SASL with argus

Carter Bullard carter at qosient.com
Wed Jul 17 16:19:16 EDT 2013


Wow, that is pretty weird.  And of course, I can't replicate that here.
So it may be more than just the order of the 3 specific entries in the argus.conf.

You must not have debug turned on in argus, as you aren't printing
any debug information.  If not a bother, could you turn debug on, {touch .debug; ./configure; make}
and then run argus with the two versions of the .conf file to see what is going on?

That would be extremely useful !!!!

Carter


On Jul 17, 2013, at 9:40 AM, Jesse Bowling <jessebowling at gmail.com> wrote:

> Bizarre...When running argus in the foreground with -D 2, I get only these messages:
> 
> # /usr/local/sbin/argus -F /etc/argus.conf -D 2
> argus[13738]: 17 Jul 13 09:31:59.676329 started
> argus[13738]: 17 Jul 13 09:31:59.698620 ArgusGetInterfaceStatus: interface eth3 is up
> 
> However, the ra process is able to connect and receive records just fine!!
> 
> I found that if I moved the directive ARGUS_DAEMON="yes" to below the two SASL configuration options (ARGUS_{MIN,MAX}_SSF) in my argus.conf, everything works as expected...Perhaps some work on the startup process to finish parsing before starting processing is in order? Or is there a deeper issue?
> 
> Cheers,
> 
> Jesse
> 
> 
> On Tue, Jul 16, 2013 at 11:59 PM, Carter Bullard <carter at qosient.com> wrote:
> OK, so you're not getting any mechs from argus to negotiate.
> Argus should be sending ra() what algorithms are available,
> so ra() can choose the algorithm it likes.  But argus is sending {}.
> 
> What is argus saying ?  Run argus with -D 2, not in daemon mode,
> and let's see what argus is saying when the SASL turn starts.
> 
> Carter
> 
> On Jul 16, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> 
>> Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40 and RA_MAX_SSF=128
>> 
>> /usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10
>> 
>> <snip>
>> ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7, 0xc35af0) receiving capability list... 
>> ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7, 0xfffbc270, 8184) {}
>> ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7, 0xc35af0) calling sasl_client_start()
>> ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0) (null)
>> ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
>> ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
>> </snip>
>> 
>> /etc/sasl2/argus.conf:
>> pwcheck_method: auxprop
>> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>> auxprop_plugin: sasldb
>> 
>> Cheers,
>> 
>> Jesse
>> 
>> 
>> 
>> On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com> wrote:
>> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
>> Possibly if you set those to something other than zero, you may
>> be able to negotiate a mech.
>> 
>> Carter
>> 
>> 
>> 
>> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>> 
>>> As a followup, I changed my argus.conf to look like:
>>> 
>>> pwcheck_method: auxprop
>>> mech_list: DIGEST-MD5
>>> auxprop_plugin: sasldb
>>> 
>>> and tried the sample client/server programs like this:
>>> 
>>> # sasl2-sample-server -s argus -m digest-md5
>>> $ sasl2-sample-client -s argus -m digest-md5 localhost
>>> 
>>> ...provide the authentication/authorization id as before, then the password, and receive a successful authentication.
>>> 
>>> However I get the same error with ra client programs when attempting to connect...What am I missing here?
>>> 
>>> Cheers,
>>> 
>>> Jesse
>>> 
>>> 
>>> 
>>> 
>>> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>> Hi all,
>>> 
>>> I'm a SASL noob, and having a hard time getting it configured to work with argus. I've tried setting it up and am getting the following error message:
>>> 
>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) receiving capability list... 
>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3, 0x99773830, 8184) {}
>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) calling sasl_client_start()
>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3, 0x0, 0) (null)
>>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
>>> 
>>> 
>>> I have the following setup bits, and may of course be missing something simple here:
>>> 
>>> /etc/argus.conf:
>>> 
>>> ARGUS_MIN_SSF=40
>>> ARGUS_MAX_SSF=128
>>> 
>>> /etc/ra.conf
>>> 
>>> RA_USER_AUTH="raclient/raclient"
>>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>>> 
>>> /etc/sasl2/argus.conf:
>>> 
>>> pwcheck_method: auxprop
>>> auxprop_plugin: sasldb
>>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5 
>>> 
>>> # sasldblistusers2: 
>>> raclient at host.realm.tld: userPassword
>>> 
>>> Pluginviewer output:
>>> 
>>> Installed SASL (server side) mechanisms are:
>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>> List of server plugins follows
>>> Plugin "crammd5" [loaded],      API version: 4
>>>         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>         features: SERVER_FIRST
>>> Plugin "digestmd5" [loaded],    API version: 4
>>>         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>         features: PROXY_AUTHENTICATION
>>> Plugin "plain" [loaded],        API version: 4
>>>         SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>>         security flags: NO_ANONYMOUS
>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>> Plugin "anonymous" [loaded],    API version: 4
>>>         SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>>         security flags: NO_PLAINTEXT
>>>         features: WANT_CLIENT_FIRST
>>> Plugin "login" [loaded],        API version: 4
>>>         SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>>         security flags: NO_ANONYMOUS
>>>         features:
>>> Installed auxprop mechanisms are:
>>> sasldb
>>> List of auxprop plugins follows
>>> Plugin "sasldb" ,       API version: 4
>>>         supports store: yes
>>> 
>>> Installed SASL (client side) mechanisms are:
>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>> List of client plugins follows
>>> Plugin "crammd5" [loaded],      API version: 4
>>>         SASL mechanism: CRAM-MD5, best SSF: 0
>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>         features: SERVER_FIRST
>>> Plugin "digestmd5" [loaded],    API version: 4
>>>         SASL mechanism: DIGEST-MD5, best SSF: 128
>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>         features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>>> Plugin "plain" [loaded],        API version: 4
>>>         SASL mechanism: PLAIN, best SSF: 0
>>>         security flags: NO_ANONYMOUS
>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>> Plugin "anonymous" [loaded],    API version: 4
>>>         SASL mechanism: ANONYMOUS, best SSF: 0
>>>         security flags: NO_PLAINTEXT
>>>         features: WANT_CLIENT_FIRST
>>> Plugin "login" [loaded],        API version: 4
>>>         SASL mechanism: LOGIN, best SSF: 0
>>>         security flags: NO_ANONYMOUS
>>>         features: SERVER_FIRST
>>> Plugin "EXTERNAL" [loaded],     API version: 4
>>>         SASL mechanism: EXTERNAL, best SSF: 0
>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>> 
>>> Anyone set this up successfully for digest-md5?
>>> 
>>> Thanks,
>>> 
>>> Jesse
>>> 
>>> -- 
>>> Jesse Bowling
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Jesse Bowling
>>> 
>> 
>> 
>> 
>> 
>> -- 
>> Jesse Bowling
>> 
> 
> 
> 
> 
> -- 
> Jesse Bowling
> 
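
A way to cross-check the pieces quoted in this thread, as an added example that is not part of the original messages and is not argus or Cyrus SASL code: it parses the pluginviewer "best SSF" values and tests a mech_list against a minimum SSF of 40 (the ARGUS_MIN_SSF value posted). It assumes a simplified model in which entries are matched by exact mechanism name (case-insensitively) and a mechanism is dropped when its best SSF is below the minimum; `installed_mechs` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample: trimmed from the server-side pluginviewer output quoted above.
PLUGINVIEWER = """\
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
"""

def installed_mechs(text):
    """Map mechanism name -> best SSF from pluginviewer output."""
    pat = re.compile(r"SASL mechanism:\s*([A-Z0-9_-]+),\s*best SSF:\s*(\d+)")
    return {name: int(ssf) for name, ssf in pat.findall(text)}

def audit(mech_list, installed, min_ssf):
    """Classify each mech_list entry under the assumed (simplified) model."""
    offered, too_weak, unknown = [], [], []
    for name in mech_list.upper().split():
        if name not in installed:
            unknown.append(name)      # no loaded plugin provides this name
        elif installed[name] < min_ssf:
            too_weak.append(name)     # cannot supply the required security layer
        else:
            offered.append(name)
    return offered, too_weak, unknown

if __name__ == "__main__":
    mechs = installed_mechs(PLUGINVIEWER)
    # The two mech_list values posted in the thread.
    for label, ml in [("first post", "DIGESTMD5 PLAIN LOGIN CRAMMD5"),
                      ("later post", "PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5")]:
        offered, weak, unknown = audit(ml, mechs, min_ssf=40)
        print(f"{label}: offered={offered} below_min_ssf={weak} unknown={unknown}")
```

Under this model the first mech_list leaves nothing to offer, and the later one leaves only DIGEST-MD5 once a minimum SSF of 40 is required.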
