SASL with argus
Carter Bullard
carter at qosient.com
Fri Jul 26 11:43:28 EDT 2013
Hey Jesse,
Yes, that is how it was, and is now implemented. I should have been more precise.
This is the format that we currently support (with the changes I've just added):
-S [argus://[[user[/auth][:pass]@]]host[:port]
So this would work:
-S carter/root:pass at localhost
and If you just provide one id, without the '/', the the id is used for both.
Carter
On Jul 26, 2013, at 9:14 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
> That seems reasonable; the only thing that would be a bit different would be the fact that SASL wants an authentication and authorization id...My thoughts would be to either allow both in the user field with a delimiter of '/', or assume that authentication == authorization id for SASL (and anyone who wanted to specify them differently could either connect and be prompted or specify the values in their .rarc)...
>
> Otherwise, I think it would be great for them to be consistent across the various connection mechanisms... :)
>
> Thanks,
>
> Jesse
>
>
> On Fri, Jul 26, 2013 at 8:43 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Jesse,
> We did, but we ended up with multiple username passwords, such as a db client accessing a secure remote data source. So I took it out.
> All things are possible...so, how about this ?
>
> -S [argus://[[user[:pass]@]]host[:port]
>
> Maybe hard to read,.., but it would be something like...
>
> -S carter at localhost
> -S carter:pass at localhost:561
> -S argus-udp://carter:pass@localhost:561
>
> I'd do the same for "-w" to the database for consistency.
>
> Would that be cool? Is that consistent with other Unix commands ?
> Other suggestions ?
>
> Hope all is most excellent !!!!
>
> Carter
>
>
> On Jul 25, 2013, at 6:45 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
>> One more followup question on this Carter:
>>
>> Is it possible to specify the userid/authid:password from the command line for SASL enabled Argus? Or may we only use the .rarc file or be prompted upon connection?
>>
>> Cheers,
>>
>> Jesse
>>
>>
>> On Thu, Jul 18, 2013 at 10:42 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Jesse,
>> Thanks for the SASL tutorial !!!!
>> Only other thing to say is be sure and ./configure and compile your
>> clients after installing the SASL libraries.
>>
>> The clients and argus have to be enabled in order for it to work.
>>
>> If you enabled debugging, it is possible that turning on debug
>> fixed the problem. If you take debugging out, it may come back?
>>
>> Carter
>>
>>
>> On Jul 18, 2013, at 10:22 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>
>>> Well..Turns out I can't reproduce this! My best guess is something wonky in one of my compilation/configure runs...Starting clean from argus-3.0.7.2 and argus-clients-3.0.7.9 works just fine with SASL, regardless of where I place the ARGUS_DAEMON="yes"...
>>>
>>> Move along, nothing to see here!
>>>
>>> For the record, since I had a hard time finding any info on argus + SASL:
>>>
>>> Configuring argus to use SASL with DIGEST-MD5:
>>>
>>> Install SASL (on RHEL):
>>> yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-md5
>>>
>>> Compile argus with support (./configure --with-sasl)
>>> Create a SASL conf file in /etc/sasl2/argus.conf:
>>>
>>> #<snip>
>>> pwcheck_method: auxprop
>>> mech_list: DIGEST-MD5
>>> auxprop_plugin: sasldb
>>> #</snip>
>>>
>>> Create a user/password set for clients to use with saslpasswd2:
>>>
>>> saslpasswd2 -c -a argus raUser
>>>
>>> Configure ra client programs to use the new user:
>>>
>>> RA_USER_AUTH="raUser/raUser"
>>> RA_AUTH_PASS="passwordyouset"
>>>
>>> Anything you'd care to expand on regarding the use of SASL with argus, Carter?
>>>
>>> Cheers,
>>>
>>> Jesse
>>>
>>>
>>>
>>> On Wed, Jul 17, 2013 at 4:19 PM, Carter Bullard <carter at qosient.com> wrote:
>>> Wow, that is pretty weird. And of course, I can't replicate that here.
>>> So it maybe more than just the order of the 3 specific entries in the argus.conf.
