SASL with argus
Jesse Bowling
jessebowling at gmail.com
Fri Jul 26 09:14:49 EDT 2013
That seems reasonable; the only thing that would be a bit different would
be the fact that SASL wants an authentication and authorization id...My
thoughts would be to either allow both in the user field with a delimiter
of '/', or assume that authentication == authorization id for SASL (and
anyone who wanted to specify them differently could either connect and be
prompted or specify the values in their .rarc)...
Otherwise, I think it would be great for them to be consistent across the
various connection mechanisms... :)
Thanks,
Jesse
On Fri, Jul 26, 2013 at 8:43 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Jesse,
> We did, but we ended up with multiple username passwords, such as a db
> client accessing a secure remote data source. So I took it out.
> All things are possible...so, how about this ?
>
> -S [argus://[[user[:pass]@]]host[:port]
>
> Maybe hard to read,.., but it would be something like...
>
> -S carter at localhost
> -S carter:pass at localhost:561
> -S argus-udp://carter:pass@localhost:561
>
> I'd do the same for "-w" to the database for consistency.
>
> Would that be cool? Is that consistent with other Unix commands ?
> Other suggestions ?
>
> Hope all is most excellent !!!!
>
> Carter
>
>
> On Jul 25, 2013, at 6:45 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
> One more followup question on this Carter:
>
> Is it possible to specify the userid/authid:password from the command line
> for SASL enabled Argus? Or may we only use the .rarc file or be prompted
> upon connection?
>
> Cheers,
>
> Jesse
>
>
> On Thu, Jul 18, 2013 at 10:42 PM, Carter Bullard <carter at qosient.com>wrote:
>
>> Hey Jesse,
>> Thanks for the SASL tutorial !!!!
>> Only other thing to say is be sure and ./configure and compile your
>> clients after installing the SASL libraries.
>>
>> The clients and argus have to be enabled in order for it to work.
>>
>> If you enabled debugging, it is possible that turning on debug
>> fixed the problem. If you take debugging out, it may come back?
>>
>> Carter
>>
>>
>> On Jul 18, 2013, at 10:22 PM, Jesse Bowling <jessebowling at gmail.com>
>> wrote:
>>
>> Well..Turns out I can't reproduce this! My best guess is something wonky
>> in one of my compilation/configure runs...Starting clean from argus-3.0.7.2
>> and argus-clients-3.0.7.9 works just fine with SASL, regardless of where I
>> place the ARGUS_DAEMON="yes"...
>>
>> Move along, nothing to see here!
>>
>> For the record, since I had a hard time finding any info on argus + SASL:
>>
>> Configuring argus to use SASL with DIGEST-MD5:
>>
>> Install SASL (on RHEL):
>>
>> yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-md5
>> Compile argus with support (./configure --with-sasl)
>> Create a SASL conf file in /etc/sasl2/argus.conf:
>>
>> #<snip>
>> pwcheck_method: auxprop
>> mech_list: DIGEST-MD5
>> auxprop_plugin: sasldb
>> #</snip>
>>
>> Create a user/password set for clients to use with saslpasswd2:
>>
>> saslpasswd2 -c -a argus raUser
>>
>> Configure ra client programs to use the new user:
>>
>> RA_USER_AUTH="raUser/raUser"
>> RA_AUTH_PASS="passwordyouset"
>>
>> Anything you'd care to expand on regarding the use of SASL with argus,
>> Carter?
>>
>> Cheers,
>>
>> Jesse
>>
>>
>>
>> On Wed, Jul 17, 2013 at 4:19 PM, Carter Bullard <carter at qosient.com>wrote:
>>
>>> Wow, that is pretty weird. And of course, I can't replicate that here.
>>> So it maybe more than just the order of the 3 specific entries in the
>>> argus.conf.
>>>
>>> You must not have debug turned on in argus, as you aren't printing
>>> any debug information. If not a bother, could you turn debug on, {touch
>>> .debug; ./configure; make}
>>> and then run argus with the two versions of the .conf file to see what
>>> is going on?
>>>
>>> That would be extremely useful !!!!
>>>
>>> Carter
>>>
>>>
>>> On Jul 17, 2013, at 9:40 AM, Jesse Bowling <jessebowling at gmail.com>
>>> wrote:
>>>
>>> Bizarre...When running argus in the foreground with -D 2, I get only
>>> these messages:
>>>
>>> # /usr/local/sbin/argus -F /etc/argus.conf -D 2
>>> argus[13738]: 17 Jul 13 09:31:59.676329 started
>>> argus[13738]: 17 Jul 13 09:31:59.698620 ArgusGetInterfaceStatus:
>>> interface eth3 is up
>>>
>>> However, the ra process is able to connect and receive records just
>>> fine!!
>>>
>>> I found that if I moved the directive ARGUS_DAEMON="yes" to below the
>>> two SASL configuration options (ARGUS_{MIN,MAX}_SSF) in my argus.conf,
>>> everything works as expected...Perhaps some work on the startup process to
>>> finish parsing before starting processing is in order? Or is there a deeper
>>> issue?
>>>
>>> Cheers,
>>>
>>> Jesse
>>>
>>>
>>> On Tue, Jul 16, 2013 at 11:59 PM, Carter Bullard <carter at qosient.com>wrote:
>>>
>>>> OK, so your not getting any mechs from argus to negotiate.
>>>> Argus should be sending ra() what algorithms are available,
>>>> so ra() can chose the algorithm it likes. But argus is sending {}.
>>>>
>>>> What is argus saying ? Run argus with -D 2, not in daemon mode,
>>>> and lets see what argus is saying when the SASL turn starts.
