[ARGUS] sasl a solution (ugly, but a solution :-))

Carter Bullard carter at qosient.com
Thu Aug 12 19:58:28 EDT 2004


Hey Peter,
   So we do need the patch below?
Carter


> From: Peter Van Epp <vanepp at sfu.ca>
> Date: Wed, 11 Aug 2004 13:06:31 -0700
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] sasl a solution (ugly, but a solution :-))
> 
> After much head scratching and searching documentation and the sasl
> mailing list I finally realized the problem is their shared secret and what
> I want for shared secret (an ssh-like host key) aren't the same. The reason
> I haven't been able to figure out how to do shared secret without a user on
> the far end is because sasl isn't intended to do that (at least I think that's
> the case). The solution is to hack the argus code to hard-code user id
> argus (twice, once as the authenticating user and once as the effective
> user, which is why there are two user prompts) and a hard-coded password (all
> of which should move to a root-owned file somewhere rather than being
> hard-coded). With this change ra can connect via sasl without user interaction,
> which is what I need for unattended operation.
> You then need to use saslpasswd on the argus server to set user name
> argus and the password that you hard-coded in place of passwd in the code
> below into the sasl password db.
> Now ra can connect to the server with no user interaction across the
> secure link. If someone can read the password you probably have bigger
> problems than them being able to access your argus server, so while insecure,
> this is probably OK (and moreover it does what I need to do right now, which is
> establish a restartable link between 2 of my machines across an untrusted
> network :-)).
> 
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> 
> *** common/argus_auth.c.orig Wed Aug 11 12:45:25 2004
> --- common/argus_auth.c Wed Aug 11 12:46:11 2004
> ***************
> *** 80,86 ****
> --- 80,90 ----
>   
>   #include <ctype.h>
>   #include <assert.h>
> + #if defined(__FreeBSD__)
> + #include "/usr/local/include/sasl1/sasl.h"
> + #else
>   #include <sasl.h>
> + #endif
>   
>   #endif /* ARGUS_SASL */
>   
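Review bot: the FreeBSD branch hard-codes an absolute header path (`#include "/usr/local/include/sasl1/sasl.h"`) into the source, which breaks as soon as the SASL package lives anywhere else and silently picks the sasl1 headers over any sasl2 install. The usual fix is to keep the plain `#include <sasl.h>` and have configure (or CPPFLAGS, e.g. `-I/usr/local/include/sasl1`) supply the directory, so the `#if defined(__FreeBSD__)` block can go away entirely.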
> ***************
> *** 294,301 ****
>      switch (id) {
>         case SASL_CB_USER:
>            if (ustr == NULL) {
> !             printf("please enter an authorization id: ");
> !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
>   
>            } else {
>               if ((ptr = strchr(ustr, '/')) != NULL)
> --- 298,309 ----
>      switch (id) {
>         case SASL_CB_USER:
>            if (ustr == NULL) {
> ! /*            printf("please enter an authorization id: ");
> !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
> ! 
> !  /* kludge in user id "argus" with a fixed password ... */
> !      strcpy(RaSimpleBuf,"argus");
> !      
>   
>            } else {
>               if ((ptr = strchr(ustr, '/')) != NULL)
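Review bot: the `ustr == NULL` fallback now copies the literal `"argus"` into `RaSimpleBuf` unconditionally, so every build of ra that does not pass an explicit id authorizes as that fixed user; the message already notes this belongs in a root-owned file, and until then it should at least be behind a compile-time option (e.g. an `#ifdef` around the `strcpy`) so the interactive prompt is not lost for everyone. Also drop the commented-out `printf`/`fgets` lines rather than leaving them in `/* ... */`, and indent the new `strcpy(RaSimpleBuf,"argus");` to match the surrounding block.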
> ***************
> *** 317,324 ****
>                  ptr++;
>   
>            if (ptr == NULL) {
> !             printf("please enter an authentication id: ");
> !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
>            } else
>               sprintf (RaSimpleBuf, "%s", ptr);
>   
> --- 325,334 ----
>                  ptr++;
>   
>            if (ptr == NULL) {
> ! /*            printf("please enter an authentication id: ");
> !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);    */
> ! 
> !      strcpy(RaSimpleBuf,"argus");
>            } else
>               sprintf (RaSimpleBuf, "%s", ptr);
>   
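Review bot: this is the same literal `"argus"` as in the `SASL_CB_USER` hunk, now written a second time for the authentication id; if the two ever diverge the saslpasswd entry on the server will stop matching, so define the id once (one `#define`, or better the value read from the credential file the message proposes) and use it in both callbacks. While touching this block, the existing `sprintf (RaSimpleBuf, "%s", ptr);` on the non-NULL path has no length bound; if the new line is rewritten anyway, a bounded copy (`snprintf(RaSimpleBuf, sizeof RaSimpleBuf, ...)`) for both paths would be consistent.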
> ***************
> *** 346,351 ****
> --- 356,364 ----
>   char *
>   getpassphrase(const char *prompt)
>   {
> + 
> +   /* set a password here to avoid the prompts ... */
> +   return ("passwrd");
>     return getpass(prompt);
>   }
>   #endif /* ! HAVE_GETPASSPHRASE */
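Review bot: `getpassphrase()` here is compiled only when `HAVE_GETPASSPHRASE` is not defined (see the closing `#endif /* ! HAVE_GETPASSPHRASE */`), so on any platform that ships its own getpassphrase this hunk has no effect and ra will still prompt; the password needs to be supplied from the SASL password callback (or the file the message proposes) rather than from this compatibility shim. Within the shim, `return ("passwrd");` makes the following `return getpass(prompt);` unreachable and leaves `prompt` unused, and the literal ends up in the binary where `strings` will show it. Note too that the message text refers to the placeholder as `passwd` while the code uses `"passwrd"`; whichever is kept must be the exact value given to `saslpasswd` on the server.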
> 
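The message itself says the user id and password should live in a root-owned file rather than in the source. The following is an added example in C, not part of the argus patch or of the argus project's code, of a loader for such a file that a client could call from its SASL callbacks in place of the string literals: it opens the file, checks on the open descriptor that it is a regular file owned by root or by the process itself with no group/other permission bits, and only then parses it. The file format (two lines, `user=...` and `password=...`), the `/tmp/...example` paths, and the function and struct names are assumptions made for this example; the value loaded into `user` is what the `SASL_CB_USER`/`SASL_CB_AUTHNAME` callbacks would copy into `RaSimpleBuf`, and `password` is what `getpassphrase()` would return.

```c
/* Added example (not argus code): load SASL credentials from a protected
 * file instead of compiling them in.  File format and names are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* fstat() below still checks the file actually opened */
#endif

#define CRED_MAX 128

struct sasl_creds {
    char user[CRED_MAX];      /* value for SASL_CB_USER / SASL_CB_AUTHNAME */
    char password[CRED_MAX];  /* value getpassphrase() would hand back     */
};

/* Copy one "key=value" value into dst; reject empty or oversized values. */
static int take_value(char *dst, const char *value)
{
    size_t n = strlen(value);
    if (n == 0 || n >= CRED_MAX)
        return -1;
    memcpy(dst, value, n + 1);
    return 0;
}

/* Returns 0 on success, -1 if the file is missing, not a regular file,
 * owned by anyone other than root or the calling process, accessible by
 * group/other, or missing either key.  open() then fstat() is used so the
 * checks apply to the file that is actually read (no stat/open race). */
int load_sasl_creds(const char *path, struct sasl_creds *out)
{
    struct stat st;
    char line[256];
    int fd, have_user = 0, have_pass = 0;
    FILE *fp;

    memset(out, 0, sizeof *out);
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || (st.st_uid != 0 && st.st_uid != geteuid())
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    fp = fdopen(fd, "r");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strncmp(line, "user=", 5) == 0)
            have_user = take_value(out->user, line + 5) == 0;
        else if (strncmp(line, "password=", 9) == 0)
            have_pass = take_value(out->password, line + 9) == 0;
    }
    fclose(fp);
    if (!have_user || !have_pass) {
        memset(out, 0, sizeof *out);   /* do not hand back a half-read secret */
        return -1;
    }
    return 0;
}

/* Demonstration helper: write a constructed credential file with an explicit
 * mode (fchmod so the process umask cannot widen or narrow it). */
int write_cred_file(const char *path, const char *contents, mode_t mode)
{
    size_t len = strlen(contents);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0 || fchmod(fd, mode) != 0 || write(fd, contents, len) != (ssize_t)len) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return close(fd);
}

/* 1 if the file passes the checks and carries exactly these values, else 0. */
int creds_match(const char *path, const char *user, const char *password)
{
    struct sasl_creds c;
    if (load_sasl_creds(path, &c) != 0)
        return 0;
    return strcmp(c.user, user) == 0 && strcmp(c.password, password) == 0;
}

int main(void)
{
    /* Both files are constructed for the demonstration. */
    const char *ok = "/tmp/argus_creds_ok.example";
    const char *loose = "/tmp/argus_creds_loose.example";
    write_cred_file(ok, "user=argus\npassword=example-secret\n", 0600);
    write_cred_file(loose, "user=argus\npassword=example-secret\n", 0644);
    printf("0600 file accepted: %d\n", creds_match(ok, "argus", "example-secret"));
    printf("0644 file accepted: %d\n", creds_match(loose, "argus", "example-secret"));
    return 0;
}
```

Running it prints `1` for the 0600 file and `0` for the 0644 copy: a world-readable credential file is refused rather than used, which is the property the message's "if someone can read the password" remark depends on. The same loader serves both callbacks, so the user id is defined in one place and the `saslpasswd` entry on the server only has to match that file.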




