better. For CRAM-MD5 and SCRAM to function, they must
have a plaintext equivalent locally in order to confirm the hash that
actually goes across a wire. This, if these equivalents were
compromised, it is trivially easy for an attacker to have access to any
account on the system.

Note that for DIGEST-MD5 this isn't strictly true: the hash that DIGEST
can use limits the attack to only the realm for which the password
applies, but this is a questionable security gain for the increased
management hassles (you can't share them between mechanisms) that the
plaintext equivalents cause.
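Review bot: the retained context "This, if these equivalents were compromised, it is trivially easy for an attacker to have access to any account on the system" should read "Thus, if these equivalents were compromised, ..."; it is the conclusion of the preceding sentence, and this hunk already rewrites the paragraph around it. Removing the DIGEST-MD5 realm-scoping paragraph is consistent with the rest of the commit, and the FAQ's answer now rests on CRAM-MD5 and SCRAM alone, which still supports the heading's question.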

1 change: 0 additions & 1 deletion sasl/_sources/sasl/faqs/rfcs.txt
@@ -9,7 +9,6 @@ RFCs and drafts
* :rfc:`2222#section-7.1` - Simple Authentication and Security Layer (SASL) (KERBEROS_V4)
* :rfc:`2444` - The One-Time-Password SASL Mechanism (OTP)
* :rfc:`2808` - The SecurID(r) SASL Mechanism
* :rfc:`2831` - Using Digest Authentication as a SASL Mechanism (historic: :rfc:`6331`)
* :rfc:`4120` - The Kerberos Network Authentication Service (V5)
* :rfc:`4178` - The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism
* :rfc:`4422` - Simple Authentication and Security Layer (SASL)
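Review bot: this is a reference list, and the deleted entry already carried the "(historic: RFC 6331)" marker that explains the mechanism's status; removing it takes away the only place on these pages that tells a reader why DIGEST-MD5 no longer appears. Keep the line, marked historic as it was, in the same way the KERBEROS_V4 and SecurID entries for mechanisms of similar vintage are kept above it.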
6 changes: 3 additions & 3 deletions sasl/_sources/sasl/installation.txt
@@ -75,7 +75,7 @@ installation:


1. What mechanisms do you want to support? Are they plaintext (LOGIN, PLAIN),
shared secret (SCRAM, DIGEST-MD5, CRAM-MD5), or Kerberos (GSSAPI)?
shared secret (SCRAM, CRAM-MD5), or Kerberos (GSSAPI)?
Perhaps you will use some combination (generally plaintext with one of
the other two types).
2. Given the answer to the previous question, how will the mechanisms
@@ -142,10 +142,10 @@ resources to load a given plugin, even if that plugin is otherwise unused
(even when it is disabled via the :option:`mech_list` option).

As of this writing, modules that are enabled by default but may not
be applicable to all systems include CRAM-MD5, DIGEST-MD5, SCRAM, OTP,
be applicable to all systems include CRAM-MD5, SCRAM, OTP,
GSSAPI, PLAIN, and ANONYMOUS. These can be disabled with::

``--disable-cram``, ``--disable-digest``,
``--disable-cram``,
``--disable-scram``, ``--disable-otp``,
``--disable-gssapi``,
``--disable-plain``, and ``--disable-anon`` respectively.
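Review bot: removing ``--disable-digest`` from the documented configure flags is only right if the option was removed from the configure script in the same change, and nothing in this commit says so. If the plugin is merely no longer built by default rather than deleted from the tree, the flag (or its enabling counterpart) still belongs in this list. The sentence above also states that these modules are "enabled by default"; re-check that claim against the current default set so the prose and the flag list stay in step.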
12 changes: 1 addition & 11 deletions sasl/_sources/sasl/options.txt
@@ -209,7 +209,7 @@ Examples
ldapdb_uri: ldap://ldap.example.com
ldapdb_id: root
ldapdb_pw: secret
ldapdb_mech: DIGEST-MD5
ldapdb_mech: SCRAM
ldapdb_canon_attr: uid

The LDAP server must be configured to map the SASL authcId "root" into a DN
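Review bot: "ldapdb_mech: SCRAM" uses the family name rather than a SASL mechanism name; the registered names have the form SCRAM-SHA-1 and SCRAM-SHA-256, and the value of this option is what the ldapdb plugin hands to the LDAP client library when it binds as "root", so a family name may not select anything. Use the exact mechanism name the slapd server advertises in supportedSASLMechanisms (the openldap-sasl-gssapi FAQ edited in this same commit shows the ldapsearch query that lists them), and verify the example against a live bind before publishing it.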
@@ -251,16 +251,6 @@ OTP

Default: md5

Digest-md5
==========

.. option:: reauth_timeout [<minutes>]

Length in time (in minutes) that authentication info will be
cached for a fast reauth. A value of 0 will disable reauth.

Default: 0 - reauth disabled.

SASLDB
======

1 change: 0 additions & 1 deletion sasl/_sources/sasl/quickstart.txt
@@ -18,7 +18,6 @@ this distribution:

* ANONYMOUS
* CRAM-MD5
* DIGEST-MD5 (requires OpenSSL libcrypto)
* EXTERNAL
* GSSAPI (MIT Kerberos 5, Heimdal Kerberos 5 or CyberSafe)
* LOGIN
@@ -63,7 +63,7 @@ Example

may give the following string as a result:

`(ANONYMOUS,GSSAPI,DIGEST‐MD5)`
`(ANONYMOUS,GSSAPI)`

Return Value
============
6 changes: 3 additions & 3 deletions sasl/_sources/sasl/sysadmin.txt
@@ -222,7 +222,7 @@ Shared secrets mechanisms
-------------------------

The Cyrus SASL library also supports some "shared secret"
authentication methods: CRAM-MD5, DIGEST-MD5 and its successor SCRAM.
authentication methods: CRAM-MD5 and SCRAM.
These methods rely on the client and the server sharing a "secret",
usually a password. The server generates a challenge and the client a
response proving that it knows the shared secret. This is much more
@@ -295,7 +295,7 @@ The OTP mechanism
-----------------

The Cyrus SASL library also supports the One-Time-Password (OTP)
mechanism. This mechanism is similar to CRAM-MD5, DIGEST-MD5, SCRAM
mechanism. This mechanism is similar to CRAM-MD5, SCRAM
and SRP in that is uses a shared secret and a challenge/response exchange.
However, OTP is more secure than the other shared secret mechanisms in
that the secret is used to generate a sequence of one-time (single
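Review bot: the retained context "in that is uses a shared secret" should read "in that it uses a shared secret"; this hunk already rewrites that sentence, so fix the typo in the same change rather than leaving it for a later pass.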
@@ -403,7 +403,7 @@ Why doesn't OTP doesn't appear as an available mechanism?
be readable by the Cyrus user. By default, the library looks for the
opiekeys in ``/etc/opiekeys``, but it's configurable using the
:option:`opiekeys` option.
Why don't CRAM-MD5, DIGEST-MD5 and SCRAM work with my old sasldb?
Why don't CRAM-MD5 and SCRAM work with my old sasldb?
Because sasldb now stores plaintext passwords only, the old
sasldb is incompatible.
I'm having performance problems on each authentication, there is a noticeable slowdown when sasl initializes, what can I do?
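Review bot: the heading shown in the hunk header, "Why doesn't OTP doesn't appear as an available mechanism?", has a doubled "doesn't"; since this hunk touches the neighbouring FAQ entry, correct it to "Why doesn't OTP appear as an available mechanism?" in the same change. The edited question and its answer ("sasldb now stores plaintext passwords only") are consistent with the plaintextpasswords FAQ as modified earlier in this commit.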
4 changes: 1 addition & 3 deletions sasl/developer.html
@@ -194,7 +194,6 @@ <h1>Cyrus SASL</h1>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="sasl/options.html#otp">OTP</a></li>
<li class="toctree-l3"><a class="reference internal" href="sasl/options.html#digest-md5">Digest-md5</a></li>
<li class="toctree-l3"><a class="reference internal" href="sasl/options.html#sasldb">SASLDB</a><ul>
<li class="toctree-l4"><a class="reference internal" href="sasl/options.html#notes-on-sasldb-with-lmdb">Notes on sasldb with LMDB</a></li>
</ul>
@@ -320,7 +319,6 @@ <h1>Cyrus SASL</h1>
<li class="toctree-l3"><a class="reference internal" href="sasl/authentication_mechanisms.html#mechanisms">Mechanisms</a><ul>
<li class="toctree-l4"><a class="reference internal" href="sasl/authentication_mechanisms.html#anonymous">ANONYMOUS</a></li>
<li class="toctree-l4"><a class="reference internal" href="sasl/authentication_mechanisms.html#cram-md5">CRAM-MD5</a></li>
<li class="toctree-l4"><a class="reference internal" href="sasl/authentication_mechanisms.html#digest-md5">DIGEST-MD5</a></li>
<li class="toctree-l4"><a class="reference internal" href="sasl/authentication_mechanisms.html#external">EXTERNAL</a></li>
<li class="toctree-l4"><a class="reference internal" href="sasl/authentication_mechanisms.html#gs2">GS2</a></li>
<li class="toctree-l4"><a class="reference internal" href="sasl/authentication_mechanisms.html#gssapi">GSSAPI</a></li>
@@ -348,7 +346,7 @@ <h1>Cyrus SASL</h1>
</li>
<li class="toctree-l2"><a class="reference internal" href="sasl/faq.html">Frequently Asked Questions</a><ul>
<li class="toctree-l3"><a class="reference internal" href="sasl/faqs/authorize-vs-authenticate.html">What is the difference between an Authorization ID and a Authentication ID?</a></li>
<li class="toctree-l3"><a class="reference internal" href="sasl/faqs/crammd5-digestmd5-scram.html">Why do CRAM-MD5, DIGEST-MD5 and SCRAM not work with CyrusSaslauthd?</a></li>
<li class="toctree-l3"><a class="reference internal" href="sasl/faqs/crammd5-digestmd5-scram.html">Why do CRAM-MD5 and SCRAM not work with CyrusSaslauthd?</a></li>
<li class="toctree-l3"><a class="reference internal" href="sasl/faqs/openldap-sasl-gssapi.html">How do I configure OpenLDAP +SASL+GSSAPI?</a></li>
<li class="toctree-l3"><a class="reference internal" href="sasl/faqs/plaintextpasswords.html">Why does CyrusSasl store plaintext passwords in its databases?</a></li>
<li class="toctree-l3"><a class="reference internal" href="sasl/faqs/rfcs.html">RFCs and drafts</a></li>