>>>>
>>>> Carter
>>>>
>>>> On Jul 16, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com>
>>>> wrote:
>>>>
>>>> Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40
>>>> and RA_MAX_SSF=128
>>>>
>>>> /usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10
>>>>
>>>> <snip>
>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7,
>>>> 0xc35af0) receiving capability list...
>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7,
>>>> 0xfffbc270, 8184) {}
>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7,
>>>> 0xc35af0) calling sasl_client_start()
>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0)
>>>> (null)
>>>> ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL
>>>> negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
>>>> </snip>
>>>>
>>>> /etc/sasl2/argus.conf:
>>>> pwcheck_method: auxprop
>>>> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>>>> auxprop_plugin: sasldb
>>>>
>>>> Cheers,
>>>>
>>>> Jesse
>>>>
>>>>
>>>>
>>>> On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com>wrote:
>>>>
>>>>> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
>>>>> Possible if you set those to something other than zero, and you may
>>>>> be able to negotiate a mech.
>>>>>
>>>>> Carter
>>>>>
>>>>>
>>>>>
>>>>> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com>
>>>>> wrote:
>>>>>
>>>>> As a followup, I changed my argus.conf to look like:
>>>>>
>>>>> pwcheck_method: auxprop
>>>>> mech_list: DIGEST-MD5
>>>>> auxprop_plugin: sasldb
>>>>>
>>>>> and tried the sample client/server programs like this:
>>>>>
>>>>> # sasl2-sample-server -s argus -m digest-md5
>>>>> $ sasl2-sample-client -s argus -m digest-md5 localhost
>>>>>
>>>>> ...provide the authentication/authorization id as before, then the
>>>>> password, and receive a successful authentication.
>>>>>
>>>>> However I get the same error with ra client programs when attempting
>>>>> to connect...What am I missing here?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Jesse
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <
>>>>> jessebowling at gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm a SASL noob, and having a hard time getting it configured to work
>>>>>> with argus. I've tried setting it up and am getting the following error
>>>>>> message:
>>>>>>
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3,
>>>>>> 0x3, 0x27c6d90) receiving capability list...
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3,
>>>>>> 0x99773830, 8184) {}
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3,
>>>>>> 0x3, 0x27c6d90) calling sasl_client_start()
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3,
>>>>>> 0x0, 0) (null)
>>>>>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL
>>>>>> negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>>>>
>>>>>>
>>>>>> I have the following setup bits, and may of course be missing
>>>>>> something simple here:
>>>>>>
>>>>>> /etc/argus.conf:
>>>>>>
>>>>>> ARGUS_MIN_SSF=40
>>>>>> ARGUS_MAX_SSF=128
>>>>>>
>>>>>> /etc/ra.conf
>>>>>>
>>>>>> RA_USER_AUTH="raclient/raclient"
>>>>>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>>>>>>
>>>>>> /etc/sasl2/argus.conf:
>>>>>>
>>>>>> pwcheck_method: auxprop
>>>>>> auxprop_plugin: sasldb
>>>>>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5
>>>>>>
>>>>>> # sasldblistusers2:
>>>>>> raclient at host.realm.tld: userPassword
>>>>>>
>>>>>> Pluginviewer output:
>>>>>>
>>>>>> Installed SASL (server side) mechanisms are:
>>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>>> List of server plugins follows
>>>>>> Plugin "crammd5" [loaded], API version: 4
>>>>>> SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>> features: SERVER_FIRST
>>>>>> Plugin "digestmd5" [loaded], API version: 4
>>>>>> SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass:
>>>>>> no
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>> features: PROXY_AUTHENTICATION
>>>>>> Plugin "plain" [loaded], API version: 4
>>>>>> SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>> Plugin "anonymous" [loaded], API version: 4
>>>>>> SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_PLAINTEXT
>>>>>> features: WANT_CLIENT_FIRST
>>>>>> Plugin "login" [loaded], API version: 4
>>>>>> SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features:
>>>>>> Installed auxprop mechanisms are:
>>>>>> sasldb
>>>>>> List of auxprop plugins follows
>>>>>> Plugin "sasldb" , API version: 4
>>>>>> supports store: yes
>>>>>>
>>>>>> Installed SASL (client side) mechanisms are:
>>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>>> List of client plugins follows
>>>>>> Plugin "crammd5" [loaded], API version: 4
>>>>>> SASL mechanism: CRAM-MD5, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>> features: SERVER_FIRST
>>>>>> Plugin "digestmd5" [loaded], API version: 4
>>>>>> SASL mechanism: DIGEST-MD5, best SSF: 128
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>> features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>>>>>> Plugin "plain" [loaded], API version: 4
>>>>>> SASL mechanism: PLAIN, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>> Plugin "anonymous" [loaded], API version: 4
>>>>>> SASL mechanism: ANONYMOUS, best SSF: 0
>>>>>> security flags: NO_PLAINTEXT
>>>>>> features: WANT_CLIENT_FIRST
>>>>>> Plugin "login" [loaded], API version: 4
>>>>>> SASL mechanism: LOGIN, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features: SERVER_FIRST
>>>>>> Plugin "EXTERNAL" [loaded], API version: 4
>>>>>> SASL mechanism: EXTERNAL, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>>>>> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>>
>>>>>> Anyone set this up successfully for digest-md5?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Jesse
>>>>>>
>>>>>> --
>>>>>> Jesse Bowling
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jesse Bowling
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Jesse Bowling
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Jesse Bowling
>>>
>>>
>>>
>>
>>
>> --
>> Jesse Bowling
>>
>>
>>
>
>
> --
> Jesse Bowling
>
>
--
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130726/271d6f41/attachment.html>
More information about the argus
mailing list