Feature #16002
Status: closed
Done: 0%
SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) support
Description
Dear pfSense team,
I have discovered that the "Notification E-Mail auth mechanism" support is not good:
- https://pfsense/system_advanced_notifications.php
-- LOGIN
-- PLAIN
Can you add SCRAM (Salted Challenge Response Authentication Mechanism) support to have more security?
- https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism
Thanks in advance.
- SCRAM-SHA-1
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-512
- SCRAM-SHA-512-PLUS
- SCRAM-SHA3-512
- SCRAM-SHA3-512-PLUS
"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
- SCRAM-SHA-1(PLUS): https://tools.ietf.org/html/rfc5802
-- https://tools.ietf.org/html/rfc6120
- SCRAM-SHA-256(PLUS): https://tools.ietf.org/html/rfc7677 since 2015-11-02
-- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
- SCRAM-SHA-512(PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha-512
- SCRAM-SHA3-512(PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
- SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
-- https://tools.ietf.org/html/draft-melnikov-scram-bis
https://xmpp.org/extensions/inbox/hash-recommendations.html
PLUS variants:
- RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
- Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
- RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266
IMAP:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051
LDAP:
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
HTTP:
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804
2FA:
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa
IANA:
- Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
Linked to:
- https://github.com/scram-xmpp/info/issues/1
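As an added illustration of the mechanism this request asks for (example code written for this page, not code from pfSense, Net_SMTP or the reporter), here is the SCRAM-SHA-256 exchange of RFC 5802/7677 run in one process: the server stores only StoredKey/ServerKey, the password never crosses the wire, and both sides authenticate each other. The user name, password, nonces and salt are those of the RFC 7677 section 3 example, so the output can be compared with the RFC; the non-PLUS variant (no channel binding) is shown.

```python
import base64
import hashlib
import hmac

GS2_HEADER = "n,,"  # "n": client does not use channel binding, i.e. the non-PLUS variant
CB_INPUT = base64.b64encode(GS2_HEADER.encode()).decode()  # the "c=biws" attribute

def _h(data):
    return hashlib.sha256(data).digest()
def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password, salt, iterations=4096):
    """What the server stores: salt, iteration count, StoredKey, ServerKey. Never the password."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)  # Hi() of RFC 5802
    return {"salt": salt, "i": iterations, "stored_key": _h(_hmac(salted, "Client Key")),
            "server_key": _hmac(salted, "Server Key")}

def scram_sha256_exchange(user, password, cred, cnonce, snonce):
    """Run the four SCRAM-SHA-256 messages (RFC 5802 s.5, SHA-256 per RFC 7677) in one process."""
    client_first_bare = f"n={user},r={cnonce}"
    nonce = cnonce + snonce
    server_first = f"r={nonce},s={base64.b64encode(cred['salt']).decode()},i={cred['i']}"
    client_final_bare = f"c={CB_INPUT},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}"
    # Client: ClientKey is masked with a MAC that only a holder of StoredKey can reproduce,
    # so the password itself never crosses the wire (unlike PLAIN/LOGIN).
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], cred["i"])
    client_key = _hmac(salted, "Client Key")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    out = {"client_first": GS2_HEADER + client_first_bare, "server_first": server_first,
           "client_final": f"{client_final_bare},p={base64.b64encode(proof).decode()}", "ok": False}
    # Server: unmask ClientKey with StoredKey and check H(ClientKey) == StoredKey.
    recovered = _xor(proof, _hmac(cred["stored_key"], auth_message))
    if not hmac.compare_digest(_h(recovered), cred["stored_key"]):
        out["server_final"] = "e=invalid-proof"
        return out
    server_sig = _hmac(cred["server_key"], auth_message)
    out["server_final"] = f"v={base64.b64encode(server_sig).decode()}"
    # Client: the server must prove it knows ServerKey too (mutual authentication).
    out["ok"] = hmac.compare_digest(server_sig, _hmac(_hmac(salted, "Server Key"), auth_message))
    return out

def run_rfc7677_example(password="pencil"):
    """Constructed demo: user/password, nonces and salt are those of the RFC 7677 section 3 example."""
    cred = enroll("pencil", base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ=="))
    return scram_sha256_exchange("user", password, cred,
                                 "rOprNGfwEbeRWgbNEkqO", "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0")
```

Calling `run_rfc7677_example()` with a wrong password makes the server answer `e=invalid-proof` instead of a `v=` signature, which is the check PLAIN and LOGIN cannot offer.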
Updated by Kris Phillips 4 months ago
- Tracker changed from Bug to Feature
- Priority changed from High to Normal
- Affected Version deleted (All)
- Affected Architecture deleted (All)
Moving from Bug Report to Feature Request, as this is not a Bug.
Updated by Jim Pingle 4 months ago
- Category changed from Authentication to Notifications
- Status changed from New to Needs Patch
We do not directly implement that layer; we use PHP libraries (e.g. Mail, which uses Net_SMTP) for these functions, and they do not support these methods. They would have to first be implemented upstream before they could be activated for use on pfSense software.
Updated by Neustradamus - 4 months ago
SCRAM is supported by Net_SMTP which uses Auth_SASL or Auth_SASL2:
- https://github.com/pear/Net_SMTP?tab=readme-ov-file#scram
Not yet the -PLUS variants.