[PATCH][saslauthd] cyrus-sasl-2.1.10/saslauthd credential caching
Paul M Fleming
pfleming at siumed.edu
Wed Jan 15 11:41:23 EST 2003
I have a comment. From the readme:
1) The entry was not found, but was created for future lookups.
2) The entry was found, but the password in the cache didn't match the
supplied password. In this case, the password in the cache is
updated with
the supplied password for future lookups.
Being paranoid, another call after a successful login is a safer way of
implementing this. As it sits, it is possible to hammer saslauthd w/
requests and I could get successfully authenticated w/ a bogus password
if I can get a request in between the time the cache entry is added and
the actual authentication occurs and the cached entry is purged. This is
VERY easy to do with auth backends w/ long time outs or worse yet a
denial of service against the auth backend could give me windows of
access..
check cache (don't add)
if cache_ok
return sucess
else
check auth backend
if backend successs
add to cache
return success
Just my two cents.. Nice work Jeremy.. you saved me a few days worth ;-)
Jeremy Rumpf wrote:
>
> All,
>
> I've been working on combining some of the ideas for a credential caching
> layer into saslauthd. This is the first release for review/comments/testing.
>
> Changes:
>
> Three files have been added to the saslauthd package:
>
> cache.c
> cache.h
> README.cache
> saslcache.c
>
> Four files have been modified
>
> Makefile.am
> Makefile.in
> saslauthd-doors.c
> saslauthd-unix.c
>
> The saslauthd executable now accepts three new command line switches.
>
> -c Enables the credential cache
> -s Sets the size of the credential cache in kilobytes
> -t Sets the timeout of items in the credential cache in seconds
>
> A show_usage() function has been added that dumps all possible options out
> when an invalid command line switch is found:
>
> ./saslauthd: invalid option -- -
> usage: saslauthd [options]
>
> option information:
> -a <authmech> Selects the authentication mechanism to use.
> -c Enable credential caching.
> -d Enables debugging, run in the foreground.
> -O <option> Optional argument to pass to the authentication
> mechanism.
> -m <path> Alternate path for the mux socket, must be absolute.
> -n <threads> Number of worker threads to create
> -s <kilobytes> Size of the credential cache (in kilobytes)
> -t <seconds> Timeout for items in the credential cache (in seconds)
> -T Honor time-of-day login restrictions.
> -v Display version information and available
> authentication mechanisms and exit.
>
> The caching layer caches the username, realm, service, and an md5 hash of the
> passwords for all authentication mechanisms (LDAP, rimap, PAM, etc). It's
> been tested it on RedHat 7.2 Alpha and RedHat 7.3 Intel. I've also only been
> able to compile the modifications using the unix IPC option
> (saslauthd-unix.c). The same modifications have been made to the doors IPC
> option (saslauthd-doors.c), but have not been compiled or tested. More
> detailed information about the cache is in the README.cache file.
>
> In addition to testsaslauthd, a second utility is included, saslcache. The
> saslcache utility can be used to attach to the shared memory segment and
> perform various tasks. The saslcache utility can be built by:
>
> cd saslauthd
> make saslcache
>
> Usage examples:
>
> ./saslcache -s dumps out some information about the cache
>
> ----------------------------------------
> Saslauthd Cache Detail:
>
> timeout (seconds) : 28800
> total slots allocated : 3643
> slots in use : 3
> total buckets : 21858
> buckets per slot : 6
> buckets in use : 3
> hash table size (bytes) : 2098536
> bucket size (bytes) : 96
> minimum slot allocation : 0
> maximum slot allocation : 1
> slots at maximum allocation : 3
> slots at minimum allocation : 3640
> overall hash table load : 0.00
>
> hits* : 19
> misses* : 3
> total lookup attempts* : 22
> hit ratio* : 86.36
> ----------------------------------------
> * May not be completely accurate
> ----------------------------------------
>
> ./saslcache -d dumps the contents of the cache in a csv format
>
> "user","realm","service","created","created_localtime"
> "m3","","imap","1042513583","Mon Jan 13 22:06:23 2003"
> "m2","","imap","1042513256","Mon Jan 13 22:00:56 2003"
> "m1","","imap","1042513355","Mon Jan 13 22:02:35 2003"
>
> ./saslcache -f purges/deletes all entries in the cache
>
> 21858 entries purged
>
> Todo:
>
> Test the doors IPC stuff.
> Test on alternate OSs (only linux so far)
> Have someone help with the autoconf stuff. I'm not very familiar with autoconf
> and modeled the modifications after those for testsaslauthd. I'm not sure if
> they're entirely correct.
>
> For testing one should probably run saslauthd with the -d switch. The cache
> will log information to syslog (LOG_INFO|LOG_AUTH). Optionally, one could use
> the saslcache utility.
>
> Log Example:
>
> saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: not found, entry
> created
> saslauthd[27772]: OK: user=m2 service=imap realm=
> saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: found with valid
> passwd
> saslauthd[27772]: OK: user=m2 service=imap realm=
> saslauthd[20673]: cache_lookup: user=m2 realm= service=imap: found with
> invalid passwd, passwd synced
> saslauthd[20673]: cache_purge : prior lookup purged
> saslauthd[20673]: AUTHFAIL: user=m2 service=imap realm=
>
> Anyhow, if anyone wants to give it a whirl. Here's a first patch attempt
> against cyrus-sasl-2.1.10:
>
> ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/cyrus-sasl/cyrus-sasl-2.1.10-cache-1.patch
>
> Or, a fully patched tar of cyrus-sasl-2.1.10 at:
>
> ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/cyrus-sasl/cyrus-sasl-2.1.10-cache-1.tar.gz
>
> Feedback welcome...
>
> Cheers,
> Jeremy
More information about the Info-cyrus
mailing list