[ARGUS] sasl a solution (ugly, but a solution :-))
Carter Bullard
carter at qosient.com
Fri Aug 13 10:43:38 EDT 2004
So, even official cyrus sasl clients, like imap or sendmail don't
have a "find sasl.h" m4 macro, so, ...., it will take a bit of
crafting to fix this one in configure.in and aclocal.m4. I'll
add the patch below for now.
Carter
> From: Peter Van Epp <vanepp at sfu.ca>
> Date: Thu, 12 Aug 2004 19:19:48 -0700
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] sasl a solution (ugly, but a solution :-))
>
> No. While that will keep configure happy, when the compiler runs against
> the code it will break because the include in the code is
>
> #include <sasl.h>
>
> which doesn't exist and will therefore error rather than
>
> #include "/usr/local/include/sasl1/sasl.h"
>
> in the case where the build is from ports/security/cyrus-sasl. Configure could
> create a symlink from wherever it found the include to /usr/include or put
> it in an include directory on the compile line in the makefile, but something
> more than just a configure change is needed I believe. Having configure do the
> right thing without any prompting is of course the most desirable thing :-).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>
> On Thu, Aug 12, 2004 at 09:36:19PM -0400, Michael J. Slifcak wrote:
>> Peter Van Epp wrote:
>>> No, we need the one before it (or better a configure change) to find
>>> and select where ports have hidden sasl.h, but the password stuff is
>>> already
>>> there in the ra.conf file. This diff against fixes.1 (or the noted configure
>>> change) is needed to use sasl from the ports collection. The tar ball
>>> appears
>>> to use /usr/local/include/sasl.h, ports cyrus-sasl uses
>>> /usr/local/include/sasl1/sasl.h (this patch) and ports cyrus-sasl2 uses
>>> /usr/local/include/sasl2/sasl.h.
>>> Ideally, configure would find which (if any :-)) of these is present and
>>> set
>>> appropriate conditional compile flags to select the correct one in the
>>> code.
>>> Unfortunately I don't know how to make configure do that.
>>
>>
>> I simply do not understand -- does this command not work using
>> unchanged code ??
>>
>> ./configure --include-dir="/usr/local/include/sasl1" \
>> --with-sasl=/usr/local
>>
>> If it does work, perhaps the change should be made to the
>> documentation under "building on FreeBSD" and not the code.
>>
>> -Mike Slifcak
>>
>>
>>>
>>> Peter Van Epp / Operations and Technical Support
>>> Simon Fraser University, Burnaby, B.C. Canada
>>>
>>>
>>> *** common/argus_auth.c.orig Tue Aug 10 13:37:07 2004
>>> --- common/argus_auth.c Tue Aug 10 13:37:32 2004
>>> ***************
>>> *** 79,85 ****
>>> --- 79,89 ----
>>>
>>> #include <ctype.h>
>>> #include <assert.h>
>>> + #if defined(__FreeBSD__)
>>> + #include "/usr/local/include/sasl1/sasl.h"
>>> + #else
>>> #include <sasl.h>
>>> + #endif
>>>
>>> #endif /* ARGUS_SASL */
>>>
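Review bot: The absolute include path under `#if defined(__FreeBSD__)` pins every FreeBSD build to the ports cyrus-sasl layout, so a FreeBSD host that has sasl.h from the tarball (/usr/local/include/sasl.h) or from cyrus-sasl2 (/usr/local/include/sasl2/sasl.h) will no longer compile. Keep the single `#include <sasl.h>` and have the build add the directory that was found to the compiler's include path (-I/usr/local/include/sasl1), so the source stays independent of where a given system installs the header.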
>>>
>>>
>>>
>>> On Thu, Aug 12, 2004 at 07:58:28PM -0400, Carter Bullard wrote:
>>>
>>>> Hey Peter,
>>>> So we do need the patch below?
>>>> Carter
>>>>
>>>>
>>>>
>>>>> From: Peter Van Epp <vanepp at sfu.ca>
>>>>> Date: Wed, 11 Aug 2004 13:06:31 -0700
>>>>> To: <argus-info at lists.andrew.cmu.edu>
>>>>> Subject: [ARGUS] sasl a solution (ugly, but a solution :-))
>>>>>
>>>>> After much head scratching and searching documentation and the sasl
>>>>> mailing list I finally realized the problem is their shared secret and
>>>>> what
>>>>> I want for shared secret (an ssh like host key) aren't the same. The
>>>>> reason
>>>>> I haven't been able to figure out how to do shared secret without a user
>>>>> on
>>>>> the far end is because sasl isn't intended to do that (at least I think
>>>>> that's
>>>>> the case). The solution is to hack the argus code to hard code user id
>>>>> argus (twice, once as the authenticating user and once as the effective
>>>>> user which is why there are two user prompts) and a hard coded password
>>>>> (all
>>>>> of which should move to a root owned file somewhere rather than being
>>>>> hard coded). With this change ra can connect via sasl without user
>>>>> interaction
>>>>> which is what I need for unattended operation.
>>>>> You then need to use saslpasswd on the argus server to set user name
>>>>> argus and the password that you hard coded in place of passwd in the code
>>>>> below in to the sasl password db.
>>>>> Now ra can connect to the server with no user interaction across the
>>>>> secure link. If someone can read the password you probably have bigger
>>>>> problems
>>>>> than them being able to access your argus server, so while insecure,
>>>>> this is
>>>>> probably OK (and moreover it does what I need to do right now which is
>>>>> establish a restartable link between 2 of my machines across an untrusted
>>>>> network :-)).
>>>>>
>>>>> Peter Van Epp / Operations and Technical Support
>>>>> Simon Fraser University, Burnaby, B.C. Canada
>>>>>
>>>>> *** common/argus_auth.c.orig Wed Aug 11 12:45:25 2004
>>>>> --- common/argus_auth.c Wed Aug 11 12:46:11 2004
>>>>> ***************
>>>>> *** 80,86 ****
>>>>> --- 80,90 ----
>>>>>
>>>>> #include <ctype.h>
>>>>> #include <assert.h>
>>>>> + #if defined(__FreeBSD__)
>>>>> + #include "/usr/local/include/sasl1/sasl.h"
>>>>> + #else
>>>>> #include <sasl.h>
>>>>> + #endif
>>>>>
>>>>> #endif /* ARGUS_SASL */
>>>>>
>>>>> ***************
>>>>> *** 294,301 ****
>>>>> switch (id) {
>>>>> case SASL_CB_USER:
>>>>> if (ustr == NULL) {
>>>>> ! printf("please enter an authorization id: ");
>>>>> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
>>>>>
>>>>> } else {
>>>>> if ((ptr = strchr(ustr, '/')) != NULL)
>>>>> --- 298,309 ----
>>>>> switch (id) {
>>>>> case SASL_CB_USER:
>>>>> if (ustr == NULL) {
>>>>> ! /* printf("please enter an authorization id: ");
>>>>> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
>>>>> !
>>>>> ! /* kludge in user id "argus" with a fixed password ... */
>>>>> ! strcpy(RaSimpleBuf,"argus");
>>>>> !
>>>>>
>>>>> } else {
>>>>> if ((ptr = strchr(ustr, '/')) != NULL)
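Review bot: In the `ustr == NULL` branch of `case SASL_CB_USER`, replacing the prompt with strcpy(RaSimpleBuf,"argus") removes the interactive path for everyone, not only for unattended runs; any client started without a user string now always presents the authorization id argus. Take the id from configuration and fall back to the existing prompt when none is set, and delete the commented-out printf/fgets rather than leaving it in place.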
>>>>> ***************
>>>>> *** 317,324 ****
>>>>> ptr++;
>>>>>
>>>>> if (ptr == NULL) {
>>>>> ! printf("please enter an authentication id: ");
>>>>> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
>>>>> } else
>>>>> sprintf (RaSimpleBuf, "%s", ptr);
>>>>>
>>>>> --- 325,334 ----
>>>>> ptr++;
>>>>>
>>>>> if (ptr == NULL) {
>>>>> ! /* printf("please enter an authentication id: ");
>>>>> ! fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); */
>>>>> !
>>>>> ! strcpy(RaSimpleBuf,"argus");
>>>>> } else
>>>>> sprintf (RaSimpleBuf, "%s", ptr);
>>>>>
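Review bot: The literal "argus" in the `ptr == NULL` branch duplicates the one added for the authorization id, so the two can drift apart; define it once (or read it from configuration) and keep the prompt as the fallback. While this code is being touched, the unchanged `sprintf (RaSimpleBuf, "%s", ptr);` in the else branch copies ptr with no length limit; snprintf(RaSimpleBuf, sizeof RaSimpleBuf, "%s", ptr) bounds it.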
>>>>> ***************
>>>>> *** 346,351 ****
>>>>> --- 356,364 ----
>>>>> char *
>>>>> getpassphrase(const char *prompt)
>>>>> {
>>>>> +
>>>>> + /* set a password here to avoid the prompts ... */
>>>>> + return ("passwrd");
>>>>> return getpass(prompt);
>>>>> }
>>>>> #endif /* ! HAVE_GETPASSPHRASE */
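Review bot: `return ("passwrd");` placed ahead of `return getpass(prompt);` makes the getpass call unreachable and compiles the shared secret into every ra binary and into the source tree, where anyone with read access to either can recover it. Read the secret at run time from a file only root can read and fall back to getpass(prompt) when it is absent. This function also sits inside `#endif /* ! HAVE_GETPASSPHRASE */`, so on a platform that provides its own getpassphrase the change is not compiled and the prompt remains.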
>>>>>
>>>>
>>>
>
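Added example, not part of the original thread or of the argus code: the first message in the thread says the hard-coded user and password should move to a root-owned file, and this shows one way a client could load such a secret while refusing any file that is not owner-only. The function name load_secret, its error codes and the default path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { SECRET_OK = 0, SECRET_EOPEN = -1, SECRET_EPERM = -2, SECRET_EREAD = -3 };

/* Read the first line of `path` into buf. The file must be a regular file
 * owned by `owner` with no group/other permission bits set. */
int load_secret(const char *path, uid_t owner, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t n;
    int fd;
    if (buflen < 2)
        return SECRET_EREAD;
    /* O_NOFOLLOW: refuse a symlink as the final path component. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return SECRET_EOPEN;
    /* fstat() the descriptor, not the path, so the ownership and mode
     * checks apply to the same file that is read afterwards. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return SECRET_EPERM;
    }
    n = read(fd, buf, buflen - 1);
    close(fd);
    if (n <= 0)
        return SECRET_EREAD;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* keep the first line only */
    return buf[0] != '\0' ? SECRET_OK : SECRET_EREAD;
}

int main(int argc, char **argv)
{
    char secret[128];
    /* Hypothetical default path; uid 0 (root) must own the file. */
    const char *path = argc > 1 ? argv[1] : "/usr/local/etc/argus.secret";
    int rc = load_secret(path, 0, secret, sizeof secret);
    printf("load_secret(%s) = %d\n", path, rc);
    return rc == SECRET_OK ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A getpassphrase replacement could call this first and fall back to getpass(prompt) only when it returns SECRET_EOPEN, so interactive use keeps working where no secret file is installed.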