[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Kerberos/LDAP/SASL central authentication server howto
This is a cross-post to Cyrus INFO list. The question raised here is
whether GSS-API and *-MD5 SASL mechanisms secure the entire
communication, not just the authentication phase, thus making SSL/TLS
Tarjei Huse wrote:
>>>?? I didn't know , sorry. Please tell me more on how I can use GSSAPI instead of
>>>tls to secure not only authentication but everything that happens over the
>>It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5
Never heard of this. I was always under the impression that both GSS-API
and *-MD5 methods secured only the authentication, not the entire
channel data transfer.
>>Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL
>>With ldapsearch, for example:
>>$ ldapsearch -h ldap.server | head -5
>>SASL/GSSAPI authentication started
>>SASL username: andreas@DISTRO.CONECTIVA
>>SASL SSF: 56 <---------- encrypted channel (only 56 bits though)
No. It simply means that authentication type is of SSF (Security
Strength Factor) 56. I'm not sure if the SSF has anything to do with
number of bits used as (some) private key length. Anyway, this is saying
nothing about the rest of the communication, just the authentication part.
>>SASL installing layers
>>$ ldapsearch -h ldap.server -Y digest-md5 | head -5
>>SASL/DIGEST-MD5 authentication started
>>Please enter your password:
>>SASL username: andreas
>>SASL SSF: 128 <---------------------
Again, just the auth phase is covered here.
I'm crossposting to the SASL mailing list in hopes someone can shed some
light on the matter.