SASL with argus

Jesse Bowling jessebowling at gmail.com
Tue Jul 16 22:10:09 EDT 2013


Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40 and
RA_MAX_SSF=128

/usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10

<snip>
ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7,
0xc35af0) receiving capability list...
ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7, 0xfffbc270,
8184) {}
ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7,
0xc35af0) calling sasl_client_start()
ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0)
(null)
ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL negotiation
SASL(-4): no mechanism available: No worthy mechs found
ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
</snip>

/etc/sasl2/argus.conf:
pwcheck_method: auxprop
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
auxprop_plugin: sasldb

Cheers,

Jesse



On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com> wrote:

> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
> Possible if you set those to something other than zero, and you may
> be able to negotiate a mech.
>
> Carter
>
>
>
> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
> As a followup, I changed my argus.conf to look like:
>
> pwcheck_method: auxprop
> mech_list: DIGEST-MD5
> auxprop_plugin: sasldb
>
> and tried the sample client/server programs like this:
>
> # sasl2-sample-server -s argus -m digest-md5
> $ sasl2-sample-client -s argus -m digest-md5 localhost
>
> ...provide the authentication/authorization id as before, then the
> password, and receive a successful authentication.
>
> However I get the same error with ra client programs when attempting to
> connect...What am I missing here?
>
> Cheers,
>
> Jesse
>
>
>
>
> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
>> Hi all,
>>
>> I'm a SASL noob, and having a hard time getting it configured to work
>> with argus. I've tried setting it up and am getting the following error
>> message:
>>
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3,
>> 0x3, 0x27c6d90) receiving capability list...
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3,
>> 0x99773830, 8184) {}
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3,
>> 0x3, 0x27c6d90) calling sasl_client_start()
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3, 0x0,
>> 0) (null)
>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL
>> negotiation SASL(-4): no mechanism available: No worthy mechs found
>>
>>
>> I have the following setup bits, and may of course be missing something
>> simple here:
>>
>> /etc/argus.conf:
>>
>> ARGUS_MIN_SSF=40
>> ARGUS_MAX_SSF=128
>>
>> /etc/ra.conf
>>
>> RA_USER_AUTH="raclient/raclient"
>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>>
>> /etc/sasl2/argus.conf:
>>
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5
>>
>> # sasldblistusers2:
>> raclient at host.realm.tld: userPassword
>>
>> Pluginviewer output:
>>
>> Installed SASL (server side) mechanisms are:
>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>> List of server plugins follows
>> Plugin "crammd5" [loaded],      API version: 4
>>         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>         features: SERVER_FIRST
>> Plugin "digestmd5" [loaded],    API version: 4
>>         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>         features: PROXY_AUTHENTICATION
>> Plugin "plain" [loaded],        API version: 4
>>         SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>         security flags: NO_ANONYMOUS
>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>> Plugin "anonymous" [loaded],    API version: 4
>>         SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>         security flags: NO_PLAINTEXT
>>         features: WANT_CLIENT_FIRST
>> Plugin "login" [loaded],        API version: 4
>>         SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>         security flags: NO_ANONYMOUS
>>         features:
>> Installed auxprop mechanisms are:
>> sasldb
>> List of auxprop plugins follows
>> Plugin "sasldb" ,       API version: 4
>>         supports store: yes
>>
>> Installed SASL (client side) mechanisms are:
>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>> List of client plugins follows
>> Plugin "crammd5" [loaded],      API version: 4
>>         SASL mechanism: CRAM-MD5, best SSF: 0
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>         features: SERVER_FIRST
>> Plugin "digestmd5" [loaded],    API version: 4
>>         SASL mechanism: DIGEST-MD5, best SSF: 128
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>         features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>> Plugin "plain" [loaded],        API version: 4
>>         SASL mechanism: PLAIN, best SSF: 0
>>         security flags: NO_ANONYMOUS
>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>> Plugin "anonymous" [loaded],    API version: 4
>>         SASL mechanism: ANONYMOUS, best SSF: 0
>>         security flags: NO_PLAINTEXT
>>         features: WANT_CLIENT_FIRST
>> Plugin "login" [loaded],        API version: 4
>>         SASL mechanism: LOGIN, best SSF: 0
>>         security flags: NO_ANONYMOUS
>>         features: SERVER_FIRST
>> Plugin "EXTERNAL" [loaded],     API version: 4
>>         SASL mechanism: EXTERNAL, best SSF: 0
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>
>> Anyone set this up successfully for digest-md5?
>>
>> Thanks,
>>
>> Jesse
>>
>> --
>> Jesse Bowling
>>
>>
>
>
> --
> Jesse Bowling
>
>
>


-- 
Jesse Bowling
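
Added example, not part of the original thread and not argus or Cyrus SASL code: a simplified model of how a SASL client filters the server's advertised mechanism list against its own plugins and a minimum SSF, using the client-side pluginviewer values quoted in the thread. The function names, the required-flags parameter and the advertised lists passed in are assumptions made for illustration.

```python
import re

# Client-side plugin entries as quoted from pluginviewer in the thread.
PLUGINVIEWER_CLIENT = """\
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS
"""

def parse_plugins(text):
    """Return {mechanism: (best_ssf, set_of_security_flags)}."""
    pat = re.compile(
        r"SASL mechanism: (\S+), best SSF: (\d+).*?\n\s*security flags: (\S*)")
    return {mech: (int(ssf), set(filter(None, flags.split("|"))))
            for mech, ssf, flags in pat.findall(text)}

def worthy_mechs(plugins, advertised, min_ssf, required_flags=frozenset()):
    """Mechanisms the client could start, strongest first (simplified model).

    A mechanism survives only if the server advertised that exact name, a
    client plugin provides it, its best SSF reaches min_ssf, and it offers
    every required security flag. An empty result corresponds to the
    "no mechanism available" outcome.
    """
    keep = []
    for name in advertised.upper().split():
        if name not in plugins:
            continue  # advertised, but no client plugin by that name
        ssf, flags = plugins[name]
        if ssf >= min_ssf and set(required_flags) <= flags:
            keep.append((ssf, name))
    return [name for ssf, name in sorted(keep, key=lambda p: -p[0])]

if __name__ == "__main__":
    plugins = parse_plugins(PLUGINVIEWER_CLIENT)
    # Constructed advertised lists; min_ssf=40 mirrors RA_MIN_SSF=40 above.
    for advertised in ("PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5",
                       "PLAIN LOGIN CRAM-MD5", ""):
        print(repr(advertised), "->", worthy_mechs(plugins, advertised, 40))
```

With a minimum SSF of 40, only a mechanism whose best SSF is at least 40 can be selected, so any advertised list that lacks DIGEST-MD5 (or is empty) leaves nothing to negotiate.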