argus + sasl: does this works?

Carter Bullard carter at qosient.com
Tue Nov 10 13:57:12 EST 2009 

Hey Peter,
Try this fix to your configure.in file.  This moves the call to CMU_SASL2(V_INCLS)
above the assignment of $LIBS=...... at line 241,242.  After making the change, you 
will need to run autoconf() to generate a new ./configure file.

   % modify ./configure.in however you like (patch, vi, emacs, whatever)
   % autoconf
   % ./configure --with-sasl=yes; make clean; make

----include patch----
==== //depot/argus/argus/configure.in#28 - /home/carter/argus/argus/configure.in ====
240a241,242
> CMU_SASL2(V_INCLS)
> 
312d313
< CMU_SASL2(V_INCLS)
----end patch----

That should help to get your argus compiled.  I believe that you said your clients
compile correctly?

With regard to ratop(), it is definitely broken.  My apologies,.  The sasl authentication
causes ratop() to present a "Username:" and "Passwd:" prompt, but curses has taken
over the screen, and so you don't see the prompts or dialog, and curses won't stuff
the input into the right place.

I think it happened when I was cleaning something up.  I'll fix that now/today.
A lot of sites use radium() with SASL to collect flows of interest, and use ratop() to
connect to the local radium() to see the flows they are interested in.  That tends to
minimize the number of client->server associations, so most don't use SASL with
programs like ratop().   Thanks for the bug report!!!!!!

I did find a bug in the SASL on Snow Leopard.  Seems that the PPS mech gives
a segmentation fault, or at least argus() dies in the PPS mech when calling sasl_decode().
The PPS mech seems to provide SASL access to existing accounts/passwords, so its
the primary one to use.  I'll have to investigate that when I get some time.

Sorry for any inconvenience,

Carter

On Nov 10, 2009, at 4:12 AM, Peter Volkov wrote:

