SASL with argus

Carter Bullard carter at qosient.com
Tue Jul 16 23:59:40 EDT 2013


OK, so you're not getting any mechs from argus to negotiate.
Argus should be sending ra() what algorithms are available,
so ra() can choose the algorithm it likes.  But argus is sending {}.

What is argus saying?  Run argus with -D 2, not in daemon mode,
and let's see what argus is saying when the SASL turn starts.

Carter

On Jul 16, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40 and RA_MAX_SSF=128
> 
> /usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10
> 
> <snip>
> ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7, 0xc35af0) receiving capability list... 
> ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7, 0xfffbc270, 8184) {}
> ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7, 0xc35af0) calling sasl_client_start()
> ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0) (null)
> ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
> ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
> </snip>
> 
> /etc/sasl2/argus.conf:
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
> auxprop_plugin: sasldb
> 
> Cheers,
> 
> Jesse
> 
> 
> 
> On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com> wrote:
> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
> It's possible that if you set those to something other than zero, you may
> be able to negotiate a mech.
> 
> Carter
> 
> 
> 
> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> 
>> As a followup, I changed my argus.conf to look like:
>> 
>> pwcheck_method: auxprop
>> mech_list: DIGEST-MD5
>> auxprop_plugin: sasldb
>> 
>> and tried the sample client/server programs like this:
>> 
>> # sasl2-sample-server -s argus -m digest-md5
>> $ sasl2-sample-client -s argus -m digest-md5 localhost
>> 
>> ...provide the authentication/authorization id as before, then the password, and receive a successful authentication.
>> 
>> However I get the same error with ra client programs when attempting to connect...What am I missing here?
>> 
>> Cheers,
>> 
>> Jesse
>> 
>> 
>> 
>> 
>> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>> Hi all,
>> 
>> I'm a SASL noob, and having a hard time getting it configured to work with argus. I've tried setting it up and am getting the following error message:
>> 
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) receiving capability list... 
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3, 0x99773830, 8184) {}
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) calling sasl_client_start()
>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3, 0x0, 0) (null)
>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
>> 
>> 
>> I have the following setup bits, and may of course be missing something simple here:
>> 
>> /etc/argus.conf:
>> 
>> ARGUS_MIN_SSF=40
>> ARGUS_MAX_SSF=128
>> 
>> /etc/ra.conf
>> 
>> RA_USER_AUTH="raclient/raclient"
>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>> 
>> /etc/sasl2/argus.conf:
>> 
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5 
>> 
>> # sasldblistusers2: 
>> raclient at host.realm.tld: userPassword
>> 
>> Pluginviewer output:
>> 
>> Installed SASL (server side) mechanisms are:
>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>> List of server plugins follows
>> Plugin "crammd5" [loaded],      API version: 4
>>         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>         features: SERVER_FIRST
>> Plugin "digestmd5" [loaded],    API version: 4
>>         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>         features: PROXY_AUTHENTICATION
>> Plugin "plain" [loaded],        API version: 4
>>         SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>         security flags: NO_ANONYMOUS
>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>> Plugin "anonymous" [loaded],    API version: 4
>>         SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>         security flags: NO_PLAINTEXT
>>         features: WANT_CLIENT_FIRST
>> Plugin "login" [loaded],        API version: 4
>>         SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>         security flags: NO_ANONYMOUS
>>         features:
>> Installed auxprop mechanisms are:
>> sasldb
>> List of auxprop plugins follows
>> Plugin "sasldb" ,       API version: 4
>>         supports store: yes
>> 
>> Installed SASL (client side) mechanisms are:
>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>> List of client plugins follows
>> Plugin "crammd5" [loaded],      API version: 4
>>         SASL mechanism: CRAM-MD5, best SSF: 0
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>         features: SERVER_FIRST
>> Plugin "digestmd5" [loaded],    API version: 4
>>         SASL mechanism: DIGEST-MD5, best SSF: 128
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>         features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>> Plugin "plain" [loaded],        API version: 4
>>         SASL mechanism: PLAIN, best SSF: 0
>>         security flags: NO_ANONYMOUS
>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>> Plugin "anonymous" [loaded],    API version: 4
>>         SASL mechanism: ANONYMOUS, best SSF: 0
>>         security flags: NO_PLAINTEXT
>>         features: WANT_CLIENT_FIRST
>> Plugin "login" [loaded],        API version: 4
>>         SASL mechanism: LOGIN, best SSF: 0
>>         security flags: NO_ANONYMOUS
>>         features: SERVER_FIRST
>> Plugin "EXTERNAL" [loaded],     API version: 4
>>         SASL mechanism: EXTERNAL, best SSF: 0
>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>> 
>> Anyone set this up successfully for digest-md5?
>> 
>> Thanks,
>> 
>> Jesse
>> 
>> -- 
>> Jesse Bowling
>> 
>> 
>> 
>> 
>> -- 
>> Jesse Bowling
>> 
> 
> 
> 
> 
> -- 
> Jesse Bowling
> 
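
Added example, not part of the original thread or of argus: a local check of which `mech_list` entries can be offered at all, given the installed mechanisms and a minimum SSF, using the `mech_list` values and `pluginviewer` lines quoted above. The function names are hypothetical, and the check assumes case-insensitive name matching, no external layer (such as TLS) contributing SSF, and ignores plugin security flags.

```python
import re

# Constructed sample: server-side pluginviewer lines abridged from the thread.
PLUGINVIEWER = '''\
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
'''

MECH_RE = re.compile(r"SASL mechanism:\s*([A-Z0-9_-]+),\s*best SSF:\s*(\d+)")


def parse_mechs(text):
    """Map each installed mechanism name to its best SSF."""
    return {name: int(ssf) for name, ssf in MECH_RE.findall(text)}


def check_mech_list(installed, mech_list, min_ssf):
    """Split a mech_list into offerable names and rejected names with a reason.

    Assumptions: names match case-insensitively, no external layer (such as
    TLS) adds SSF, and plugin security flags are not modelled.
    """
    offerable, rejected = [], {}
    for name in mech_list.split():
        ssf = installed.get(name.upper())
        if ssf is None:
            rejected[name] = "no installed mechanism has this name"
        elif ssf < min_ssf:
            rejected[name] = f"best SSF {ssf} is below minimum {min_ssf}"
        else:
            offerable.append(name.upper())
    return offerable, rejected


if __name__ == "__main__":
    installed = parse_mechs(PLUGINVIEWER)
    for mech_list in ("DIGESTMD5 PLAIN LOGIN CRAMMD5",
                      "PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5"):
        ok, bad = check_mech_list(installed, mech_list, min_ssf=40)
        print(f"mech_list: {mech_list}\n  offerable: {ok}")
        for name, why in bad.items():
            print(f"  {name}: {why}")
```

An empty offerable list here means the configuration alone leaves nothing to advertise; a non-empty one means the empty `{}` capability list has to be explained elsewhere, for example by what argus reports at startup.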