>>>
>>> You must not have debug turned on in argus, as you aren't printing
>>> any debug information. If not a bother, could you turn debug on, {touch .debug; ./configure; make}
>>> and then run argus with the two versions of the .conf file to see what is going on?
>>>
>>> That would be extremely useful !!!!
>>>
>>> Carter
>>>
>>>
>>> On Jul 17, 2013, at 9:40 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>
>>>> Bizarre...When running argus in the foreground with -D 2, I get only these messages:
>>>>
>>>> # /usr/local/sbin/argus -F /etc/argus.conf -D 2
>>>> argus[13738]: 17 Jul 13 09:31:59.676329 started
>>>> argus[13738]: 17 Jul 13 09:31:59.698620 ArgusGetInterfaceStatus: interface eth3 is up
>>>>
>>>> However, the ra process is able to connect and receive records just fine!!
>>>>
>>>> I found that if I moved the directive ARGUS_DAEMON="yes" to below the two SASL configuration options (ARGUS_{MIN,MAX}_SSF) in my argus.conf, everything works as expected...Perhaps some work on the startup process to finish parsing before starting processing is in order? Or is there a deeper issue?
>>>>
>>>> Cheers,
>>>>
>>>> Jesse
>>>>
>>>>
>>>> On Tue, Jul 16, 2013 at 11:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> OK, so your not getting any mechs from argus to negotiate.
>>>> Argus should be sending ra() what algorithms are available,
>>>> so ra() can chose the algorithm it likes. But argus is sending {}.
>>>>
>>>> What is argus saying ? Run argus with -D 2, not in daemon mode,
>>>> and lets see what argus is saying when the SASL turn starts.
>>>>
>>>> Carter
>>>>
>>>> On Jul 16, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>>
>>>>> Tried this to ensure I was hitting /etc/ra.conf, and set RA_MIN_SSF=40 and RA_MAX_SSF=128
>>>>>
>>>>> /usr/local/bin/ra -S localhost -F /etc/ra.conf -D 10
>>>>>
>>>>> <snip>
>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984553 RaSaslNegotiate(0x7, 0x7, 0xc35af0) receiving capability list...
>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984583 RaGetSaslString(0x7, 0xfffbc270, 8184) {}
>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984596 RaSaslNegotiate(0x7, 0x7, 0xc35af0) calling sasl_client_start()
>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984864 RaSendSaslString(7, 0x0, 0) (null)
>>>>> ra[8822]: 22:07:30.984888 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>>> ra[8822.006799f7ff7f0000]: 22:07:30.984966 ArgusShutDown (-1)
>>>>> </snip>
>>>>>
>>>>> /etc/sasl2/argus.conf:
>>>>> pwcheck_method: auxprop
>>>>> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
>>>>> auxprop_plugin: sasldb
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Jesse
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jul 16, 2013 at 5:31 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>> What are the values for RA_MIN_SSF and RA_MAX_SSF in your .rarc file?
>>>>> Possible if you set those to something other than zero, and you may
>>>>> be able to negotiate a mech.
>>>>>
>>>>> Carter
>>>>>
>>>>>
>>>>>
>>>>> On Jul 16, 2013, at 1:06 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>>>
>>>>>> As a followup, I changed my argus.conf to look like:
>>>>>>
>>>>>> pwcheck_method: auxprop
>>>>>> mech_list: DIGEST-MD5
>>>>>> auxprop_plugin: sasldb
>>>>>>
>>>>>> and tried the sample client/server programs like this:
>>>>>>
>>>>>> # sasl2-sample-server -s argus -m digest-md5
>>>>>> $ sasl2-sample-client -s argus -m digest-md5 localhost
>>>>>>
>>>>>> ...provide the authentication/authorization id as before, then the password, and receive a successful authentication.
>>>>>>
>>>>>> However I get the same error with ra client programs when attempting to connect...What am I missing here?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Jesse
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 16, 2013 at 10:42 AM, Jesse Bowling <jessebowling at gmail.com> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I'm a SASL noob, and having a hard time getting it configured to work with argus. I've tried setting it up and am getting the following error message:
>>>>>>
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072229 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) receiving capability list...
