[ARGUS] sasl a solution (ugly, but a solution :-))
Carter Bullard
carter at qosient.com
Thu Aug 12 19:58:28 EDT 2004
Hey Peter,
So we do need the patch below?
Carter
> From: Peter Van Epp <vanepp at sfu.ca>
> Date: Wed, 11 Aug 2004 13:06:31 -0700
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] sasl a solution (ugly, but a solution :-))
>
> After much head scratching and searching documentation and the sasl
> mailing list I finally realized the problem is their shared secret and what
> I want for shared secret (an ssh like host key) aren't the same. The reason
> I haven't been able to figure out how to do shared secret without a user on
> the far end is because sasl isn't intended to do that (at least I think thats
> the case). The solution is to hack the argus code to hard code user id
> argus (twice, once as the authenticating user and once as the effective
> user which is why there are two user prompts) and a hard coded password (which
> all of which should move to a root owned file somewhere rather than being
> hard coded). With this change ra can connect via sasl without user interaction
> which is what I need for unattended operation.
> You then need to use saslpasswd on the argus server to set user name
> argus and the password that you hard coded in place of passwd in the code
> below in to the sasl password db.
> Now ra can connect to the server with no user interaction across the
> secure link. If someone can read the password you probably have bigger
> problems
> than them being able to access your argus server, so while insecure, this is
> probably OK (and moreover it does what I need to do right now which is
> establish a restartable link between 2 of my machines across an untrusted
> network :-)).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> *** common/argus_auth.c.orig Wed Aug 11 12:45:25 2004
> --- common/argus_auth.c Wed Aug 11 12:46:11 2004
> ***************
> *** 80,86 ****
> --- 80,90 ----
>
> #include <ctype.h>
> #include <assert.h>
> + #if defined(__FreeBSD__)
> + #include "/usr/local/include/sasl1/sasl.h"
> + #else
> #include <sasl.h>
> + #endif
>
> #endif /* ARGUS_SASL */
>
> ***************
> *** 294,301 ****
> switch (id) {
> case SASL_CB_USER:
> if (ustr == NULL) {
> ! printf("please enter an authorization id: ");
> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
>
> } else {
> if ((ptr = strchr(ustr, '/')) != NULL)
> --- 298,309 ----
> switch (id) {
> case SASL_CB_USER:
> if (ustr == NULL) {
> ! /* printf("please enter an authorization id: ");
> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
> !
> ! /* kludge in user id "argus" with a fixed password ... */
> ! strcpy(RaSimpleBuf,"argus");
> !
>
> } else {
> if ((ptr = strchr(ustr, '/')) != NULL)
> ***************
> *** 317,324 ****
> ptr++;
>
> if (ptr == NULL) {
> ! printf("please enter an authentication id: ");
> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
> } else
> sprintf (RaSimpleBuf, "%s", ptr);
>
> --- 325,334 ----
> ptr++;
>
> if (ptr == NULL) {
> ! /* printf("please enter an authentication id: ");
> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
> !
> ! strcpy(RaSimpleBuf,"argus");
> } else
> sprintf (RaSimpleBuf, "%s", ptr);
>
> ***************
> *** 346,351 ****
> --- 356,364 ----
> char *
> getpassphrase(const char *prompt)
> {
> +
> + /* set a password here to avoid the prompts ... */
> + return ("passwrd");
> return getpass(prompt);
> }
> #endif /* ! HAVE_GETPASSPHRASE */
>
More information about the argus
mailing list