Q: using SASL_SSF_EXTERNAL - seeing unexpected behavior

Ken Giusti kgiusti at gmail.com
Fri Sep 18 11:07:22 EDT 2009


Hi all,

I'm trying to use SASL_SSF_EXTERNAL to account for the security mechanism
provided by our transport layer (SSL).   I'm trying the following test:

1) set the SASL_SFF_EXTERNAL to 90 on both server and client. (yeah, 90 is
arbitrary, but I wanted it to be > 56 for the test).
2) set the min-ssf to 10 on the client and the server
3) specify the GSSAPI mechanism and attempt to authenticate....

I don't understand the resulting behaviour.  I'm a noob, so I was hoping
someone could clarify this for me...

On the server side, I see the authentication take place:

2009-09-18 10:59:29 info SETTING SSF EXTERNAL = 90
2009-09-18 10:59:29 info SASL: Mechanism list: ANONYMOUS PLAIN DIGEST-MD5
LOGIN GSSAPI CRAM-MD5
2009-09-18 10:59:29 info SASL: Starting authentication with mechanism:
GSSAPI
2009-09-18 10:59:29 info SASL: Authentication succeeded for:
testuser at EXAMPLE.COM

However, an SSF of 56 gets negotiated (I'm assuming this is supplied by
GSSAPI):

2009-09-18 10:59:29 info getprop SSF: 56
2009-09-18 10:59:29 info Installing security layer,  SSF: 56

Since the external ssf is already stronger than the GSSAPI security layer, I
was expecting that the external ssf would take precedence, and keep GSSAPI
encryption from happening.  Instead, it seems like the external ssf factor
is ignored, and I end up double encrypting (once at TLS, once at sasl).

Sorry if this is an obvious question - I'm new to this and can't find an
answer elsewhere...

BTW, I'm using rev 2.1.22 of cyrus sasl (from fedora core 11).


thanks!

-- 
Ken Giusti  (kgiusti at gmail.com)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20090918/f5cd63b2/attachment.html 


More information about the Cyrus-sasl mailing list