Cyrus SASL for System Administrators

This document covers configuring SASL for system administrators, specifically those administrators who are installing a server that uses the Cyrus SASL library.

What SASL is

SASL, the Simple Authentication and Security Layer, is a generic mechanism for protocols to accomplish authentication. Since protocols (such as SMTP or IMAP) use SASL, it is a natural place for code sharing between applications. Some notable applications that use the Cyrus SASL library include Sendmail (versions 8.10.0 and higher) and Cyrus imapd (versions 1.6.0 and higher).

Applications use the SASL library to tell them how to accomplish the SASL protocol exchange, and what the results were.

SASL is only a framework: specific SASL mechanisms govern the exact protocol exchange. If there are n protocols and m different ways of authenticating, SASL attempts to make it so only n plus m different specifications need be written instead of n times m different specifications. With the Cyrus SASL library, the mechanisms need only be written once, and they'll work with all servers that use it.

Authentication and authorization identifiers

An important concept to become familiar with is the difference between an "authorization identifier" and an "authentication identifier".
userid (user id, authorization id)
The userid is the identifier an application uses to check allowable options. On my Unix system, the user "bovik" (the account of Harry Q. Bovik) is allowed to write to "/home/bovik" and its subdirectories but not to "/etc".
authid (authentication id)
The authentication identifier is the identifier that is being checked. "bovik"'s password might be "qqqq", and the system will authenticate anyone who knows "qqqq" as "bovik". However, it's possible to authenticate as one user but act as another user. For instance, Harry might be away on vacation and assign one of his graduate students, Jane, to read his mail. He might then allow Jane to act as him merely by supplying her password and her id as authentication but requesting authorization as "bovik". So Jane might log in with an authentication identifier of "jane" and an authorization id of "bovik" and her own (Jane's) password.

Applications can set their own proxy policies; by default, the SASL library will only allow the same user to act for another (that is, userid must equal authid).

Realms

The Cyrus SASL library supports the concept of "realms". A realm is an abstract set of users; certain mechanisms authenticate users within a particular realm.

In the simplest case, a single server on a single machine, the realm might be the fully-qualified domain name of the server. If the applications don't specify a realm to SASL, most mechanisms will default to this.

If a site wishes to share passwords between multiple machines, it might choose its authentication realm as a domain name, such as "CMU.EDU". On the other hand, in order to prevent the entire site's security from being compromised when one machine is compromised, each server could have its own realm. Certain mechanisms force the user (client side) to manually configure what realm they're in, making it harder for users to authenticate.

A single site might support multiple different realms. This can confuse applications that weren't written in anticipation of this; make sure your application can support it before adding users from different realms into sasldb with saslpasswd.

The Kerberos mechanisms treat the SASL realm as the Kerberos realm. Thus, the realm for Kerberos mechanisms defaults to the default Kerberos realm on the server. They may support cross-realm authentication; check your application on how it deals with this.

How SASL works

How SASL works is governed by what mechanism the client and server choose to use and the exact implementation of that mechanism. This section describes the way these mechanisms act in the Cyrus SASL implementation.

The PLAIN mechanism, sasl_checkpass(), and plaintext passwords

The PLAIN mechanism is not a secure method of authentication by itself. It is intended for connections that are being encrypted by another level. (For example, the IMAP command "STARTTLS" creates an encrypted connection over which PLAIN might be used.) The PLAIN mechanism works by transmitting a userid, an authentication id, and a password to the server, and the server then determines whether that is an allowable triple.

The principal concern for system administrators is how the authentication id and password are verified. The Cyrus SASL library is flexible in this regard:

auxprop
checks passwords against the userPassword attribute supplied by an auxiliary property plugin. For example, SASL ships with a sasldb auxiliary property plugin that can be used to authenticate against the passwords stored in /etc/sasldb2. Since other mechanisms also use this method of checking their passwords, using this method allows SASL to provide a uniform password database to a large number of mechanisms.
saslauthd
contacts the saslauthd daemon to check passwords using a variety of mechanisms. You can compile support for saslauthd using the --with-saslauthd configure option. More information can be found in saslauthd(8). Once you configure saslauthd, there is a testsaslauthd program, built with make testsaslauthd in the saslauthd directory, that checks that the saslauthd daemon is installed and running properly.

pwcheck
checks passwords with the use of a separate, helper daemon. This feature is for backwards-compatibility only, and new installations should use saslauthd.

write your own
Last, but not least, the most flexible method of authentication for PLAIN is to write your own. If you do so, any application that calls the "sasl_checkpass()" routine or uses PLAIN will invoke your code. The easiest place to modify the plaintext authentication routines is to modify the routine "_sasl_checkpass()" in the file lib/server.c to support a new method, and to add that method to lib/checkpw.c. Be sure to add a prototype in lib/saslint.h!

Note, however, that the more flexible and currently preferred method is to create a new saslauthd mechanism.

The LOGIN mechanism (not to be confused with IMAP4's LOGIN command) is an undocumented, unsupported mechanism. It's included in the Cyrus SASL distribution for the sake of SMTP servers that might want to interoperate with old clients. Do not enable this mechanism unless you know you're going to need it. When enabled, it verifies passwords the same way the PLAIN mechanism does.

Shared secrets mechanisms

The Cyrus SASL library also supports some "shared secret" authentication methods: CRAM-MD5 and its successor DIGEST-MD5. These methods rely on the client and the server sharing a "secret", usually a password. The server generates a challenge and the client a response proving that it knows the shared secret. This is much more secure than simply sending the secret over the wire to prove that the client knows it.

There's a downside: in order to verify such responses, the server must keep passwords or password equivalents in a database; if this database is compromised, it is the same as if all the passwords for the realm are compromised.

For simplicity's sake, the Cyrus SASL library stores plaintext passwords only in the /etc/sasldb2 database. These passwords are then shared among all mechanisms which choose to use it. Depending on the exact database method used (gdbm, ndbm, or db) the file may have different suffixes or may even be split into two files ("sasldb.dir" and "sasldb.pag"). It is also possible for a server to define its own way of storing authentication secrets. Currently, no application is known to do this.

The principal problem for a system administrator is to make sure that sasldb is properly protected: only the servers that need to read it to verify passwords should be able to. If there are any normal shell users on the system, they must not be able to read it.

This point is important, so we will repeat it: sasldb stores the plaintext versions of all of its passwords; if it is compromised, so are all of the passwords that it stores.

Managing password changes is outside the scope of the library. However, system administrators should probably provide users with a way to change their passwords. The "saslpasswd" utility is provided to change the secrets in sasldb. It does not affect PAM, /etc/passwd, or any other standard system library; it only affects secrets stored in sasldb.

Finally, system administrators should consider whether they want to enable "auto_transition". If set, the library will automatically create secrets in sasldb when a user successfully authenticates with PLAIN. However, this means that the individual servers, such as imapd, need read/write access to sasldb, not just read access. By default, "auto_transition" is set to false; set it to true to enable it. (There's no point in enabling this option if "pwcheck_method" is "sasldb".)
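The file-protection requirements above (sasldb must not be readable by ordinary shell users, and a daemon that verifies passwords needs to own or at least read it; the same check applies to the srvtab, keytab and opiekeys files described below) can be audited with a small shell function. This is an added example, not part of the Cyrus SASL distribution; the scratch files and the expected-owner argument are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of Cyrus SASL): audit one secret file such as
# /etc/sasldb2 (or sasldb.dir/sasldb.pag, srvtab, krb5.keytab, opiekeys).
# Usage: check_secret_file FILE [EXPECTED_OWNER]; returns 0 if it passes,
# 1 with a printed reason otherwise.
check_secret_file() {
    f=$1
    want_owner=${2:-}
    if [ ! -f "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    # Portable mode inspection: "ls -ld" prints e.g. "-rw-r-----" first,
    # so characters 8-10 are the permission bits for "other".
    other=$(ls -ld "$f" | cut -c8-10)
    case $other in
        ---) ;;
        *)  echo "$f: accessible by others (other bits: $other)"
            return 1 ;;
    esac
    # If an owner is given (e.g. the Cyrus user for imapd), require that
    # the file belongs to that account; this is an assumed site policy.
    if [ -n "$want_owner" ]; then
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        if [ "$owner" != "$want_owner" ]; then
            echo "$f: owned by $owner, expected $want_owner"
            return 1
        fi
    fi
    return 0
}

# Demonstration on constructed files in a scratch directory (not a real
# sasldb): one world-readable copy, one restricted to owner and group.
demo_check() {
    tmp=$(mktemp -d)
    : > "$tmp/sasldb2.bad";  chmod 0644 "$tmp/sasldb2.bad"
    : > "$tmp/sasldb2.good"; chmod 0640 "$tmp/sasldb2.good"
    bad=ok;  check_secret_file "$tmp/sasldb2.bad"  || bad=rejected
    good=ok; check_secret_file "$tmp/sasldb2.good" || good=rejected
    rm -rf "$tmp"
    echo "world-readable: $bad, owner/group only: $good"
}
```

Run it once per file; for the split gdbm/ndbm layout that means both sasldb.dir and sasldb.pag.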

Kerberos mechanisms

The Cyrus SASL library also comes with two mechanisms that make use of Kerberos: KERBEROS_V4, which should be able to use any Kerberos v4 implementation, and GSSAPI (tested against MIT Kerberos 5 and Heimdal Kerberos 5). These mechanisms make use of the kerberos infrastructure and thus have no password database.

Applications that wish to use a kerberos mechanism will need access to a service key, stored either in a "srvtab" file (Kerberos 4) or a "keytab" file (Kerberos 5). Currently, the keytab file location is not configurable and defaults to the system default (probably /etc/krb5.keytab).

The Kerberos 4 srvtab file location is configurable; by default it is /etc/srvtab, but this is modifiable by the "srvtab" option. Different SASL applications can use different srvtab files.

A SASL application must be able to read its srvtab or keytab file.

You may want to consult the GSSAPI Tutorial.

The OTP mechanism

The Cyrus SASL library also supports the One-Time-Password (OTP) mechanism. This mechanism is similar to CRAM-MD5 and DIGEST-MD5 in that it uses a shared secret and a challenge/response exchange. However, OTP is more secure than the other shared secret mechanisms in that the secret is used to generate a sequence of one-time (single use) passwords, which prevents replay attacks, and that secret need not be stored on the system. These one-time passwords are stored in the /etc/sasldb2 database. See the Shared secrets mechanisms section for a discussion of the /etc/sasldb2 database.

OTP via OPIE

For sites with an existing OTP infrastructure using OPIE, Cyrus SASL can be configured to use OPIE v2.4 instead of using its own database and server-side routines. OPIE should be configured with the --disable-user-locking option if the SASL server application will not be running as "root".

OPIE uses its own "opiekeys" database for storing the data necessary for generating the server challenges. The location of the opiekeys file is configurable in SASL; by default it is /etc/opiekeys, but this is modifiable by the "opiekeys" option.

A SASL server application must be able to read and write the opiekeys file.

How to set configuration options

The Cyrus SASL library comes with a built-in configuration file reader. However, it is also possible for applications to redefine where the library gets its configuration options from.

The default configuration file

By default, the Cyrus SASL library reads its options from /usr/lib/sasl/App.conf (where "App" is the application-defined name of the application). For instance, Sendmail reads its configuration from "/usr/lib/sasl/Sendmail.conf" and the sample server application included with the library looks in "/usr/lib/sasl/sample.conf".

A standard Cyrus SASL configuration file looks like:

srvtab: /var/app/srvtab
pwcheck_method: saslauthd

Application configuration

Applications can redefine how the SASL library looks for configuration information. Check your application's documentation for specifics.

For instance, Cyrus imapd reads its SASL options from its own configuration file, /etc/imapd.conf, by prepending "sasl_" to all SASL option names: the SASL option "pwcheck_method" is set by changing "sasl_pwcheck_method" in /etc/imapd.conf. Check your application's documentation for more information.
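As an added example (not shipped with Cyrus SASL), the following shell functions read an option from either layout, the plain App.conf file shown above or an application file such as /etc/imapd.conf where every SASL option carries the "sasl_" prefix, and flag the two settings this document warns about: pwcheck_method "pwcheck" and auto_transition combined with pwcheck_method "sasldb". The accepted boolean spellings and the sample imapd.conf fragment are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not part of Cyrus SASL): read options from a "key: value"
# file, either /usr/lib/sasl/App.conf or an application file such as
# /etc/imapd.conf where every SASL option carries a prefix ("sasl_").
# Usage: sasl_option NAME FILE [PREFIX]; prints the value, nothing if unset.
sasl_option() {
    awk -v k="${3:-}$1" '
        BEGIN { key = k ":" }
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line ~ /^#/ { next }                  # comment line
        index(line, key) == 1 {               # "key:" at start of line
            v = substr(line, length(key) + 1)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$2"
}

# Flag the plaintext-password settings this document warns about:
# pwcheck_method "pwcheck" is backwards-compatibility only, and
# auto_transition does nothing useful when pwcheck_method is "sasldb".
# Returns 0 when nothing is flagged, 1 otherwise.
lint_sasl_conf() {
    conf=$1 prefix=${2:-} status=0
    method=$(sasl_option pwcheck_method "$conf" "$prefix")
    auto=$(sasl_option auto_transition "$conf" "$prefix")
    if [ "$method" = pwcheck ]; then
        echo "pwcheck_method pwcheck is for old installations; use saslauthd"
        status=1
    fi
    # Boolean spellings treated as "true" here (assumption): true, yes, on, 1.
    case $auto in
        [Tt]rue|[Yy]es|[Oo]n|1)
            if [ "$method" = sasldb ]; then
                echo "auto_transition has no effect when pwcheck_method is sasldb"
                status=1
            fi ;;
    esac
    return $status
}

# Demonstration on a constructed /etc/imapd.conf fragment (not a real site file).
demo_lint() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed imapd.conf fragment' 'configdirectory: /var/imap' \
        'sasl_pwcheck_method: sasldb' 'sasl_auto_transition: true' > "$tmp"
    rc=0; lint_sasl_conf "$tmp" sasl_ || rc=$?
    rm -f "$tmp"
    return $rc
}
```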

Compiling and installing the library

what configure options to use?

don't install a mechanism you aren't going to use.

use --disable-krb4 and --disable-gssapi if you aren't a kerberos site.

use --disable-cram and --disable-digest if you can't use shared secret mechanisms.

need pwcheck? use --enable-pwcheck

other stuff

what can go wrong with shared libraries?

make sure to make the /usr/lib/sasl symbolic link.

canon_user plugin selection: uses canon_user_plugin option

Unfortunately, since SASL is very flexible (allowing administrators to upgrade and install new authentication plugins without recompiling any applications) its flexibility can also make it a chore to compile.

I'll have some sage advice here when I find some.

Troubleshooting

Q: Why doesn't KERBEROS_V4 appear as an available mechanism?

A: Check that the srvtab file is readable by the user the daemon runs as. For Cyrus imapd, it must be readable by the Cyrus user. By default, the library looks for the srvtab in /etc/srvtab, but it's configurable using the srvtab option.

Q: Why doesn't OTP appear as an available mechanism?

A: If using OPIE, check that the opiekeys file is readable by the user the daemon runs as. For Cyrus imapd, it must be readable by the Cyrus user. By default, the library looks for the opiekeys in /etc/opiekeys, but it's configurable using the opiekeys option.

Q: Why don't CRAM-MD5 and DIGEST-MD5 work with my old sasldb?

A: Because sasldb now stores plaintext passwords only, the old sasldb is completely incompatible.

Q: Is LOGIN supported?

A: The LOGIN mechanism is a non-standard, undocumented plaintext mechanism. It's included in the SASL distribution purely for sites that need it to interoperate with old clients; we don't support it. Don't enable it unless you know you need it.

Q: How can I get a non-root application to check plaintext passwords?

A: Try using the "pwcheck" daemon and setting "pwcheck_method" to "pwcheck". Alternatively, you can use the saslauthd daemon. You'll have to run configure with the --with-pwcheck or --with-saslauthd option respectively.

Q: I want to use Berkeley DB, but it's installed in /usr/local/BerkeleyDB.3.1 and configure can't find it.

A: Try setting "CPPFLAGS" and "LDFLAGS" environment variables before running configure, like so:

env CPPFLAGS="-I/usr/local/BerkeleyDB.3.1/include" \
  LDFLAGS="-L/usr/local/BerkeleyDB.3.1/lib -R/usr/local/BerkeleyDB.3.1/lib" \
  ./configure --with-dblib=berkeley

Q: Is there a mailing list to discuss the Cyrus SASL library?

A: cyrus-sasl@lists.andrew.cmu.edu is available for discussion. To subscribe, send a message to majordomo@lists.andrew.cmu.edu with the body of 'subscribe cyrus-sasl'.

An archive is available via

Note: If you are not subscribed, your posts go through human approval before they go out to the list and so posting may be (greatly) delayed.
