SASL with argus

Jesse Bowling jessebowling at gmail.com
Fri Jul 19 09:35:19 EDT 2013


I cannot reproduce it with or without debugging turned on in any
combination of argus/client....Perhaps some odd combination of not using
make clean amidst all my re-compiles...Sorry for the false alarm!

Cheers,

Jesse


On Thu, Jul 18, 2013 at 10:42 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Jesse,
> Thanks for the SASL tutorial !!!!
> Only other thing to say is be sure and ./configure and compile your
> clients after installing the SASL libraries.
>
> The clients and argus have to be enabled in order for it to work.
>
> If you enabled debugging, it is possible that turning on debug
> fixed the problem.  If you take debugging out, it may come back?
>
> Carter
>
>
> On Jul 18, 2013, at 10:22 PM, Jesse Bowling <jessebowling at gmail.com>
> wrote:
>
> Well..Turns out I can't reproduce this! My best guess is something wonky
> in one of my compilation/configure runs...Starting clean from argus-3.0.7.2
> and argus-clients-3.0.7.9 works just fine with SASL, regardless of where I
> place the ARGUS_DAEMON="yes"...
>
> Move along, nothing to see here!
>
> For the record, since I had a hard time finding any info on argus + SASL:
>
> Configuring argus to use SASL with DIGEST-MD5:
>
> Install SASL (on RHEL):
>
> yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-md5
> Compile argus with support (./configure --with-sasl)
> Create a SASL conf file in /etc/sasl2/argus.conf:
>
> #<snip>
> pwcheck_method: auxprop
> mech_list: DIGEST-MD5
> auxprop_plugin: sasldb
> #</snip>
>
> Create a user/password set for clients to use with saslpasswd2:
>
> saslpasswd2 -c -a argus raUser
>
> Configure ra client programs to use the new user:
>
> RA_USER_AUTH="raUser/raUser"
> RA_AUTH_PASS="passwordyouset"
>
> Anything you'd care to expand on regarding the use of SASL with argus,
> Carter?
>
> Cheers,
>
> Jesse
>
>
>
> On Wed, Jul 17, 2013 at 4:19 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Wow, that is pretty weird.  And of course, I can't replicate that here.
>> So it may be more than just the order of the 3 specific entries in the
>> argus.conf.
>>
>> You must not have debug turned on in argus, as you aren't printing
>> any debug information.  If not a bother, could you turn debug on, {touch
>> .debug; ./configure; make}
>> and then run argus with the two versions of the .conf file to see what is
>> going on?
>>
>> That would be extremely useful !!!!
>>
>> Carter
>>
>>
>> On Jul 17, 2013, at 9:40 AM, Jesse Bowling <jessebowling at gmail.com>
>> wrote:
>>
>> Bizarre...When running argus in the foreground with -D 2, I get only
>> these messages:
>>
>> # /usr/local/sbin/argus -F /etc/argus.conf -D 2
>> argus[13738]: 17 Jul 13 09:31:59.676329 started
>> argus[13738]: 17 Jul 13 09:31:59.698620 ArgusGetInterfaceStatus:
>> interface eth3 is up
>>
>> However, the ra process is able to connect and receive records just fine!!
>>
>> I found that if I moved the directive ARGUS_DAEMON="yes" to below the two
>> SASL configuration options (ARGUS_{MIN,MAX}_SSF) in my argus.conf,
>> everything works as expected...Perhaps some work on the startup process to
>> finish parsing before starting processing is in order? Or is there a deeper
>> issue?
>>
>> Cheers,
>>
>> Jesse
>>
>>
>> On Tue, Jul 16, 2013 at 11:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> OK, so you're not getting any mechs from argus to negotiate.
>>> Argus should be sending ra() what algorithms are available,
>>> so ra() can choose the algorithm it likes.  But argus is sending {}.
>>>
>>> What is argus saying ?  Run argus with -D 2, not in daemon mode,
>>> and let's see what argus is saying when the SASL turn starts.
>>>
>>> Carter
>>>
>>> On Jul 16, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com>
>>> wrote:
>>>
>>> Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40
>>> and RA_MAX_SSF=128
>>>
>>> /usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10
>>>
>>> <snip>
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7,
>>> 0xc35af0) receiving capability list...
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7,
>>> 0xfffbc270, 8184) {}
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7,
>>> 0xc35af0) calling sasl_client_start()
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0)
>>> (null)
>>> ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL
>>> negotiation SASL(-4): no mechanism available: No worthy mechs found
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
>>> </snip>
>>>
>>> /etc/sasl2/argus.conf:
>>> pwcheck_method: auxprop
>>> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>>> auxprop_plugin: sasldb
>>>
>>> Cheers,
>>>
>>> Jesse
>>>
>>>
>>>
>>> On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com> wrote:
>>>
>>>> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
>>>> Possibly, if you set those to something other than zero, you may
>>>> be able to negotiate a mech.
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com>
>>>> wrote:
>>>>
>>>> As a followup, I changed my argus.conf to look like:
>>>>
>>>> pwcheck_method: auxprop
>>>> mech_list: DIGEST-MD5
>>>> auxprop_plugin: sasldb
>>>>
>>>> and tried the sample client/server programs like this:
>>>>
>>>> # sasl2-sample-server -s argus -m digest-md5
>>>> $ sasl2-sample-client -s argus -m digest-md5 localhost
>>>>
>>>> ...provide the authentication/authorization id as before, then the
>>>> password, and receive a successful authentication.
>>>>
>>>> However I get the same error with ra client programs when attempting to
>>>> connect...What am I missing here?
>>>>
>>>> Cheers,
>>>>
>>>> Jesse
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm a SASL noob, and having a hard time getting it configured to work
>>>>> with argus. I've tried setting it up and am getting the following error
>>>>> message:
>>>>>
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3,
>>>>> 0x3, 0x27c6d90) receiving capability list...
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3,
>>>>> 0x99773830, 8184) {}
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3,
>>>>> 0x3, 0x27c6d90) calling sasl_client_start()
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3,
>>>>> 0x0, 0) (null)
>>>>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL
>>>>> negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>>>
>>>>>
>>>>> I have the following setup bits, and may of course be missing
>>>>> something simple here:
>>>>>
>>>>> /etc/argus.conf:
>>>>>
>>>>> ARGUS_MIN_SSF=40
>>>>> ARGUS_MAX_SSF=128
>>>>>
>>>>> /etc/ra.conf
>>>>>
>>>>> RA_USER_AUTH="raclient/raclient"
>>>>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>>>>>
>>>>> /etc/sasl2/argus.conf:
>>>>>
>>>>> pwcheck_method: auxprop
>>>>> auxprop_plugin: sasldb
>>>>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5
>>>>>
>>>>> # sasldblistusers2:
>>>>> raclient at host.realm.tld: userPassword
>>>>>
>>>>> Pluginviewer output:
>>>>>
>>>>> Installed SASL (server side) mechanisms are:
>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>> List of server plugins follows
>>>>> Plugin "crammd5" [loaded],      API version: 4
>>>>>         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>         features: SERVER_FIRST
>>>>> Plugin "digestmd5" [loaded],    API version: 4
>>>>>         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>         features: PROXY_AUTHENTICATION
>>>>> Plugin "plain" [loaded],        API version: 4
>>>>>         SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>> Plugin "anonymous" [loaded],    API version: 4
>>>>>         SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_PLAINTEXT
>>>>>         features: WANT_CLIENT_FIRST
>>>>> Plugin "login" [loaded],        API version: 4
>>>>>         SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features:
>>>>> Installed auxprop mechanisms are:
>>>>> sasldb
>>>>> List of auxprop plugins follows
>>>>> Plugin "sasldb" ,       API version: 4
>>>>>         supports store: yes
>>>>>
>>>>> Installed SASL (client side) mechanisms are:
>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>> List of client plugins follows
>>>>> Plugin "crammd5" [loaded],      API version: 4
>>>>>         SASL mechanism: CRAM-MD5, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>         features: SERVER_FIRST
>>>>> Plugin "digestmd5" [loaded],    API version: 4
>>>>>         SASL mechanism: DIGEST-MD5, best SSF: 128
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>         features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>>>>> Plugin "plain" [loaded],        API version: 4
>>>>>         SASL mechanism: PLAIN, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>> Plugin "anonymous" [loaded],    API version: 4
>>>>>         SASL mechanism: ANONYMOUS, best SSF: 0
>>>>>         security flags: NO_PLAINTEXT
>>>>>         features: WANT_CLIENT_FIRST
>>>>> Plugin "login" [loaded],        API version: 4
>>>>>         SASL mechanism: LOGIN, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features: SERVER_FIRST
>>>>> Plugin "EXTERNAL" [loaded],     API version: 4
>>>>>         SASL mechanism: EXTERNAL, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>
>>>>> Anyone set this up successfully for digest-md5?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jesse
>>>>>
>>>>> --
>>>>> Jesse Bowling
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Jesse Bowling
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Jesse Bowling
>>>
>>>
>>>
>>
>>
>> --
>> Jesse Bowling
>>
>>
>>
>
>
> --
> Jesse Bowling
>
>
>


-- 
Jesse Bowling
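The thread's "No worthy mechs found" error is what the Cyrus SASL client reports when none of the mechanisms offered to it satisfies the security properties it was asked for; with RA_MIN_SSF=40, any mechanism whose best SSF is below 40 (PLAIN, LOGIN, CRAM-MD5 all report SSF 0 in the pluginviewer output above) is discarded, and a misspelled mech_list entry such as DIGESTMD5 matches no installed plugin at all. The following script is an added example, not code from argus, the argus clients, or anyone in this thread: it parses a /etc/sasl2/argus.conf-style file and pluginviewer output (both embedded here as constructed samples taken from the messages above), then reports which mech_list entries are unknown, too weak for the minimum SSF, or usable. It models only the client-side SSF filter; it assumes mech_list names are compared case-insensitively but otherwise exactly, and it cannot explain a server that advertises an empty capability list ({}), which is a separate problem on the argus side.

```python
"""Check a Cyrus SASL mech_list against installed plugins and a minimum SSF.

Added example (not part of argus or its clients). It reproduces the
client-side filter that leads to "No worthy mechs found": a mechanism is
only acceptable if it is installed and its best SSF >= the configured
minimum (RA_MIN_SSF in ra.conf / ARGUS_MIN_SSF in argus.conf).
"""
import re

# Constructed sample: the server-side part of the pluginviewer output quoted
# in the thread (trimmed to the four plugins relevant to the mech_list).
PLUGINVIEWER_OUTPUT = """\
Installed SASL (server side) mechanisms are:
CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
List of server plugins follows
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features:
"""

# Constructed samples: the first /etc/sasl2/argus.conf from the thread
# (note the unhyphenated mech names) and the final working one.
CONF_FIRST_ATTEMPT = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5
"""
CONF_FINAL = """\
#<snip>
pwcheck_method: auxprop
mech_list: DIGEST-MD5
auxprop_plugin: sasldb
#</snip>
"""

MECH_RE = re.compile(r"SASL mechanism:\s*(\S+),\s*best SSF:\s*(\d+)")


def parse_pluginviewer(text):
    """Map mechanism name (upper-cased) to its best SSF from pluginviewer output."""
    return {m.group(1).upper(): int(m.group(2)) for m in MECH_RE.finditer(text)}


def parse_sasl_conf(text):
    """Parse 'key: value' lines of a Cyrus SASL application conf file.

    Everything after '#' is a comment; blank and malformed lines are skipped.
    """
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def diagnose(conf_text, pluginviewer_text, min_ssf):
    """Classify each mech_list entry as unknown, too_weak, or usable.

    'unknown'  : name matches no installed plugin (e.g. a typo like DIGESTMD5)
    'too_weak' : installed, but best SSF < min_ssf, so the client skips it
    'usable'   : installed and strong enough to be negotiated
    An empty 'usable' list is the condition behind "No worthy mechs found".
    """
    installed = parse_pluginviewer(pluginviewer_text)
    conf = parse_sasl_conf(conf_text)
    report = {"unknown": [], "too_weak": [], "usable": []}
    for mech in conf.get("mech_list", "").split():
        name = mech.upper()  # assumption: case-insensitive, otherwise exact match
        if name not in installed:
            report["unknown"].append(mech)
        elif installed[name] < min_ssf:
            report["too_weak"].append(mech)
        else:
            report["usable"].append(mech)
    return report


if __name__ == "__main__":
    for label, conf in (("first attempt", CONF_FIRST_ATTEMPT), ("final", CONF_FINAL)):
        result = diagnose(conf, PLUGINVIEWER_OUTPUT, min_ssf=40)
        verdict = "OK" if result["usable"] else "client would fail: no worthy mechs"
        print(f"{label}: {result} -> {verdict}")
```

Run against the first configuration, every entry is either unknown or has SSF 0, so nothing survives a minimum SSF of 40; the final configuration leaves DIGEST-MD5 (SSF 128) as the single usable mechanism. On a live host, replace the embedded samples with `pluginviewer` output and the real conf file. DIGEST-MD5 is the only SSF-bearing mechanism in this install, but it has since been moved to Historic status by RFC 6331, so treat this setup as authentication plus an integrity layer of its era rather than a current best practice.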