SASL with argus

Jesse Bowling jessebowling at gmail.com
Thu Jul 25 21:45:17 EDT 2013


One more followup question on this, Carter:

Is it possible to specify the userid/authid:password from the command line
for SASL enabled Argus? Or may we only use the .rarc file or be prompted
upon connection?

Cheers,

Jesse


On Thu, Jul 18, 2013 at 10:42 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Jesse,
> Thanks for the SASL tutorial !!!!
> Only other thing to say is be sure and ./configure and compile your
> clients after installing the SASL libraries.
>
> The clients and argus have to be enabled in order for it to work.
>
> If you enabled debugging, it is possible that turning on debug
> fixed the problem.  If you take debugging out, it may come back?
>
> Carter
>
>
> On Jul 18, 2013, at 10:22 PM, Jesse Bowling <jessebowling at gmail.com>
> wrote:
>
> Well..Turns out I can't reproduce this! My best guess is something wonky
> in one of my compilation/configure runs...Starting clean from argus-3.0.7.2
> and argus-clients-3.0.7.9 works just fine with SASL, regardless of where I
> place the ARGUS_DAEMON="yes"...
>
> Move along, nothing to see here!
>
> For the record, since I had a hard time finding any info on argus + SASL:
>
> Configuring argus to use SASL with DIGEST-MD5:
>
> Install SASL (on RHEL):
>
> yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-md5
> Compile argus with support (./configure --with-sasl)
> Create a SASL conf file in /etc/sasl2/argus.conf:
>
> #<snip>
> pwcheck_method: auxprop
> mech_list: DIGEST-MD5
> auxprop_plugin: sasldb
> #</snip>
>
> Create a user/password set for clients to use with saslpasswd2:
>
> saslpasswd2 -c -a argus raUser
>
> Configure ra client programs to use the new user:
>
> RA_USER_AUTH="raUser/raUser"
> RA_AUTH_PASS="passwordyouset"
>
> Anything you'd care to expand on regarding the use of SASL with argus,
> Carter?
>
> Cheers,
>
> Jesse
>
>
>
> On Wed, Jul 17, 2013 at 4:19 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Wow, that is pretty weird.  And of course, I can't replicate that here.
>> So it may be more than just the order of the 3 specific entries in the
>> argus.conf.
>>
>> You must not have debug turned on in argus, as you aren't printing
>> any debug information.  If not a bother, could you turn debug on, {touch
>> .debug; ./configure; make}
>> and then run argus with the two versions of the .conf file to see what is
>> going on?
>>
>> That would be extremely useful !!!!
>>
>> Carter
>>
>>
>> On Jul 17, 2013, at 9:40 AM, Jesse Bowling <jessebowling at gmail.com>
>> wrote:
>>
>> Bizarre...When running argus in the foreground with -D 2, I get only
>> these messages:
>>
>> # /usr/local/sbin/argus -F /etc/argus.conf -D 2
>> argus[13738]: 17 Jul 13 09:31:59.676329 started
>> argus[13738]: 17 Jul 13 09:31:59.698620 ArgusGetInterfaceStatus:
>> interface eth3 is up
>>
>> However, the ra process is able to connect and receive records just fine!!
>>
>> I found that if I moved the directive ARGUS_DAEMON="yes" to below the two
>> SASL configuration options (ARGUS_{MIN,MAX}_SSF) in my argus.conf,
>> everything works as expected...Perhaps some work on the startup process to
>> finish parsing before starting processing is in order? Or is there a deeper
>> issue?
>>
>> Cheers,
>>
>> Jesse
>>
>>
>> On Tue, Jul 16, 2013 at 11:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> OK, so you're not getting any mechs from argus to negotiate.
>>> Argus should be sending ra() what algorithms are available,
>>> so ra() can choose the algorithm it likes.  But argus is sending {}.
>>>
>>> What is argus saying ?  Run argus with -D 2, not in daemon mode,
>>> and let's see what argus is saying when the SASL turn starts.
>>>
>>> Carter
>>>
>>> On Jul 16, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com>
>>> wrote:
>>>
>>> Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40
>>> and RA_MAX_SSF=128
>>>
>>> /usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10
>>>
>>> <snip>
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7,
>>> 0xc35af0) receiving capability list...
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7,
>>> 0xfffbc270, 8184) {}
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7,
>>> 0xc35af0) calling sasl_client_start()
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0)
>>> (null)
>>> ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL
>>> negotiation SASL(-4): no mechanism available: No worthy mechs found
>>> ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
>>> </snip>
>>>
>>> /etc/sasl2/argus.conf:
>>> pwcheck_method: auxprop
>>> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>>> auxprop_plugin: sasldb
>>>
>>> Cheers,
>>>
>>> Jesse
>>>
>>>
>>>
>>> On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com> wrote:
>>>
>>>> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
>>>> Possible if you set those to something other than zero, and you may
>>>> be able to negotiate a mech.
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com>
>>>> wrote:
>>>>
>>>> As a followup, I changed my argus.conf to look like:
>>>>
>>>> pwcheck_method: auxprop
>>>> mech_list: DIGEST-MD5
>>>> auxprop_plugin: sasldb
>>>>
>>>> and tried the sample client/server programs like this:
>>>>
>>>> # sasl2-sample-server -s argus -m digest-md5
>>>> $ sasl2-sample-client -s argus -m digest-md5 localhost
>>>>
>>>> ...provide the authentication/authorization id as before, then the
>>>> password, and receive a successful authentication.
>>>>
>>>> However I get the same error with ra client programs when attempting to
>>>> connect...What am I missing here?
>>>>
>>>> Cheers,
>>>>
>>>> Jesse
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm a SASL noob, and having a hard time getting it configured to work
>>>>> with argus. I've tried setting it up and am getting the following error
>>>>> message:
>>>>>
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3,
>>>>> 0x3, 0x27c6d90) receiving capability list...
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3,
>>>>> 0x99773830, 8184) {}
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3,
>>>>> 0x3, 0x27c6d90) calling sasl_client_start()
>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3,
>>>>> 0x0, 0) (null)
>>>>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL
>>>>> negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>>>
>>>>>
>>>>> I have the following setup bits, and may of course be missing
>>>>> something simple here:
>>>>>
>>>>> /etc/argus.conf:
>>>>>
>>>>> ARGUS_MIN_SSF=40
>>>>> ARGUS_MAX_SSF=128
>>>>>
>>>>> /etc/ra.conf
>>>>>
>>>>> RA_USER_AUTH="raclient/raclient"
>>>>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>>>>>
>>>>> /etc/sasl2/argus.conf:
>>>>>
>>>>> pwcheck_method: auxprop
>>>>> auxprop_plugin: sasldb
>>>>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5
>>>>>
>>>>> # sasldblistusers2:
>>>>> raclient at host.realm.tld: userPassword
>>>>>
>>>>> Pluginviewer output:
>>>>>
>>>>> Installed SASL (server side) mechanisms are:
>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>> List of server plugins follows
>>>>> Plugin "crammd5" [loaded],      API version: 4
>>>>>         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>         features: SERVER_FIRST
>>>>> Plugin "digestmd5" [loaded],    API version: 4
>>>>>         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>         features: PROXY_AUTHENTICATION
>>>>> Plugin "plain" [loaded],        API version: 4
>>>>>         SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>> Plugin "anonymous" [loaded],    API version: 4
>>>>>         SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_PLAINTEXT
>>>>>         features: WANT_CLIENT_FIRST
>>>>> Plugin "login" [loaded],        API version: 4
>>>>>         SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features:
>>>>> Installed auxprop mechanisms are:
>>>>> sasldb
>>>>> List of auxprop plugins follows
>>>>> Plugin "sasldb" ,       API version: 4
>>>>>         supports store: yes
>>>>>
>>>>> Installed SASL (client side) mechanisms are:
>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>> List of client plugins follows
>>>>> Plugin "crammd5" [loaded],      API version: 4
>>>>>         SASL mechanism: CRAM-MD5, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>         features: SERVER_FIRST
>>>>> Plugin "digestmd5" [loaded],    API version: 4
>>>>>         SASL mechanism: DIGEST-MD5, best SSF: 128
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>         features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>>>>> Plugin "plain" [loaded],        API version: 4
>>>>>         SASL mechanism: PLAIN, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>> Plugin "anonymous" [loaded],    API version: 4
>>>>>         SASL mechanism: ANONYMOUS, best SSF: 0
>>>>>         security flags: NO_PLAINTEXT
>>>>>         features: WANT_CLIENT_FIRST
>>>>> Plugin "login" [loaded],        API version: 4
>>>>>         SASL mechanism: LOGIN, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS
>>>>>         features: SERVER_FIRST
>>>>> Plugin "EXTERNAL" [loaded],     API version: 4
>>>>>         SASL mechanism: EXTERNAL, best SSF: 0
>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>
>>>>> Anyone set this up successfully for digest-md5?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jesse
>>>>>
>>>>> --
>>>>> Jesse Bowling


-- 
Jesse Bowling
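
An added example, not part of the thread and not argus or Cyrus SASL code: a small lint for the setup discussed above. It checks that each mech_list entry matches an installed mechanism name as pluginviewer reports it, and that the mechanism's best SSF meets ARGUS_MIN_SSF. Assumptions: ARGUS_MIN_SSF is handed to SASL as the minimum security strength factor, mechanism names compare case-insensitively, and the function names and trimmed sample inputs are constructed for illustration.

```python
import re

# Constructed samples, trimmed from the configuration and pluginviewer output quoted in the thread.
PLUGINVIEWER = """\
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
"""
SASL_CONF = "pwcheck_method: auxprop\nauxprop_plugin: sasldb\nmech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5\n"
ARGUS_CONF = "ARGUS_MIN_SSF=40\nARGUS_MAX_SSF=128\n"

def installed_mechs(pluginviewer_text):
    """Map mechanism name -> best SSF, read from pluginviewer output."""
    pat = re.compile(r"SASL mechanism:\s*([A-Z0-9_-]+),\s*best SSF:\s*(\d+)")
    return {m.group(1): int(m.group(2)) for m in pat.finditer(pluginviewer_text)}

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines, skipping blank lines and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def audit(sasl_conf, argus_conf, pluginviewer_text):
    """Return (usable mechanisms, findings) for a SASL conf / argus.conf pair."""
    mechs = installed_mechs(pluginviewer_text)
    min_ssf = int(parse_kv(argus_conf, "=").get("ARGUS_MIN_SSF", 0))
    mech_list = parse_kv(sasl_conf, ":").get("mech_list")
    # With no mech_list set, every installed mechanism is a candidate.
    listed = mech_list.split() if mech_list else list(mechs)
    usable, findings = [], []
    for name in listed:
        key = name.upper()  # assumption: names are matched case-insensitively
        if key not in mechs:
            findings.append(f"{name}: not an installed mechanism name")
        elif mechs[key] < min_ssf:
            findings.append(f"{name}: best SSF {mechs[key]} < ARGUS_MIN_SSF {min_ssf}")
        else:
            usable.append(key)
    if not usable:
        findings.append("no listed mechanism is usable at this minimum SSF")
    return usable, findings

if __name__ == "__main__":
    print(audit(SASL_CONF, ARGUS_CONF, PLUGINVIEWER))
```

On a live host, feed it the real pluginviewer output and the contents of /etc/sasl2/argus.conf and /etc/argus.conf instead of the constructed strings.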