SASL with argus

Carter Bullard carter at qosient.com
Tue Jul 16 17:31:48 EDT 2013


What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
Possibly, if you set those to something other than zero, you may
be able to negotiate a mech.

Carter



On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> As a followup, I changed my argus.conf to look like:
> 
> pwcheck_method: auxprop
> mech_list: DIGEST-MD5
> auxprop_plugin: sasldb
> 
> and tried the sample client/server programs like this:
> 
> # sasl2-sample-server -s argus -m digest-md5
> $ sasl2-sample-client -s argus -m digest-md5 localhost
> 
> ...provide the authentication/authorization id as before, then the password, and receive a successful authentication.
> 
> However, I get the same error with ra client programs when attempting to connect... What am I missing here?
> 
> Cheers,
> 
> Jesse
> 
> 
> 
> 
> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
> Hi all,
> 
> I'm a SASL noob, and having a hard time getting it configured to work with argus. I've tried setting it up and am getting the following error message:
> 
> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) receiving capability list... 
> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3, 0x99773830, 8184) {}
> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) calling sasl_client_start()
> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3, 0x0, 0) (null)
> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
> 
> 
> I have the following setup bits, and may of course be missing something simple here:
> 
> /etc/argus.conf:
> 
> ARGUS_MIN_SSF=40
> ARGUS_MAX_SSF=128
> 
> /etc/ra.conf
> 
> RA_USER_AUTH="raclient/raclient"
> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
> 
> /etc/sasl2/argus.conf:
> 
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5 
> 
> # sasldblistusers2: 
> raclient at host.realm.tld: userPassword
> 
> Pluginviewer output:
> 
> Installed SASL (server side) mechanisms are:
> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
> List of server plugins follows
> Plugin "crammd5" [loaded],      API version: 4
>         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>         features: SERVER_FIRST
> Plugin "digestmd5" [loaded],    API version: 4
>         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>         features: PROXY_AUTHENTICATION
> Plugin "plain" [loaded],        API version: 4
>         SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>         security flags: NO_ANONYMOUS
>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded],    API version: 4
>         SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>         security flags: NO_PLAINTEXT
>         features: WANT_CLIENT_FIRST
> Plugin "login" [loaded],        API version: 4
>         SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>         security flags: NO_ANONYMOUS
>         features:
> Installed auxprop mechanisms are:
> sasldb
> List of auxprop plugins follows
> Plugin "sasldb" ,       API version: 4
>         supports store: yes
> 
> Installed SASL (client side) mechanisms are:
> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
> List of client plugins follows
> Plugin "crammd5" [loaded],      API version: 4
>         SASL mechanism: CRAM-MD5, best SSF: 0
>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>         features: SERVER_FIRST
> Plugin "digestmd5" [loaded],    API version: 4
>         SASL mechanism: DIGEST-MD5, best SSF: 128
>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>         features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
> Plugin "plain" [loaded],        API version: 4
>         SASL mechanism: PLAIN, best SSF: 0
>         security flags: NO_ANONYMOUS
>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded],    API version: 4
>         SASL mechanism: ANONYMOUS, best SSF: 0
>         security flags: NO_PLAINTEXT
>         features: WANT_CLIENT_FIRST
> Plugin "login" [loaded],        API version: 4
>         SASL mechanism: LOGIN, best SSF: 0
>         security flags: NO_ANONYMOUS
>         features: SERVER_FIRST
> Plugin "EXTERNAL" [loaded],     API version: 4
>         SASL mechanism: EXTERNAL, best SSF: 0
>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> 
> Anyone set this up successfully for digest-md5?
> 
> Thanks,
> 
> Jesse
> 
> -- 
> Jesse Bowling
> 
> 
> 
> 
> -- 
> Jesse Bowling
> 
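
Added example (not part of the thread, and not Argus or Cyrus SASL code): a simplified Python model of how a SASL mechanism list is narrowed by `mech_list` and a minimum SSF, run over plugin lines copied from the pluginviewer output quoted above. It assumes ARGUS_MIN_SSF is handed to SASL as the minimum SSF and that `mech_list` entries must match mechanism names exactly (case-insensitively); `parse_plugins` and `worthy_mechs` are hypothetical helper names.

```python
import re

# Server-side plugin lines copied from the pluginviewer output quoted in the thread.
PLUGINVIEWER = """\
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
"""

MECH_RE = re.compile(r"SASL mechanism: (\S+), best SSF: (\d+)")
FLAGS_RE = re.compile(r"security flags: (\S*)")


def parse_plugins(text):
    """Return {mechanism: (best_ssf, set_of_security_flags)}."""
    plugins, current = {}, None
    for line in text.splitlines():
        m = MECH_RE.search(line)
        if m:
            current = m.group(1)
            plugins[current] = (int(m.group(2)), set())
            continue
        f = FLAGS_RE.search(line)
        if f and current:
            flags = {x for x in f.group(1).split("|") if x}
            plugins[current] = (plugins[current][0], flags)
    return plugins


def worthy_mechs(plugins, mech_list, min_ssf, required_flags=frozenset()):
    """Simplified model: keep mechs named in mech_list (case-insensitive, exact
    name), whose best SSF meets min_ssf and whose flags cover required_flags."""
    allowed = {name.upper() for name in mech_list.split()}
    return sorted(
        mech for mech, (ssf, flags) in plugins.items()
        if mech.upper() in allowed and ssf >= min_ssf and required_flags <= flags
    )
```

Under this model, the first `mech_list` from the thread combined with a minimum SSF of 40 leaves no mechanism, while `mech_list: DIGEST-MD5` leaves DIGEST-MD5.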
