On 3/21/26 18:14, Omar Polo wrote:
> Hello tech,
> 
> some time ago we've introduced a K_AUTH table lookup method, to offload
> the authentication handling to a proc table.  This is different from the
> previous credentials tables because they are supposed to return the hash
> of a password for the given user.
> 
> The only problem with this is that we have a lowercase() before reaching
> the table itself, so for K_AUTH we end up lowercasing both the username
> and the password.
> 
> The cautious reader will realize that this will leave also the username
> with the original casing.  I'm a bit unsure about what to do.  For
> K_AUTH the caller code will construct a string "username:password"
> without changing the casing, then calls table_lookup().  Being pedantic,
> the username *could* be case-sensitive, so there's a small argument for
> keeping the case as-is.
> 
> okay?
> From a quick look through the opensmtpd-tables in ports, I'm unable to
find support for K_AUTH in any of them. And if there are tables out in
the wild who support this I would have expected someone to shout that
their users can't login (or someone needs to reconsider their password
policy if none of their users have an upper case in their password).

Considering the above I would suggest to remove K_AUTH entirely, instead
of adding more tentacles. If we want auth offloading at some point a
better API might be considered, but I reckon simply catting username and
password with a ':' isn't the most convenient for a consumer. Maybe
something like a challenge-response interface to allow for more SASL
mechanisms might be a better option.

martijn@

diff 561bf2d2294adbcad0c55924d4a54e4b0537e497 2939e4fdab3ed9289084c247c1f595b1b39f0adc
commit - 561bf2d2294adbcad0c55924d4a54e4b0537e497
commit + 2939e4fdab3ed9289084c247c1f595b1b39f0adc
blob - 2c04f2bee62cc67e01e8247405b96f5faf12ef04
blob + fd692bbf39368c0ac566d64daafe97067f8089b2
--- usr.sbin/smtpd/lka.c
+++ usr.sbin/smtpd/lka.c
@@ -722,7 +722,6 @@ static int
 lka_authenticate(const char *tablename, const char *user, const char *password)
 {
 	struct table		*table;
-	char	       		 offloadkey[LINE_MAX];
 	union lookup		 lk;
 
 	log_debug("debug: lka: authenticating for %s:%s", tablename, user);
@@ -733,26 +732,6 @@ lka_authenticate(const char *tablename, const char *us
 		return (LKA_TEMPFAIL);
 	}
 
-	/* table backend supports authentication offloading */
-	if (table_check_service(table, K_AUTH)) {
-		if (!bsnprintf(offloadkey, sizeof(offloadkey), "%s:%s",
-		    user, password)) {
-			log_warnx("warn: key serialization failed for %s:%s",
-			    tablename, user);
-			return (LKA_TEMPFAIL);
-		}
-		switch (table_match(table, K_AUTH, offloadkey)) {
-		case -1:
-			log_warnx("warn: user credentials lookup fail for %s:%s",
-			    tablename, user);
-			return (LKA_TEMPFAIL);
-		case 0:
-			return (LKA_PERMFAIL);
-		default:
-			return (LKA_OK);
-		}
-	}
-
 	switch (table_lookup(table, K_CREDENTIALS, user, &lk)) {
 	case -1:
 		log_warnx("warn: user credentials lookup fail for %s:%s",
blob - 4f362dc7ad555afd2c73419d44991ee31da743b1
blob + 305303a7461ac62595a89fb8b889237f70608978
--- usr.sbin/smtpd/smtpd-api.h
+++ usr.sbin/smtpd/smtpd-api.h
@@ -135,7 +135,6 @@ enum table_service {
 	K_RELAYHOST	= 0x200,	/* returns struct relayhost	*/
 	K_STRING	= 0x400,
 	K_REGEX		= 0x800,
-	K_AUTH		= 0x1000,
 };
 #define K_ANY		  0xffff
 
blob - aca013debeab51e319144b92b5ac154bb6dca1ec
blob + a9c724d91ddbf4290fac7ad503390562277f929d
--- usr.sbin/smtpd/table.c
+++ usr.sbin/smtpd/table.c
@@ -83,7 +83,6 @@ table_service_name(enum table_service s)
 	case K_RELAYHOST:	return "relayhost";
 	case K_STRING:		return "string";
 	case K_REGEX:		return "regex";
-	case K_AUTH:		return "auth";
 	}
 	return "???";
 }
@@ -117,8 +116,6 @@ table_service_from_name(const char *service)
 		return K_STRING;
 	if (!strcmp(service, "regex"))
 		return K_REGEX;
-	if (!strcmp(service, "auth"))
-		return K_AUTH;
 	return (-1);
 }