Q: using SASL_SSF_EXTERNAL - seeing unexpected behavior
Ken Giusti
kgiusti at gmail.com
Fri Sep 18 11:07:22 EDT 2009
Hi all,
I'm trying to use SASL_SSF_EXTERNAL to account for the security mechanism
provided by our transport layer (SSL). I'm trying the following test:
1) set the SASL_SFF_EXTERNAL to 90 on both server and client. (yeah, 90 is
arbitrary, but I wanted it to be > 56 for the test).
2) set the min-ssf to 10 on the client and the server
3) specify the GSSAPI mechanism and attempt to authenticate....
I don't understand the resulting behaviour. I'm a noob, so I was hoping
someone could clarify this for me...
On the server side, I see the authentication take place:
2009-09-18 10:59:29 info SETTING SSF EXTERNAL = 90
2009-09-18 10:59:29 info SASL: Mechanism list: ANONYMOUS PLAIN DIGEST-MD5
LOGIN GSSAPI CRAM-MD5
2009-09-18 10:59:29 info SASL: Starting authentication with mechanism:
GSSAPI
2009-09-18 10:59:29 info SASL: Authentication succeeded for:
testuser at EXAMPLE.COM
However, an SSF of 56 gets negotiated (I'm assuming this is supplied by
GSSAPI):
2009-09-18 10:59:29 info getprop SSF: 56
2009-09-18 10:59:29 info Installing security layer, SSF: 56
Since the external ssf is already stronger than the GSSAPI security layer, I
was expecting that the external ssf would take precedence, and keep GSSAPI
encryption from happening. Instead, it seems like the external ssf factor
is ignored, and I end up double encrypting (once at TLS, once at sasl).
Sorry if this is an obvious question - I'm new to this and can't find an
answer elsewhere...
BTW, I'm using rev 2.1.22 of cyrus sasl (from fedora core 11).
thanks!
--
Ken Giusti (kgiusti at gmail.com)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20090918/f5cd63b2/attachment.html
More information about the Cyrus-sasl
mailing list