> В Сбт, 07/11/2009 в 10:51 -0500, Carter Bullard пишет:
>> Because there is no "-lsasl2" in your gcc link statement,  I can with  
>> confidence know that your ./configure isn't working correctly.  If you add "- 
>> lsasl2" to COMPATLIB in your ./argus/Makefile (as a test) then all should work  
>> well?
> 
> Yes, it works.
> 
>> What does your config.log indicate about the tests for sasl?
> 
> They succeed:
> checking sasl/sasl.h usability... yes
> checking sasl/sasl.h presence... yes
> checking for sasl/sasl.h... yes
> checking sasl/saslutil.h usability... yes
> checking sasl/saslutil.h presence... yes
> checking for sasl/saslutil.h... yes
> 
> config.log in attachment.
> 
>> Do you have sasl2 installed or the older sasl?
> 
> I have dev-libs/cyrus-sasl-2.1.23-r1.
> 
>> We shouldn't have to modify the code itself to solve this problem.
> 
> Ok, then any suggestion? Reading code I don't see how this could work
> without suggested changes.
> 
> $=> grep COMPATLIB * -r
> argus/Makefile.in:COMPATLIB = @COMPATLIB@
> argus/Makefile.in:LIB = @LIBS@ $(WRAPLIBS) $(COMPATLIB) ../lib/argus_common.a -lm
> configure.in:      *) COMPATLIB="$COMPATLIB $V_THREADS"
> configure.in:   COMPATLIB="$COMPATLIB -lodm -lcfg"
> configure.in:   COMPATLIB="$COMPATLIB -lsocket -lnsl -lrt"
> configure.in:AC_SUBST(COMPATLIB)
> 
> No sign that -lsasl2 could be in COMPATLIB ^^
> 
>> Your ratop() isn't working probably because you don't have ncurses  
>> installed?
> 
> I have 5.6-r2 version installed:
> 
> checking ncurses.h usability... yes
> checking ncurses.h presence... yes
> checking for ncurses.h... yes
> checking for initscr in -lncurses... yes
> 
> And ratop works in case I rebuild both argus and argus-client without
> sasl.
> 
> With best regards,
> --
> Peter.
> 
>> On Nov 7, 2009, at 9:54 AM, Peter Volkov wrote:
>> 
>>> В Срд, 28/10/2009 в 10:22 -0400, Carter Bullard пишет:
>>>> Sasl support is turned on through ./configure, so we don't need (or  
>>>> at
>>>> least we shouldn't need)  the SASLLIB compile switch.  My configure  
>>>> finds
>>>> sasl2 and adds "-lsasl2" to @COMPATLIB@, and turns on "ARGUS_SASL=1".
>>> 
>>>> ./configure --with-sasl=yes
>>> 
>>> Yup, configure finds sasl, but later argus fails to build with:
>>> 
>>> gcc -O3 -I.  -I./../include  -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME= 
>>> \"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" - 
>>> DPACKAGE_BUGREPORT=\"\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 - 
>>> DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 - 
>>> DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 - 
>>> DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STRING_H=1 - 
>>> DHAVE_FCNTL_H=1 -DHAVE_SYS_FILE_H=1 -DHAVE_SYSLOG_H=1 - 
>>> DHAVE_SYS_VFS_H=1 -DHAVE_VFPRINTF=1 -DHAVE_STRCASECMP=1 - 
>>> DHAVE_STRDUP=1 -DHAVE_STRFTIME=1 -DHAVE_SETLINEBUF=1 -DHAVE_ALARM=1 - 
>>> DHAVE_STRERROR=1 -DHAVE_STRTOF=1 -DHAVE_SYS_BITYPES_H=1 - 
>>> DHAVE_INTTYPES_H=1 -DHAVE_VSNPRINTF=1 -DHAVE_SNPRINTF=1 - 
>>> DHAVE_GETADDRINFO=1 -DHAVE_ETHER_HOSTTON=1 -DHAVE_NETINET_ETHER_H=1 - 
>>> DNETINET_ETHER_H_DECLARES_ETHER_HOSTTON=/\*\*/ - 
>>> DHAVE_DECL_ETHER_HOSTTON=1 -DHAVE_PCAP_LIST_DATALINKS=1 - 
>>> DHAVE_PCAP_SET_DATALINK=1 -DHAVE_PCAP_DATALINK_NAME_TO_VAL=1 - 
>>> DHAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION=1 - 
>>> DHAVE_PCAP_GET_SELECTABLE_FD=1 -DHAVE_PCAP_NEXT_EX=1 - 
>>> DHAVE_PCAP_DUMP_FTELL=1 -DHAVE_TCP_WRAPPER=1 -DARGUS_SASL=1 - 
>>> DSTDC_HEADERS=1 -DARGUS_SYSLOG=1 -o ../bin/argus argus.o  
>>> ArgusModeler.o ArgusSource.o ArgusUtil.o ArgusOutput.o ArgusUdp.o  
>>> ArgusTcp.o ArgusIcmp.o ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o  
>>> ArgusAuth.o ArgusApp.o  -lpcap -lwrap -lnsl  ../lib/argus_common.a -lm
>>> ArgusUtil.o: In function `ArgusWriteOutSocket':
>>> ArgusUtil.c:(.text+0x23c5): undefined reference to `sasl_encode'
>>> [snipped other undefined references]
>>> 
>>> so patch I've sent is required to make argus build here.
>>> 
>>> 
>>>> Try the "./configure --with-sasl=yes" on both argus and the clients,
>>>> and see if that doesn't make it?
>>> 
>>> Of course I've both client and server are built with sasl support.
>>> 
>>>> Be sure and run with the ra() clients with "-D2", which should show
>>>> all the sasl debug messages.
>>> 
>>> Thank you for this tip. It helped a lot.
>>> 
>>>> Possibly you don't have an appropriate MECH?
>>> 
>>> Yup. looks like that. I've managed to get argus working with auxprop
>>> plugin (had to rebuild cyrus-sasl with some database support and  
>>> create
>>> login/password database.
>>> 
>>> But still I failed to manage to configure argus to work with  
>>> saslauthd.
>>> For some reason /etc/sasl2/argus.conf configuration file is ignored.
>>> Here is it's contents:
>>> 
>>> tablet bin # cat /etc/sasl2/argus.conf
>>> pwcheck_method: saslauthd
>>> saslauthd_path: /var/lib/sasl2/mux
>>> log_level: 5
>>> 
>>> I've checked twice that on my system sasl2 App.conf should be
>>> in /etc/sasl2, `strace -eopen argus` shows:
>>> 
>>> open("/etc/sasl2/argus.conf", O_RDONLY) = 5
>>> 
>>> so yes this file is opened, but for unknown reason argus still tries  
>>> to
>>> use auxprop plugin. Although this is a problem we can live with it.
>>> 
>>> But the next failure I have: ratop does not connects without -M  
>>> nocurses. If I ran:
>>> 
>>> ratop -D2 -S 127.0.0.1:509
>>> 
>>> I see 'Username:' request, but I'm unable to enter neither username  
>>> nor
>>> password. Are there any tricks around this problem?
>>> 
>>> 
>>> And last, please, apply patch in attachment to avoid garbage in
>>> debugging output.
>>> 
>>> -- 
>>> Peter.
>>> 
>>> <argus-ArgusOutput.c.patch>
>> 
> 
> 
> -- 
> Peter.
> <config.log.gz>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20091110/28f23831/attachment.bin>

More information about the argus mailing list