[ARGUS] sasl a solution (ugly, but a solution :-))

Peter Van Epp vanepp at sfu.ca
Thu Aug 12 22:19:48 EDT 2004


	No. While that will keep configure happy, when the compiler runs against
the code it will break because the include in the code is

#include <sasl.h>

which doesn't exist and will therefore error rather than 

#include "/usr/local/include/sasl1/sasl.h"

in the case where the build is from ports/security/cyrus-sasl. Configure could
create a symlink from wherever it found the include to /usr/include or put
it in an include directory on the compile line in the makefile, but something
more than just a configure change is needed I believe. Having configure do the
right thing without any prompting is of course the most desirable thing :-).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


On Thu, Aug 12, 2004 at 09:36:19PM -0400, Michael J. Slifcak wrote:
> Peter Van Epp wrote:
> >	No, we need the one before it (or better a configure change) to find
> >and select where ports have hidden sasl.h, but the password stuff is already
> >there in the ra.conf file. This diff against fixes.1 (or the noted configure
> >change) is needed to use sasl from the ports collection. The tar ball appears
> >to use /usr/local/include/sasl.h, ports cyrus-sasl uses
> >/usr/local/include/sasl1/sasl.h (this patch) and ports cyrus-sasl2 uses
> >/usr/local/include/sasl2/sasl.h.
> >Ideally, configure would find which (if any :-)) of these is present and set
> >appropriate conditional compile flags to select the correct one in the code.
> >Unfortunately I don't know how to make configure do that.
> 
> 
> I simply do not understand -- does this command not work using
> unchanged code ??
> 
>  ./configure --include-dir="/usr/local/include/sasl1" \
>     --with-sasl=/usr/local
> 
> If it does work, perhaps the change should be made to the
> documentation under "building on FreeBSD" and not the code.
> 
> -Mike Slifcak
> 
> 
> >
> >Peter Van Epp / Operations and Technical Support 
> >Simon Fraser University, Burnaby, B.C. Canada
> >
> >
> >*** common/argus_auth.c.orig	Tue Aug 10 13:37:07 2004
> >--- common/argus_auth.c	Tue Aug 10 13:37:32 2004
> >***************
> >*** 79,85 ****
> >--- 79,89 ----
> >  
> >  #include <ctype.h>
> >  #include <assert.h>
> >+ #if defined(__FreeBSD__) 
> >+ #include "/usr/local/include/sasl1/sasl.h"     
> >+ #else
> >  #include <sasl.h>
> >+ #endif
> >  
> >  #endif /* ARGUS_SASL */
> >  
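Review bot: The `#if defined(__FreeBSD__)` branch hard-codes the absolute path "/usr/local/include/sasl1/sasl.h", so every FreeBSD build now requires the ports cyrus-sasl layout. A FreeBSD host with sasl.h in /usr/local/include or /usr/local/include/sasl2 (the other two locations named in this thread) will fail to compile. Suggest keeping `#include <sasl.h>` unconditionally and having configure pass the directory as -I on the compile line, so the choice follows where the header was found rather than the operating system.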
> >
> >
> >
> >On Thu, Aug 12, 2004 at 07:58:28PM -0400, Carter Bullard wrote:
> >
> >>Hey Peter,
> >>  So we do need the patch below?
> >>Carter
> >>
> >>
> >>
> >>>From: Peter Van Epp <vanepp at sfu.ca>
> >>>Date: Wed, 11 Aug 2004 13:06:31 -0700
> >>>To: <argus-info at lists.andrew.cmu.edu>
> >>>Subject: [ARGUS] sasl a solution (ugly, but a solution :-))
> >>>
> >>>After much head scratching and searching documentation and the sasl
> >>>mailing list I finally realized the problem is their shared secret and what
> >>>I want for shared secret (an ssh like host key) aren't the same. The reason
> >>>I haven't been able to figure out how to do shared secret without a user on
> >>>the far end is because sasl isn't intended to do that (at least I think that's
> >>>the case). The solution is to hack the argus code to hard code user id
> >>>argus (twice, once as the authenticating user and once as the effective
> >>>user which is why there are two user prompts) and a hard coded password
> >>>(all of which should move to a root owned file somewhere rather than being
> >>>hard coded). With this change ra can connect via sasl without user interaction
> >>>which is what I need for unattended operation.
> >>>You then need to use saslpasswd on the argus server to set user name
> >>>argus and the password that you hard coded in place of passwd in the code
> >>>below into the sasl password db.
> >>>Now ra can connect to the server with no user interaction across the
> >>>secure link. If someone can read the password you probably have bigger
> >>>problems than them being able to access your argus server, so while insecure,
> >>>this is probably OK (and moreover it does what I need to do right now which is
> >>>establish a restartable link between 2 of my machines across an untrusted
> >>>network :-)).
> >>>
> >>>Peter Van Epp / Operations and Technical Support
> >>>Simon Fraser University, Burnaby, B.C. Canada
> >>>
> >>>*** common/argus_auth.c.orig Wed Aug 11 12:45:25 2004
> >>>--- common/argus_auth.c Wed Aug 11 12:46:11 2004
> >>>***************
> >>>*** 80,86 ****
> >>>--- 80,90 ----
> >>> 
> >>> #include <ctype.h>
> >>> #include <assert.h>
> >>>+ #if defined(__FreeBSD__)
> >>>+ #include "/usr/local/include/sasl1/sasl.h"
> >>>+ #else
> >>> #include <sasl.h>
> >>>+ #endif
> >>> 
> >>> #endif /* ARGUS_SASL */
> >>> 
> >>>***************
> >>>*** 294,301 ****
> >>>    switch (id) {
> >>>       case SASL_CB_USER:
> >>>          if (ustr == NULL) {
> >>>!             printf("please enter an authorization id: ");
> >>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
> >>> 
> >>>          } else {
> >>>             if ((ptr = strchr(ustr, '/')) != NULL)
> >>>--- 298,309 ----
> >>>    switch (id) {
> >>>       case SASL_CB_USER:
> >>>          if (ustr == NULL) {
> >>>! /*            printf("please enter an authorization id: ");
> >>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
> >>>! 
> >>>!  /* kludge in user id "argus" with a fixed password ... */
> >>>!      strcpy(RaSimpleBuf,"argus");
> >>>!      
> >>> 
> >>>          } else {
> >>>             if ((ptr = strchr(ustr, '/')) != NULL)
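Review bot: In the `SASL_CB_USER` case the replacement `strcpy(RaSimpleBuf,"argus");` removes the prompt for every caller that reaches `ustr == NULL`, so an interactive user can no longer supply an authorization id at all. Suggest taking the id from configuration and keeping the printf/fgets prompt as the fallback when none is set, rather than commenting it out. The added comment also mentions a fixed password, which is not set in this hunk; it belongs next to the getpassphrase() change.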
> >>>***************
> >>>*** 317,324 ****
> >>>                ptr++;
> >>> 
> >>>          if (ptr == NULL) {
> >>>!             printf("please enter an authentication id: ");
> >>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
> >>>          } else
> >>>             sprintf (RaSimpleBuf, "%s", ptr);
> >>> 
> >>>--- 325,334 ----
> >>>                ptr++;
> >>> 
> >>>          if (ptr == NULL) {
> >>>! /*            printf("please enter an authentication id: ");
> >>>!             fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);    */
> >>>! 
> >>>!      strcpy(RaSimpleBuf,"argus");
> >>>          } else
> >>>             sprintf (RaSimpleBuf, "%s", ptr);
> >>> 
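Review bot: The literal "argus" in the `ptr == NULL` branch is a second copy of the string already written in the SASL_CB_USER hunk, and both must stay in step with each other and with the name registered through saslpasswd. Suggest a single named constant or configuration value used in both places. This branch also has no comment explaining why the prompt is disabled, unlike the earlier one.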
> >>>***************
> >>>*** 346,351 ****
> >>>--- 356,364 ----
> >>> char *
> >>> getpassphrase(const char *prompt)
> >>> {
> >>>+ 
> >>>+   /* set a password here to avoid the prompts ... */
> >>>+   return ("passwrd");
> >>>   return getpass(prompt);
> >>> }
> >>> #endif /* ! HAVE_GETPASSPHRASE */
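Review bot: In getpassphrase() the added `return ("passwrd");` sits before `return getpass(prompt);`, which makes the getpass() call unreachable and gives every binary built from this source the same password, readable from the source file and from the strings in the compiled program. Suggest reading the value from a file only the owning account can read, as the message proposes, and falling through to `getpass(prompt)` when that file is absent so interactive use still works. Returning a string literal from a function declared `char *` also means a caller that clears or modifies the returned buffer would write to read-only storage.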
> >>>
> >>
> >
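The quoted message notes that the hard-coded user id and password "should move to a root owned file somewhere". One way to load such a secret while refusing files with the wrong owner or loose permissions is sketched below as an added example; it is not part of the original thread or of the argus code. The names `load_secret` and `demo`, the temporary path and the sample secret are hypothetical and constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not argus code: read a one-line secret from path.
 * Returns 0 on success, -1 cannot open, -2 not a regular file or wrong owner,
 * -3 accessible by group or others, -4 empty or too long for out. */
int load_secret(const char *path, uid_t owner, char *out, size_t outlen)
{
    struct stat st;
    ssize_t n = 0;
    int rc = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* refuse a symlinked path */
    if (fd < 0)
        return -1;
    /* fstat the open descriptor so the checks cover the file actually read */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner)
        rc = -2;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        rc = -3;
    else if (st.st_size >= (off_t)outlen || (n = read(fd, out, outlen - 1)) <= 0)
        rc = -4;
    else {
        out[n] = '\0';
        out[strcspn(out, "\r\n")] = '\0';        /* drop the trailing newline */
        if (out[0] == '\0')
            rc = -4;
    }
    close(fd);
    return rc;
}

/* Constructed sample: write a temp file with `mode`, then try to load it. */
int demo(mode_t mode, char *out, size_t outlen)
{
    char path[] = "/tmp/argus-secret-XXXXXX";
    const char *sample = "constructed-secret\n";
    int rc = -100, fd = mkstemp(path);
    if (fd < 0)
        return rc;
    if (write(fd, sample, strlen(sample)) > 0 && fchmod(fd, mode) == 0)
        rc = load_secret(path, geteuid(), out, outlen);  /* deployment: owner 0 */
    close(fd);
    unlink(path);
    return rc;
}
/* Exit status 0 only if the 0600 file loads and the 0644 file is refused. */
int main(void) { char b[64]; return demo(0600, b, sizeof b) || !demo(0644, b, sizeof b); }
```

The demo passes `geteuid()` as the expected owner so it runs unprivileged; for the root-owned file the message describes, the caller would pass 0.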


