[ARGUS] sasl a solution (ugly, but a solution :-))

Michael J. Slifcak slif at bellsouth.net
Thu Aug 12 21:36:19 EDT 2004


Peter Van Epp wrote:
> 	No, we need the one before it (or better a configure change) to find
> and select where ports have hidden sasl.h, but the password stuff is already
> there in the ra.conf file. This diff against fixes.1 (or the noted configure
> change) is needed to use sasl from the ports collection. The tar ball appears
> to use /usr/local/include/sasl.h, ports cyrus-sasl uses /usr/local/include/sasl1/sasl.h (this patch) and ports cyrus-sasl2 uses /usr/local/include/sasl2/sasl.h.
> Ideally, configure would find which (if any :-)) of these is present and set
> appropriate conditional compile flags to select the correct one in the code.
> Unfortunately I don't know how to make configure do that.


I simply do not understand -- does this command not work using
unchanged code ??

  ./configure --include-dir="/usr/local/include/sasl1" \
     --with-sasl=/usr/local

If it does work, perhaps the change should be made to the
documentation under "building on FreeBSD" and not the code.

-Mike Slifcak


> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 
> *** common/argus_auth.c.orig	Tue Aug 10 13:37:07 2004
> --- common/argus_auth.c	Tue Aug 10 13:37:32 2004
> ***************
> *** 79,85 ****
> --- 79,89 ----
>   
>   #include <ctype.h>
>   #include <assert.h>
> + #if defined(__FreeBSD__) 
> + #include "/usr/local/include/sasl1/sasl.h"     
> + #else
>   #include <sasl.h>
> + #endif
>   
>   #endif /* ARGUS_SASL */
>   
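Review bot: the added #include "/usr/local/include/sasl1/sasl.h" under __FreeBSD__ hard-codes one absolute header location, so a FreeBSD build whose sasl.h lives anywhere else (the message above names /usr/local/include/sasl.h and /usr/local/include/sasl2/sasl.h) stops compiling. Keep the single #include <sasl.h> and supply the directory from the build (an include path passed by configure or the compiler flags) instead of selecting it on the operating system macro.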
> 
> 
> 
> On Thu, Aug 12, 2004 at 07:58:28PM -0400, Carter Bullard wrote:
> 
>>Hey Peter,
>>   So we do need the patch below?
>>Carter
>>
>>
>>
>>>From: Peter Van Epp <vanepp at sfu.ca>
>>>Date: Wed, 11 Aug 2004 13:06:31 -0700
>>>To: <argus-info at lists.andrew.cmu.edu>
>>>Subject: [ARGUS] sasl a solution (ugly, but a solution :-))
>>>
>>>After much head scratching and searching documentation and the sasl
>>>mailing list I finally realized the problem is their shared secret and what
>>>I want for shared secret (an ssh like host key) aren't the same. The reason
>>>I haven't been able to figure out how to do shared secret without a user on
>>>the far end is because sasl isn't intended to do that (at least I think that's
>>>the case). The solution is to hack the argus code to hard code user id
>>>argus (twice, once as the authenticating user and once as the effective
>>>user which is why there are two user prompts) and a hard coded password (all
>>>of which should move to a root owned file somewhere rather than being
>>>hard coded). With this change ra can connect via sasl without user interaction
>>>which is what I need for unattended operation.
>>>You then need to use saslpasswd on the argus server to set user name
>>>argus and the password that you hard coded in place of passwd in the code
>>>below into the sasl password db.
>>>Now ra can connect to the server with no user interaction across the
>>>secure link. If someone can read the password you probably have bigger
>>>problems than them being able to access your argus server, so while insecure, this is
>>>probably OK (and moreover it does what I need to do right now which is
>>>establish a restartable link between 2 of my machines across an untrusted
>>>network :-)).
>>>
>>>Peter Van Epp / Operations and Technical Support
>>>Simon Fraser University, Burnaby, B.C. Canada
>>>
>>>*** common/argus_auth.c.orig Wed Aug 11 12:45:25 2004
>>>--- common/argus_auth.c Wed Aug 11 12:46:11 2004
>>>***************
>>>*** 80,86 ****
>>>--- 80,90 ----
>>>  
>>>  #include <ctype.h>
>>>  #include <assert.h>
>>>+ #if defined(__FreeBSD__)
>>>+ #include "/usr/local/include/sasl1/sasl.h"
>>>+ #else
>>>  #include <sasl.h>
>>>+ #endif
>>>  
>>>  #endif /* ARGUS_SASL */
>>>  
>>>***************
>>>*** 294,301 ****
>>>     switch (id) {
>>>        case SASL_CB_USER:
>>>           if (ustr == NULL) {
>>>!             printf("please enter an authorization id: ");
>>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
>>>  
>>>           } else {
>>>              if ((ptr = strchr(ustr, '/')) != NULL)
>>>--- 298,309 ----
>>>     switch (id) {
>>>        case SASL_CB_USER:
>>>           if (ustr == NULL) {
>>>! /*            printf("please enter an authorization id: ");
>>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
>>>! 
>>>!  /* kludge in user id "argus" with a fixed password ... */
>>>!      strcpy(RaSimpleBuf,"argus");
>>>!      
>>>  
>>>           } else {
>>>              if ((ptr = strchr(ustr, '/')) != NULL)
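Review bot: in the ustr == NULL branch of SASL_CB_USER the prompt is commented out and replaced with strcpy(RaSimpleBuf,"argus"), so the authorization id can no longer be chosen at run time and the dead prompt code stays in the file. Take the id from a configuration value or option, keep the prompt as the fallback when none is set, and delete the old lines rather than commenting them out.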
>>>***************
>>>*** 317,324 ****
>>>                 ptr++;
>>>  
>>>           if (ptr == NULL) {
>>>!             printf("please enter an authentication id: ");
>>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
>>>           } else
>>>              sprintf (RaSimpleBuf, "%s", ptr);
>>>  
>>>--- 325,334 ----
>>>                 ptr++;
>>>  
>>>           if (ptr == NULL) {
>>>! /*            printf("please enter an authentication id: ");
>>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);    */
>>>! 
>>>!      strcpy(RaSimpleBuf,"argus");
>>>           } else
>>>              sprintf (RaSimpleBuf, "%s", ptr);
>>>  
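Review bot: the ptr == NULL branch repeats the literal "argus" already introduced in the SASL_CB_USER change, so the authentication id and the authorization id now depend on two separate string constants that can drift apart. Define the default once (a single macro or configuration value) and use it in both places; the new strcpy line is also indented differently from the block around it.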
>>>***************
>>>*** 346,351 ****
>>>--- 356,364 ----
>>>  char *
>>>  getpassphrase(const char *prompt)
>>>  {
>>>+ 
>>>+   /* set a password here to avoid the prompts ... */
>>>+   return ("passwrd");
>>>    return getpass(prompt);
>>>  }
>>>  #endif /* ! HAVE_GETPASSPHRASE */
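Review bot: the added return ("passwrd"); sits directly above return getpass(prompt); in getpassphrase(), which leaves the getpass() call unreachable and compiles the cleartext password into the binary. Read the secret from a file restricted to its owner and fall back to getpass(prompt) when that file is absent, instead of returning a literal.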
>>>
>>
> 



