SASL with argus

Carter Bullard carter at qosient.com
Fri Jul 26 08:43:06 EDT 2013


Hey Jesse,
We did, but we ended up with multiple username/password pairs, such as a db client accessing a secure remote data source.  So I took it out.
All things are possible... so, how about this?

   -S [argus://][user[:pass]@]host[:port]

Maybe hard to read, but it would be something like...

   -S carter@localhost
   -S carter:pass@localhost:561
   -S argus-udp://carter:pass@localhost:561

I'd do the same for "-w" to the database for consistency.

Would that be cool?  Is that consistent with other Unix commands?
Other suggestions ?

Hope all is most excellent  !!!!

Carter


On Jul 25, 2013, at 6:45 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> One more followup question on this Carter:
> 
> Is it possible to specify the userid/authid:password from the command line for SASL enabled Argus? Or may we only use the .rarc file or be prompted upon connection?
> 
> Cheers,
> 
> Jesse
> 
> 
> On Thu, Jul 18, 2013 at 10:42 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Jesse,
>> Thanks for the SASL tutorial !!!!
>> Only other thing to say is be sure to ./configure and compile your
>> clients after installing the SASL libraries.
>> 
>> The clients and argus have to be enabled in order for it to work.
>> 
>> If you enabled debugging, it is possible that turning on debug
>> fixed the problem.  If you take debugging out, it may come back?
>> 
>> Carter
>> 
>> 
>> On Jul 18, 2013, at 10:22 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>> 
>>> Well..Turns out I can't reproduce this! My best guess is something wonky in one of my compilation/configure runs...Starting clean from argus-3.0.7.2 and argus-clients-3.0.7.9 works just fine with SASL, regardless of where I place the ARGUS_DAEMON="yes"...
>>> 
>>> Move along, nothing to see here!
>>> 
>>> For the record, since I had a hard time finding any info on argus + SASL:
>>> 
>>> Configuring argus to use SASL with DIGEST-MD5:
>>> 
>>> Install SASL (on RHEL):
>>> yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-md5
>>> 
>>> Compile argus with support (./configure --with-sasl)
>>> Create a SASL conf file in /etc/sasl2/argus.conf:
>>> 
>>> #<snip>
>>> pwcheck_method: auxprop
>>> mech_list: DIGEST-MD5
>>> auxprop_plugin: sasldb
>>> #</snip>
>>> 
>>> Create a user/password set for clients to use with saslpasswd2:
>>> 
>>> saslpasswd2 -c -a argus raUser
>>> 
>>> Configure ra client programs to use the new user:
>>> 
>>> RA_USER_AUTH="raUser/raUser"
>>> RA_AUTH_PASS="passwordyouset"
>>> 
>>> Anything you'd care to expand on regarding the use of SASL with argus, Carter?
>>> 
>>> Cheers,
>>> 
>>> Jesse
>>> 
>>> 
>>> 
>>> On Wed, Jul 17, 2013 at 4:19 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> Wow, that is pretty weird.  And of course, I can't replicate that here.
>>>> So it may be more than just the order of the 3 specific entries in the argus.conf.
>>>> 
>>>> You must not have debug turned on in argus, as you aren't printing
>>>> any debug information.  If not a bother, could you turn debug on, {touch .debug; ./configure; make}
>>>> and then run argus with the two versions of the .conf file to see what is going on?
>>>> 
>>>> That would be extremely useful !!!!
>>>> 
>>>> Carter
>>>> 
>>>> 
>>>> On Jul 17, 2013, at 9:40 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>> 
>>>>> Bizarre...When running argus in the foreground with -D 2, I get only these messages:
>>>>> 
>>>>> # /usr/local/sbin/argus -F /etc/argus.conf -D 2
>>>>> argus[13738]: 17 Jul 13 09:31:59.676329 started
>>>>> argus[13738]: 17 Jul 13 09:31:59.698620 ArgusGetInterfaceStatus: interface eth3 is up
>>>>> 
>>>>> However, the ra process is able to connect and receive records just fine!!
>>>>> 
>>>>> I found that if I moved the directive ARGUS_DAEMON="yes" to below the two SASL configuration options (ARGUS_{MIN,MAX}_SSF) in my argus.conf, everything works as expected...Perhaps some work on the startup process to finish parsing before starting processing is in order? Or is there a deeper issue?
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Jesse
>>>>> 
>>>>> 
>>>>> On Tue, Jul 16, 2013 at 11:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>> OK, so you're not getting any mechs from argus to negotiate.
>>>>>> Argus should be sending ra() what algorithms are available,
>>>>>> so ra() can choose the algorithm it likes.  But argus is sending {}.
>>>>>> 
>>>>>> What is argus saying?  Run argus with -D 2, not in daemon mode,
>>>>>> and let's see what argus is saying when the SASL turn starts.
>>>>>> 
>>>>>> Carter
>>>>>> 
>>>>>> On Jul 16, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>>>> 
>>>>>>> Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40 and RA_MAX_SSF=128
>>>>>>> 
>>>>>>> /usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10
>>>>>>> 
>>>>>>> <snip>
>>>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7, 0xc35af0) receiving capability list... 
>>>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7, 0xfffbc270, 8184) {}
>>>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7, 0xc35af0) calling sasl_client_start()
>>>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0) (null)
>>>>>>> ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
>>>>>>> </snip>
>>>>>>> 
>>>>>>> /etc/sasl2/argus.conf:
>>>>>>> pwcheck_method: auxprop
>>>>>>> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>>>>>>> auxprop_plugin: sasldb
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> 
>>>>>>> Jesse
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
>>>>>>>> Possibly if you set those to something other than zero, you may
>>>>>>>> be able to negotiate a mech.
>>>>>>>> 
>>>>>>>> Carter
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> As a followup, I changed my argus.conf to look like:
>>>>>>>>> 
>>>>>>>>> pwcheck_method: auxprop
>>>>>>>>> mech_list: DIGEST-MD5
>>>>>>>>> auxprop_plugin: sasldb
>>>>>>>>> 
>>>>>>>>> and tried the sample client/server programs like this:
>>>>>>>>> 
>>>>>>>>> # sasl2-sample-server -s argus -m digest-md5
>>>>>>>>> $ sasl2-sample-client -s argus -m digest-md5 localhost
>>>>>>>>> 
>>>>>>>>> ...provide the authentication/authorization id as before, then the password, and receive a successful authentication.
>>>>>>>>> 
>>>>>>>>> However I get the same error with ra client programs when attempting to connect...What am I missing here?
>>>>>>>>> 
>>>>>>>>> Cheers,
>>>>>>>>> 
>>>>>>>>> Jesse
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>> 
>>>>>>>>>> I'm a SASL noob, and having a hard time getting it configured to work with argus. I've tried setting it up and am getting the following error message:
>>>>>>>>>> 
>>>>>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) receiving capability list... 
>>>>>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3, 0x99773830, 8184) {}
>>>>>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) calling sasl_client_start()
>>>>>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3, 0x0, 0) (null)
>>>>>>>>>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> I have the following setup bits, and may of course be missing something simple here:
>>>>>>>>>> 
>>>>>>>>>> /etc/argus.conf:
>>>>>>>>>> 
>>>>>>>>>> ARGUS_MIN_SSF=40
>>>>>>>>>> ARGUS_MAX_SSF=128
>>>>>>>>>> 
>>>>>>>>>> /etc/ra.conf
>>>>>>>>>> 
>>>>>>>>>> RA_USER_AUTH="raclient/raclient"
>>>>>>>>>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>>>>>>>>>> 
>>>>>>>>>> /etc/sasl2/argus.conf:
>>>>>>>>>> 
>>>>>>>>>> pwcheck_method: auxprop
>>>>>>>>>> auxprop_plugin: sasldb
>>>>>>>>>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5 
>>>>>>>>>> 
>>>>>>>>>> # sasldblistusers2:
>>>>>>>>>> raclient@host.realm.tld: userPassword
>>>>>>>>>> 
>>>>>>>>>> Pluginviewer output:
>>>>>>>>>> 
>>>>>>>>>> Installed SASL (server side) mechanisms are:
>>>>>>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>>>>>>> List of server plugins follows
>>>>>>>>>> Plugin "crammd5" [loaded],      API version: 4
>>>>>>>>>>         SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>>>>>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>>>>>>         features: SERVER_FIRST
>>>>>>>>>> Plugin "digestmd5" [loaded],    API version: 4
>>>>>>>>>>         SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>>>>>>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>>>>>>         features: PROXY_AUTHENTICATION
>>>>>>>>>> Plugin "plain" [loaded],        API version: 4
>>>>>>>>>>         SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>>>>>>>>>         security flags: NO_ANONYMOUS
>>>>>>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>>>>>> Plugin "anonymous" [loaded],    API version: 4
>>>>>>>>>>         SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>>>>>>>>>         security flags: NO_PLAINTEXT
>>>>>>>>>>         features: WANT_CLIENT_FIRST
>>>>>>>>>> Plugin "login" [loaded],        API version: 4
>>>>>>>>>>         SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>>>>>>>>>         security flags: NO_ANONYMOUS
>>>>>>>>>>         features:
>>>>>>>>>> Installed auxprop mechanisms are:
>>>>>>>>>> sasldb
>>>>>>>>>> List of auxprop plugins follows
>>>>>>>>>> Plugin "sasldb" ,       API version: 4
>>>>>>>>>>         supports store: yes
>>>>>>>>>> 
>>>>>>>>>> Installed SASL (client side) mechanisms are:
>>>>>>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>>>>>>> List of client plugins follows
>>>>>>>>>> Plugin "crammd5" [loaded],      API version: 4
>>>>>>>>>>         SASL mechanism: CRAM-MD5, best SSF: 0
>>>>>>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>>>>>>         features: SERVER_FIRST
>>>>>>>>>> Plugin "digestmd5" [loaded],    API version: 4
>>>>>>>>>>         SASL mechanism: DIGEST-MD5, best SSF: 128
>>>>>>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>>>>>>         features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>>>>>>>>>> Plugin "plain" [loaded],        API version: 4
>>>>>>>>>>         SASL mechanism: PLAIN, best SSF: 0
>>>>>>>>>>         security flags: NO_ANONYMOUS
>>>>>>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>>>>>> Plugin "anonymous" [loaded],    API version: 4
>>>>>>>>>>         SASL mechanism: ANONYMOUS, best SSF: 0
>>>>>>>>>>         security flags: NO_PLAINTEXT
>>>>>>>>>>         features: WANT_CLIENT_FIRST
>>>>>>>>>> Plugin "login" [loaded],        API version: 4
>>>>>>>>>>         SASL mechanism: LOGIN, best SSF: 0
>>>>>>>>>>         security flags: NO_ANONYMOUS
>>>>>>>>>>         features: SERVER_FIRST
>>>>>>>>>> Plugin "EXTERNAL" [loaded],     API version: 4
>>>>>>>>>>         SASL mechanism: EXTERNAL, best SSF: 0
>>>>>>>>>>         security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>>>>>>>>>         features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>>>>>> 
>>>>>>>>>> Anyone set this up successfully for digest-md5?
>>>>>>>>>> 
>>>>>>>>>> Thanks,
>>>>>>>>>> 
>>>>>>>>>> Jesse
>>>>>>>>>> 
>>>>>>>>>> -- 
>>>>>>>>>> Jesse Bowling
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> -- 
>>>>>>>>> Jesse Bowling
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> -- 
>>>>>>> Jesse Bowling
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Jesse Bowling
>>> 
>>> 
>>> 
>>> -- 
>>> Jesse Bowling
> 
> 
> 
> -- 
> Jesse Bowling
> 
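Added example, not code from the thread or from the argus project: a small Python model of the two filters that decide what ends up in the capability list ra prints inside {...} and whether sasl_client_start() then finds a worthy mechanism. On the server side only mech_list entries that name an installed plugin and whose best SSF reaches the server's minimum SSF survive; on the client side only offered mechanisms the client also has a plugin for and whose SSF reaches RA_MIN_SSF are worthy. The pluginviewer listing, the two /etc/sasl2/argus.conf variants and the ra debug line are constructed from the ones quoted above. The whitespace separation of names inside the braces and the simplified SSF rules (security flags such as NO_PLAINTEXT and any external SSF are ignored) are assumptions. The model shows how the first config, with its hyphen-less mechanism names plus ARGUS_MIN_SSF=40, would leave argus with nothing to advertise, which is consistent with the {} in the debug output, although the thread itself never pinned the cause down.

```python
import re

# Constructed sample input: the server-side part of the pluginviewer listing
# quoted in the thread, abridged to the lines the parser needs.
PLUGINVIEWER_OUTPUT = """\
Installed SASL (server side) mechanisms are:
CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
"""

# Constructed samples: the first /etc/sasl2/argus.conf from the thread, with
# its hyphen-less mechanism names, beside the DIGEST-MD5-only one that worked.
SASL_CONF_BROKEN = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5
"""
SASL_CONF_FIXED = """\
pwcheck_method: auxprop
mech_list: DIGEST-MD5
auxprop_plugin: sasldb
"""

# Constructed sample: one ra -D 10 line of the shape quoted in the thread;
# the braces carry the server's capability list, empty here.
RA_DEBUG_LINE = ("ra[8822.006799f7ff7f0000]: 22:07:30.984583 "
                 "RaGetSaslString(0x7, 0xfffbc270, 8184) {}")


def parse_pluginviewer(text):
    """Map mechanism name -> best SSF from pluginviewer output."""
    pat = re.compile(r"SASL mechanism: ([A-Z0-9-]+), best SSF: (\d+)")
    return {m.group(1): int(m.group(2)) for m in pat.finditer(text)}


def parse_sasl_conf(text):
    """Parse 'key: value' lines of a sasl2 config; mech_list becomes a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        conf[key] = value.split() if key == "mech_list" else value
    return conf


def server_advertised(conf, installed, server_min_ssf=0):
    """Mechanisms the server can actually offer: mech_list entries that name an
    installed server plugin whose best SSF reaches the server's minimum SSF.
    Misspelled names (DIGESTMD5 for DIGEST-MD5) match nothing and drop out
    silently; an absent mech_list means every installed mechanism."""
    wanted = conf.get("mech_list") or list(installed)
    return [m for m in wanted
            if m in installed and installed[m] >= server_min_ssf]


def advertised_from_debug(line):
    """Extract the capability list from an ra 'RaGetSaslString(...) {...}' line.
    Assumption: names inside the braces are whitespace separated."""
    m = re.search(r"RaGetSaslString\([^)]*\)\s*\{([^}]*)\}", line)
    if m is None:
        raise ValueError("not a RaGetSaslString debug line")
    return m.group(1).split()


def select_mech(advertised, installed, min_ssf, max_ssf):
    """Simplified client side of sasl_client_start(): a mechanism is worthy
    only if the client has a plugin for it and that plugin's best SSF reaches
    min_ssf; max_ssf caps the negotiated layer rather than excluding stronger
    mechanisms. Returns (mechanism, negotiated_ssf), or None when nothing
    qualifies, which is the 'No worthy mechs found' case."""
    worthy = [(installed[m], m) for m in advertised
              if m in installed and installed[m] >= min_ssf]
    if not worthy:
        return None
    ssf, mech = max(worthy)            # strongest available wins
    return mech, min(ssf, max_ssf)


def diagnose(conf_text, plugin_text, server_min_ssf, client_min_ssf, client_max_ssf):
    """End to end: what would argus advertise with this sasl2 config and
    ARGUS_MIN_SSF, and would an ra client with these bounds find a mechanism?"""
    installed = parse_pluginviewer(plugin_text)
    offered = server_advertised(parse_sasl_conf(conf_text), installed, server_min_ssf)
    if not offered:
        return "empty capability list: no mech_list entry is installed and strong enough"
    choice = select_mech(offered, installed, client_min_ssf, client_max_ssf)
    if choice is None:
        return "no worthy mechs: offered %s, none reaches RA_MIN_SSF=%d" % (offered, client_min_ssf)
    return "negotiate %s at SSF %d" % choice


if __name__ == "__main__":
    print(diagnose(SASL_CONF_BROKEN, PLUGINVIEWER_OUTPUT, 40, 40, 128))
    print(diagnose(SASL_CONF_FIXED, PLUGINVIEWER_OUTPUT, 40, 40, 128))
    print("server sent:", advertised_from_debug(RA_DEBUG_LINE))
```

With the broken config and a 40-bit floor on both ends the server has nothing left to offer; with the same floor and mech_list: DIGEST-MD5 the client settles on DIGEST-MD5 at SSF 128. Dropping the floor to 0 on the broken config would let PLAIN and LOGIN through instead, which is why the nonzero SSF settings matter for more than just the negotiation succeeding.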
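Added example, not part of the thread or of argus: a parser for the -S source syntax Carter proposes above, [argus://][user[:pass]@]host[:port], accepting the argus-udp:// transport from his third example, plus a display form that never echoes the password. The default port 561 is taken from the examples above, the bracketed IPv6 host form is an extension beyond them, and both are assumptions about how such a syntax would be filled in.

```python
import re
from collections import namedtuple

Source = namedtuple("Source", "scheme user password host port")

# Grammar of the proposed -S argument:
#   [argus://|argus-udp://][user[:pass]@]host[:port]
# The [IPv6] host form is an assumption beyond the thread's examples.
_SOURCE_RE = re.compile(r"""
    ^(?:(?P<scheme>argus|argus-udp)://)?                   # optional transport
    (?:(?P<user>[^:@/\[\]]+)(?::(?P<password>[^@/]*))?@)?  # optional user[:pass]@
    (?P<host>\[[^\]]+\]|[^:@/\[\]]+)                       # host, IPv4, or [IPv6]
    (?::(?P<port>\d+))?$                                   # optional port
""", re.VERBOSE)


def parse_source(spec, default_port=561):
    """Split one -S argument into its parts; ValueError on malformed input."""
    m = _SOURCE_RE.match(spec)
    if m is None:
        raise ValueError("bad source spec: %r" % spec)
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    host = m.group("host")
    if host.startswith("["):            # strip IPv6 brackets
        host = host[1:-1]
    return Source(m.group("scheme") or "argus", m.group("user"),
                  m.group("password"), host, port)


def is_valid_source(spec):
    """True when parse_source() accepts the spec."""
    try:
        parse_source(spec)
        return True
    except ValueError:
        return False


def redacted(src):
    """Render a Source for logs and error messages with the password masked."""
    auth = ""
    if src.user:
        auth = src.user + (":***" if src.password is not None else "") + "@"
    host = "[%s]" % src.host if ":" in src.host else src.host
    return "%s://%s%s:%d" % (src.scheme, auth, host, src.port)


if __name__ == "__main__":
    for spec in ("carter@localhost", "carter:pass@localhost:561",
                 "argus-udp://carter:pass@localhost:561", "[::1]"):
        print(spec, "->", redacted(parse_source(spec)))
```

A password passed this way is visible to every local user in ps output and ends up in shell history, which is the practical argument for keeping RA_AUTH_PASS in a .rarc with restrictive permissions or taking a prompt, the two alternatives Jesse's question lists; the redacted() form exists so that whatever logs the connection attempt does not widen that exposure further.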