Kerberos/LDAP/SASL central authentication server howto
Nikola Milutinovic
Nikola.Milutinovic at ev.co.yu
Tue Aug 10 04:54:27 EDT 2004
This is a cross-post to Cyrus INFO list. The question raised here is
whether GSS-API and *-MD5 SASL mechanisms secure the entire
communication, not just the authentication phase, thus making SSL/TLS
unnecessary.
Tarjei Huse wrote:
>>>?? I didn't know , sorry. Please tell me more on how I can use GSSAPI instead of
>>>tls to secure not only authentication but everything that happens over the
>>>wire.
>>
>>It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5
>>also.
Never heard of this. I was always under the impression that both GSS-API
and *-MD5 methods secured only the authentication, not the entire
channel data transfer.
>>Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL
>>authentication.
>>
>>With ldapsearch, for example:
>>$ ldapsearch -h ldap.server | head -5
>>SASL/GSSAPI authentication started
>>SASL username: andreas at DISTRO.CONECTIVA
>>SASL SSF: 56 <---------- encrypted channel (only 56 bits though)
No. It simply means that authentication type is of SSF (Security
Strength Factor) 56. I'm not sure if the SSF has anything to do with
number of bits used as (some) private key length. Anyway, this is saying
nothing about the rest of the communication, just the authentication part.
>>SASL installing layers
>>(...)
>>
>>With digest-md5:
>>$ ldapsearch -h ldap.server -Y digest-md5 | head -5
>>SASL/DIGEST-MD5 authentication started
>>Please enter your password:
>>SASL username: andreas
>>SASL SSF: 128 <---------------------
Again, just the auth phase is covered here.
I'm crossposting to the SASL mailing list in hopes someone can shed some
light on the matter.
Nix.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list