[ARGUS] sasl a solution (ugly, but a solution :-))

Peter Van Epp vanepp at sfu.ca
Thu Aug 12 20:48:05 EDT 2004


	No, we need the one before it (or better a configure change) to find
and select where ports have hidden sasl.h, but the password stuff is already
there in the ra.conf file. This diff against fixes.1 (or the noted configure
change) is needed to use sasl from the ports collection. The tar ball appears
to use /usr/local/include/sasl.h, ports cyrus-sasl uses
/usr/local/include/sasl1/sasl.h (this patch) and ports cyrus-sasl2 uses
/usr/local/include/sasl2/sasl.h.
Ideally, configure would find which (if any :-)) of these is present and set
appropriate conditional compile flags to select the correct one in the code.
Unfortunately I don't know how to make configure do that.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


*** common/argus_auth.c.orig	Tue Aug 10 13:37:07 2004
--- common/argus_auth.c	Tue Aug 10 13:37:32 2004
***************
*** 79,85 ****
--- 79,89 ----
  
  #include <ctype.h>
  #include <assert.h>
+ #if defined(__FreeBSD__) 
+ #include "/usr/local/include/sasl1/sasl.h"     
+ #else
  #include <sasl.h>
+ #endif
  
  #endif /* ARGUS_SASL */
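Review bot: hard-coding the absolute path `/usr/local/include/sasl1/sasl.h` under `#if defined(__FreeBSD__)` ties the source to one ports layout: on a FreeBSD host with cyrus-sasl2 (whose header the cover note places at `/usr/local/include/sasl2/sasl.h`), or with SASL installed anywhere else, the build fails, and the OS macro says nothing about which SASL version is present. Leave `#include <sasl.h>` as it was and have configure probe for the header and add `-I/usr/local/include/sasl1` (or `sasl2`) to CPPFLAGS; the two added lines also carry trailing whitespace.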
  



On Thu, Aug 12, 2004 at 07:58:28PM -0400, Carter Bullard wrote:
> Hey Peter,
>    So we do need the patch below?
> Carter
> 
> 
> > From: Peter Van Epp <vanepp at sfu.ca>
> > Date: Wed, 11 Aug 2004 13:06:31 -0700
> > To: <argus-info at lists.andrew.cmu.edu>
> > Subject: [ARGUS] sasl a solution (ugly, but a solution :-))
> > 
> > After much head scratching and searching documentation and the sasl
> > mailing list I finally realized the problem is their shared secret and what
> > I want for shared secret (an ssh like host key) aren't the same. The reason
> > I haven't been able to figure out how to do shared secret without a user on
> > the far end is because sasl isn't intended to do that (at least I think that's
> > the case). The solution is to hack the argus code to hard code user id
> > argus (twice, once as the authenticating user and once as the effective
> > user, which is why there are two user prompts) and a hard coded password (all
> > of which should move to a root owned file somewhere rather than being
> > hard coded). With this change ra can connect via sasl without user interaction
> > which is what I need for unattended operation.
> > You then need to use saslpasswd on the argus server to set user name
> > argus and the password that you hard coded in place of passwd in the code
> > below into the sasl password db.
> > Now ra can connect to the server with no user interaction across the
> > secure link. If someone can read the password you probably have bigger
> > problems than them being able to access your argus server, so while insecure,
> > this is probably OK (and moreover it does what I need to do right now which is
> > establish a restartable link between 2 of my machines across an untrusted
> > network :-)).
> > 
> > Peter Van Epp / Operations and Technical Support
> > Simon Fraser University, Burnaby, B.C. Canada
> > 
> > *** common/argus_auth.c.orig Wed Aug 11 12:45:25 2004
> > --- common/argus_auth.c Wed Aug 11 12:46:11 2004
> > ***************
> > *** 80,86 ****
> > --- 80,90 ----
> >   
> >   #include <ctype.h>
> >   #include <assert.h>
> > + #if defined(__FreeBSD__)
> > + #include "/usr/local/include/sasl1/sasl.h"
> > + #else
> >   #include <sasl.h>
> > + #endif
> >   
> >   #endif /* ARGUS_SASL */
> >   
> > ***************
> > *** 294,301 ****
> >      switch (id) {
> >         case SASL_CB_USER:
> >            if (ustr == NULL) {
> > !             printf("please enter an authorization id: ");
> > !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
> >   
> >            } else {
> >               if ((ptr = strchr(ustr, '/')) != NULL)
> > --- 298,309 ----
> >      switch (id) {
> >         case SASL_CB_USER:
> >            if (ustr == NULL) {
> > ! /*            printf("please enter an authorization id: ");
> > !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
> > ! 
> > !  /* kludge in user id "argus" with a fixed password ... */
> > !      strcpy(RaSimpleBuf,"argus");
> > !      
> >   
> >            } else {
> >               if ((ptr = strchr(ustr, '/')) != NULL)
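Review bot: `strcpy(RaSimpleBuf,"argus");` compiles the SASL authorization id into ra, and the old prompt is left behind as commented-out code instead of being deleted. Read the id from configuration (the follow-up at the top of this thread says ra.conf already carries the password settings) and copy it with a bound, e.g. `snprintf(RaSimpleBuf, sizeof RaSimpleBuf, "%s", id);`, since a configured value, unlike this literal, is not guaranteed to fit the buffer.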
> > ***************
> > *** 317,324 ****
> >                  ptr++;
> >   
> >            if (ptr == NULL) {
> > !             printf("please enter an authentication id: ");
> > !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
> >            } else
> >               sprintf (RaSimpleBuf, "%s", ptr);
> >   
> > --- 325,334 ----
> >                  ptr++;
> >   
> >            if (ptr == NULL) {
> > ! /*            printf("please enter an authentication id: ");
> > !             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);    */
> > ! 
> > !      strcpy(RaSimpleBuf,"argus");
> >            } else
> >               sprintf (RaSimpleBuf, "%s", ptr);
> >   
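Review bot: this hunk copies the same literal `"argus"` for the authentication id that the previous hunk used for the authorization id; if the two are meant to match, derive both from a single configured value so they cannot drift, and again delete the prompt rather than commenting it out. The untouched `sprintf (RaSimpleBuf, "%s", ptr);` in the else branch has no length bound, so once the id can come from outside the binary it should become `snprintf` as well.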
> > ***************
> > *** 346,351 ****
> > --- 356,364 ----
> >   char *
> >   getpassphrase(const char *prompt)
> >   {
> > + 
> > +   /* set a password here to avoid the prompts ... */
> > +   return ("passwrd");
> >     return getpass(prompt);
> >   }
> >   #endif /* ! HAVE_GETPASSPHRASE */
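Review bot: `return ("passwrd");` makes the `return getpass(prompt);` below it unreachable; remove the dead line. The override also sits inside the `! HAVE_GETPASSPHRASE` fallback (see the closing `#endif`), so on a libc that provides getpassphrase() this function is never compiled and ra still prompts. The message tells the reader to set "the password that you hard coded in place of passwd", but the literal here is `passwrd`; align the text and the code. Reading the secret from a root-owned file with restricted permissions, as the message itself proposes, fixes both points and keeps the literal out of the binary.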
> > 
> 
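The root-owned file that the quoted message says the hard-coded id and password "should move to", as an added example in C that is not Argus code: it reads a hypothetical `user=`/`pass=` file for the SASL callbacks and rejects it unless it is a regular file, owned by root or the running user, and closed to group and other. The struct, function names, key format and `/tmp` paths are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#define RA_CRED_MAX 128
/* Hypothetical: the id for SASL_CB_USER/SASL_CB_AUTHNAME and the secret for
 * SASL_CB_PASS, read at startup instead of compiled in as string literals. */
struct ra_creds { char user[RA_CRED_MAX]; char pass[RA_CRED_MAX]; };
/* Parse "user=..." and "pass=..." lines; 0 on success, -1 if the file is absent,
 * not a regular file, group/world accessible, owned by neither root nor the
 * running user, or missing either key. */
int ra_load_creds(const char *path, struct ra_creds *out)
{
    struct stat st;
    char line[256];
    int have_user = 0, have_pass = 0;
    FILE *fp = fopen(path, "r");
    memset(out, 0, sizeof *out);
    if (fp == NULL) return -1;
    if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode) ||   /* check the inode we read */
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 ||
        (st.st_uid != 0 && st.st_uid != geteuid())) {
        fclose(fp);
        return -1;
    }
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';          /* drop the newline fgets keeps */
        if (strncmp(line, "user=", 5) == 0 && strlen(line + 5) < RA_CRED_MAX) {
            strcpy(out->user, line + 5); have_user = 1;
        } else if (strncmp(line, "pass=", 5) == 0 && strlen(line + 5) < RA_CRED_MAX) {
            strcpy(out->pass, line + 5); have_pass = 1;
        }
    }
    fclose(fp);
    return (have_user && have_pass) ? 0 : -1;
}
/* Demo helper: write a constructed credential file with the given mode, then
 * load it into demo_creds; returns ra_load_creds()'s result. */
struct ra_creds demo_creds;
int ra_creds_demo(const char *path, mode_t mode)
{
    const char body[] = "user=argus\npass=example-secret\n";   /* constructed sample */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0 || write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1) || close(fd) != 0)
        return -1;
    chmod(path, mode);                  /* open() applies umask; re-assert the mode */
    return ra_load_creds(path, &demo_creds);
}
```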