Commit 6131885 (1 parent: 8a8e5fc)
Showing 38 changed files with 136 additions and 292 deletions.
@@ -6,10 +6,10 @@ This article assumes that you have read and followed the SASL chapter of the `Op | |
To verify that you have the Cyrus :ref:`GSSAPI <gssapi>` mechanism properly installed, use the pluginviewer command. For instance:: | ||
|
||
server:~# pluginviewer | grep -i gssapi | ||
CRAM-MD5 PLAIN GSSAPI OTP DIGEST-MD5 ANONYMOUS LOGIN EXTERNAL | ||
CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL | ||
Plugin "gssapiv2" [loaded], API version: 4 | ||
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no | ||
CRAM-MD5 PLAIN GSSAPI OTP DIGEST-MD5 ANONYMOUS LOGIN EXTERNAL | ||
CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL | ||
Plugin "gssapiv2" [loaded], API version: 4 | ||
SASL mechanism: GSSAPI, best SSF: 56 | ||
|
||
|
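Review bot: the second change in this hunk, dropping ", supports setpass: no" from the "SASL mechanism: GSSAPI, best SSF: 56" line, is unrelated to removing DIGEST-MD5 from the pluginviewer sample and is not explained anywhere in the diff; if the sample is meant to mirror what pluginviewer actually prints for the gssapiv2 plugin, keep the field, otherwise split this into its own change with a reason. The remaining edit is fine: the mechanism list still contains GSSAPI, so the "pluginviewer | grep -i gssapi" example stays coherent after DIGEST-MD5 is removed.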
@@ -19,7 +19,6 @@ On your client system, search the Root DSE of the server to view advertised mech | |
|
||
client:~# ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms | ||
dn: | ||
supportedSASLMechanisms: DIGEST-MD5 | ||
supportedSASLMechanisms: GSSAPI | ||
supportedSASLMechanisms: OTP | ||
supportedSASLMechanisms: CRAM-MD5 | ||
|
@@ -35,7 +34,7 @@ For more control over how the SASL library operates within the OpenLDAP? server, | |
For instance, if you create /usr/lib/sasl2/slapd.conf (assuming that is the correct location on your system) with the following contents:: | ||
|
||
keytab: /etc/krb5.keytab-ldap | ||
mech_list: CRAM-MD5 DIGEST-MD5 GSSAPI | ||
mech_list: CRAM-MD5 GSSAPI | ||
|
||
then the server will search within /etc/krb5.keytab-ldap when initializing the GSSAPI plugin. The server will only offer the mechanisms listed in mech_list. If mech_list is not specified, the server will offer all the mechanisms available, and that it can initialize. | ||
|
||
|
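Review bot: the unchanged sentence right after the config block, "the server will offer all the mechanisms available, and that it can initialize", reads awkwardly and should be tightened to "all available mechanisms that it can initialize" while this block is being touched. The edit itself is consistent: with "mech_list: CRAM-MD5 GSSAPI" the example still matches the statement that the server only offers the mechanisms listed in mech_list.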
@@ -46,7 +45,6 @@ Once you have verified that the server is advertising GSSAPI support, then try:: | |
SASL username: host/[email protected] | ||
SASL SSF: 56 SASL data security layer installed. | ||
dn: | ||
supportedSASLMechanisms: DIGEST-MD5 | ||
supportedSASLMechanisms: GSSAPI | ||
supportedSASLMechanisms: OTP | ||
supportedSASLMechanisms: CRAM-MD5 | ||
|
@@ -1,20 +1,13 @@ | ||
Why does CyrusSasl store plaintext passwords in its databases? | ||
-------------------------------------------------------------- | ||
|
||
To operate with the CRAM-MD5, DIGEST-MD5 and SCRAM mechanisms, Cyrus SASL | ||
To operate with the CRAM-MD5 and SCRAM mechanisms, Cyrus SASL | ||
stores plaintext versions of the passwords in its secret database (an | ||
AuxpropPlugin). | ||
|
||
This is typically regarded as insecure practice, however the alternative | ||
is not much better. For CRAM-MD5, DIGEST-MD5 and SCRAM to function, they must | ||
is not much better. For CRAM-MD5 and SCRAM to function, they must | ||
have a plaintext equivalent locally in order to confirm the hash that | ||
actually goes across a wire. This, if these equivalents were | ||
compromised, it is trivially easy for an attacker to have access to any | ||
account on the system. | ||
|
||
Note that for DIGEST-MD5 this isn't strictly true: the hash that DIGEST | ||
can use limits the attack to only the realm for which the password | ||
applies, but this is a questionable security gain for the increased | ||
management hassles (you can't share them between mechanisms) that the | ||
plaintext equivalents cause. | ||
|
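Review bot: "This, if these equivalents were compromised, it is trivially easy for an attacker to have access to any account on the system" has a typo ("This" should be "Thus") in a paragraph this hunk already edits, so fix it here rather than leaving it for a later pass; the preceding line "This is typically regarded as insecure practice, however the alternative is not much better" is also a comma splice and wants "; however," or a full stop. Deleting the "Note that for DIGEST-MD5 this isn't strictly true" paragraph is the right call once DIGEST-MD5 is dropped from the two sentences above, since nothing else in the FAQ refers to it.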