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072251 RaGetSaslString(0x3, 0x99773830, 8184) {}
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072259 RaSaslNegotiate(0x3, 0x3, 0x27c6d90) calling sasl_client_start()
>>>>>> rasplit[15301.00c7bc34f77f0000]: 10:27:31.072646 RaSendSaslString(3, 0x0, 0) (null)
>>>>>> rasplit[15301]: 10:27:31.072663 RaSaslNegotiate: error starting SASL negotiation SASL(-4): no mechanism available: No worthy mechs found
>>>>>>
>>>>>>
>>>>>> I have the following setup bits, and may of course be missing something simple here:
>>>>>>
>>>>>> /etc/argus.conf:
>>>>>>
>>>>>> ARGUS_MIN_SSF=40
>>>>>> ARGUS_MAX_SSF=128
>>>>>>
>>>>>> /etc/ra.conf
>>>>>>
>>>>>> RA_USER_AUTH="raclient/raclient"
>>>>>> RA_AUTH_PASS="Passwd I set with saslpasswd2 -c -a argus raclient"
>>>>>>
>>>>>> /etc/sasl2/argus.conf:
>>>>>>
>>>>>> pwcheck_method: auxprop
>>>>>> auxprop_plugin: sasldb
>>>>>> mech_list: DIGESTMD5 PLAIN LOGIN CRAMMD5
>>>>>>
>>>>>> # sasldblistusers2:
>>>>>> raclient at host.realm.tld: userPassword
>>>>>>
>>>>>> Pluginviewer output:
>>>>>>
>>>>>> Installed SASL (server side) mechanisms are:
>>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>>> List of server plugins follows
>>>>>> Plugin "crammd5" [loaded], API version: 4
>>>>>> SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>> features: SERVER_FIRST
>>>>>> Plugin "digestmd5" [loaded], API version: 4
>>>>>> SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>> features: PROXY_AUTHENTICATION
>>>>>> Plugin "plain" [loaded], API version: 4
>>>>>> SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>> Plugin "anonymous" [loaded], API version: 4
>>>>>> SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_PLAINTEXT
>>>>>> features: WANT_CLIENT_FIRST
>>>>>> Plugin "login" [loaded], API version: 4
>>>>>> SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features:
>>>>>> Installed auxprop mechanisms are:
>>>>>> sasldb
>>>>>> List of auxprop plugins follows
>>>>>> Plugin "sasldb" , API version: 4
>>>>>> supports store: yes
>>>>>>
>>>>>> Installed SASL (client side) mechanisms are:
>>>>>> CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN EXTERNAL
>>>>>> List of client plugins follows
>>>>>> Plugin "crammd5" [loaded], API version: 4
>>>>>> SASL mechanism: CRAM-MD5, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT
>>>>>> features: SERVER_FIRST
>>>>>> Plugin "digestmd5" [loaded], API version: 4
>>>>>> SASL mechanism: DIGEST-MD5, best SSF: 128
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>>>>>> features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
>>>>>> Plugin "plain" [loaded], API version: 4
>>>>>> SASL mechanism: PLAIN, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>> Plugin "anonymous" [loaded], API version: 4
>>>>>> SASL mechanism: ANONYMOUS, best SSF: 0
>>>>>> security flags: NO_PLAINTEXT
>>>>>> features: WANT_CLIENT_FIRST
>>>>>> Plugin "login" [loaded], API version: 4
>>>>>> SASL mechanism: LOGIN, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS
>>>>>> features: SERVER_FIRST
>>>>>> Plugin "EXTERNAL" [loaded], API version: 4
>>>>>> SASL mechanism: EXTERNAL, best SSF: 0
>>>>>> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>>>>>> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>>>>>>
>>>>>> Anyone set this up successfully for digest-md5?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Jesse
>>>>>>
>>>>>> --
>>>>>> Jesse Bowling
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jesse Bowling
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jesse Bowling
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Jesse Bowling
>>>>
>>>
>>>
>>>
>>>
>>> --
>>> Jesse Bowling
>>>
>>
>>
>>
>>
>> --
>> Jesse Bowling
>>
>
>
>
> --
> Jesse Bowling
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130726/64696846/attachment.bin>
More information about the argus
mailing list