Kerberos/LDAP/SASL central authentication server howto

Ken Murchison ken@oceana.com
Tue Aug 10 08:50:24 EDT 2004


Nikola Milutinovic wrote:

> This is a cross-post to Cyrus INFO list. The question raised here is 
> whether GSS-API and *-MD5 SASL mechanisms secure the entire 
> communication, not just the authentication phase, thus making SSL/TLS 
> unnecessary.

Both GSSAPI (Kerberos 5) and DIGEST-MD5 have the ability to negotiate 
integrity and/or privacy (encryption) layers which are in effect for the 
entire connection.


> 
> Tarjei Huse wrote:
> 
>>>> ?? I didn't know , sorry. Please tell me more on how I can use 
>>>> GSSAPI instead of
>>>> tls to secure not only authentication but everything that happens 
>>>> over the
>>>> wire.
>>>
>>>
>>> It really depends on the client tool. Not only does GSSAPI provide 
>>> this, DIGEST-MD5
>>> also.
> 
> 
> Never heard of this. I was always under the impression that both GSS-API 
> and *-MD5 methods secured only the authentication, not the entire 
> channel data transfer.
> 
>>> Examples of such tools that I'm 100% aware of are ldapsearch and mutt 
>>> when doing SASL
>>> authentication.
>>>
>>> With ldapsearch, for example:
>>> $ ldapsearch -h ldap.server | head -5
>>> SASL/GSSAPI authentication started
>>> SASL username: andreas@DISTRO.CONECTIVA
>>> SASL SSF: 56  <---------- encrypted channel (only 56 bits though)
> 
> 
> No. It simply means that authentication type is of SSF (Security 
> Strength Factor) 56. I'm not sure if the SSF has anything to do with 
> number of bits used as (some) private key length. Anyway, this is saying 
> nothing about the rest of the communication, just the authentication part.
> 
>>> SASL installing layers
>>> (...)
>>>
>>> With digest-md5:
>>> $ ldapsearch -h ldap.server -Y digest-md5 | head -5
>>> SASL/DIGEST-MD5 authentication started
>>> Please enter your password:
>>> SASL username: andreas
>>> SASL SSF: 128  <---------------------
> 
> 
> Again, just the auth phase is covered here.
> 
> I'm crossposting to the SASL mailing list in hopes someone can shed some 
> light on the matter.
> 
> Nix.
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> 


-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
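The point of Ken's reply is that the "SASL SSF: N" line ldapsearch prints is not a property of the authentication step alone; it is the strength of the integrity/privacy layer that Cyrus SASL has negotiated for the rest of the connection (with "SASL installing layers" confirming that the layer was actually put in place). An SSF of 0 means the mechanism authenticated the user but left the session in cleartext. The script below is an added example, not code from the thread or from the Cyrus or OpenLDAP projects: it parses constructed transcripts modelled on the two ldapsearch runs quoted above and checks the negotiated SSF against a minimum, which is what a practitioner would do before deciding that TLS can be dropped. The host name ldap.server and the user andreas are taken from the thread; the sample output is constructed and nothing here contacts a server.

```shell
#!/bin/sh
# Added example (not from the original message): read the SASL SSF that
# OpenLDAP's ldapsearch reports on stderr and verify a security layer of
# acceptable strength was negotiated for the whole session.

# Print the SSF from a captured ldapsearch transcript, or 0 if no
# "SASL SSF:" line is present.  0 means authentication only: everything
# after the bind travels in cleartext unless TLS is also in use.
sasl_ssf() {
    ssf=$(printf '%s\n' "$1" \
        | sed -n 's/^SASL SSF: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${ssf:-0}"
}

# True (exit 0) if the transcript says the layer was actually installed.
# Older OpenLDAP prints "SASL installing layers", newer prints
# "SASL data security layer installed."; accept either.
layer_installed() {
    printf '%s\n' "$1" \
        | grep -q -e '^SASL installing layers' \
                  -e '^SASL data security layer installed'
}

# True (exit 0) if the reported SSF is at least the given minimum.
ssf_meets_min() {
    [ "$(sasl_ssf "$1")" -ge "$2" ]
}

# Constructed transcripts, modelled on the thread's two examples.
# GSSAPI with a single-DES Kerberos session key reports SSF 56;
# DIGEST-MD5 with its RC4-128 privacy layer reports SSF 128.
GSSAPI_OUT='SASL/GSSAPI authentication started
SASL username: andreas@DISTRO.CONECTIVA
SASL SSF: 56
SASL installing layers'

DIGEST_OUT='SASL/DIGEST-MD5 authentication started
SASL username: andreas
SASL SSF: 128
SASL installing layers'

# A bind that negotiated no layer at all (e.g. DIGEST-MD5 with qop=auth).
NOLAYER_OUT='SASL/DIGEST-MD5 authentication started
SASL username: andreas
SASL SSF: 0'

# Against a real server, capture stderr instead of using the constants:
#   out=$(ldapsearch -H ldap://ldap.server -Y GSSAPI -O minssf=56 \
#           -b '' -s base 2>&1 >/dev/null)
# -O minssf=N tells the client library to refuse the bind unless the
# mechanism can provide at least N bits, so the parse below is a second
# check on what was actually negotiated, not the only enforcement.

report() {
    name=$1; out=$2; min=$3
    if ssf_meets_min "$out" "$min" && layer_installed "$out"; then
        printf '%-8s SSF %s: layer installed, meets minimum %s\n' \
            "$name" "$(sasl_ssf "$out")" "$min"
    else
        printf '%-8s SSF %s: NOT acceptable (minimum %s)\n' \
            "$name" "$(sasl_ssf "$out")" "$min"
    fi
}

report GSSAPI  "$GSSAPI_OUT"  56
report DIGEST  "$DIGEST_OUT"  128
report NOLAYER "$NOLAYER_OUT" 56
```

The same requirement can be pinned on the server side, which is the better place for it: OpenLDAP's slapd accepts a `security ssf=128 sasl=128` directive that refuses operations over any session whose negotiated strength falls below the stated value, and a client whose SASL library cannot supply that SSF simply gets an error rather than a silently unprotected session.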