[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos/LDAP/SASL central authentication server howto



This is a cross-post to Cyrus INFO list. The question raised here is 
whether GSS-API and *-MD5 SASL mechanisms secure the entire 
communication, not just the authentication phase, thus making SSL/TLS 
unnecessary.

Tarjei Huse wrote:

>>>?? I didn't know , sorry. Please tell me more on how I can use GSSAPI instead of
>>>tls to secure not only authentication but everything that happens over the
>>>wire.
>>
>>It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5
>>also.

Never heard of this. I was always under the impression that both GSS-API 
and *-MD5 methods secured only the authentication, not the entire 
channel data transfer.

>>Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL
>>authentication.
>>
>>With ldapsearch, for example:
>>$ ldapsearch -h ldap.server | head -5
>>SASL/GSSAPI authentication started
>>SASL username: andreas@DISTRO.CONECTIVA
>>SASL SSF: 56  <---------- encrypted channel (only 56 bits though)

No. It simply means that authentication type is of SSF (Security 
Strength Factor) 56. I'm not sure if the SSF has anything to do with 
number of bits used as (some) private key length. Anyway, this is saying 
nothing about the rest of the communication, just the authentication part.

>>SASL installing layers
>>(...)
>>
>>With digest-md5:
>>$ ldapsearch -h ldap.server -Y digest-md5 | head -5
>>SASL/DIGEST-MD5 authentication started
>>Please enter your password:
>>SASL username: andreas
>>SASL SSF: 128  <---------------------

Again, just the auth phase is covered here.

I'm crossposting to the SASL mailing list in hopes someone can shed some 
light on the matter.

Nix.