National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

SASL stands for Simple Authentication and Security Layer. Via SASL, MyProxy can support a variety of standard authentication protocols (like Kerberos). MyProxy SASL support has been tested with the GSSAPI (Kerberos) and PLAIN (password) mechanisms as documented below. Cyrus SASL supports additional authentication mechanisms. If you experiment with other mechanisms, please report your experiences on the myproxy-users list. MyProxy also supports external authentication via PAM.

For MyProxy SASL authentication to succeed, the authenticated SASL username must match the requested MyProxy username.

Contents

Using SASL with the MyProxy CA

MyProxy can be configured to act as a Certificate Authority to issue credentials to users authenticated via SASL. For more information, please see the MyProxy CA documentation.

Unencrypted Credentials

To use SASL for authentication to retrieve credentials stored in the MyProxy repository, it is simplest to store unencrypted credentials, via the --no-passphrase argument (equivalent to -n) to myproxy-init or myproxy-admin-adduser. Otherwise, users will need to provide the credential passphrase to decrypt stored credentials in addition to authenticating via SASL.

Enabling MyProxy's SASL Support

  1. Install a recent Cyrus SASL release. Linux distributions typically include Cyrus SASL packages configured appropriately for the distribution. Using the packages provided by your distribution is recommend. Otherwise, you can obtain the Cyrus SASL library directly from CMU. Installing the SASL plugin libraries in /usr/lib/sasl2 is recommended. Make sure $SASL_PATH is unset if using /usr/lib/sasl2 and set to the correct plugin library directory otherwise. Beware that globus-user-env.* sets $SASL_PATH.
  2. For Kerberos support, install the Kerberos header files and shared libraries, including the Kerberos GSSAPI library (libgssapi_krb5.so). On RedHat Linux, they are provided by the krb5-devel RPM.
  3. Install the Globus Toolkit. The best method is to follow the instructions for building and installing only MyProxy using the Globus Toolkit. Any version of the Globus Toolkit compatible with MyProxy (currently GT 2.4 or later) should work. An installation that does not include the Globus MDS is preferred, as the Globus MDS uses an older version of the SASL libraries that can conflict with the MyProxy SASL build. Be sure to obtain X.509 user and host credentials before proceeding.
  4. Download the latest MyProxy release and run

    gpt-build CONFIGOPTS_GPTMACRO="--with-sasl2=/usr --with-kerberos5=/usr/kerberos" -force -verbose gcc32dbg myproxy-*.tar.gz

    changing the flavor and sasl2/kerberos5 install paths as appropriate. Include --with-kerberos5 in the above command only if you want to support Kerberos authentication. Also, please don't use a threaded (thr) flavor.
  5. You can verify that SASL support was compiled in to MyProxy by looking for "SASL" in the version string:
     
      $ myproxy-server -V
      myproxy-server version MYPROXYv2 (v3.5 14 Mar 2006 PAM SASL KRB5) 
      $ myproxy-logon -V
      myproxy-logon version MYPROXYv2 (v3.5 14 Mar 2006 PAM SASL KRB5)
    
    SASL must be supported by both the client and the server to be used successfully.

Configuring MyProxy's SASL Support

By default, SASL support is disabled in MyProxy. To enable it, add a sasl policy statement in the myproxy-server.config (which is usually in /etc or $GLOBUS_LOCATION/etc):

sasl "disabled"
SASL authentication isn't used. (default)
sasl "sufficient"
SASL authentication is sufficient for retrieving credentials, but other authentication methods (such as PAM or credential passphrase) may be used instead.
sasl "required"
SASL authentication is required for retrieving credentials.

Configuring SASL

  • For Kerberos authentication:
    1. Create /usr/lib/sasl2/myproxy.conf (or $SASL_PATH/myproxy.conf) containing:

      mech_list: gssapi

      and verify that /usr/lib/sasl2/libgssapiv2.so (or $SASL_PATH/libgssapiv2.so) is installed.
    2. Add a myproxy/host service key to your Kerberos keytab file using kadmin. Use klist to verify the service key has been successfully installed. For example:
      pkilab2:~# klist -k /etc/krb5.keytab
      Keytab name: FILE:/etc/krb5.keytab
      KVNO Principal
      ---- --------------------------------------------------------------------------
         2 host/pkilab2.ncsa.uiuc.edu@NCSA.EDU
         2 myproxy/pkilab2.ncsa.uiuc.edu@NCSA.EDU
            

    Rather than configuring SASL for PAM, we recommend configuring MyProxy to support PAM directly.

  • For PAM authentication (OTP, Radius, LDAP, etc.):
    1. Create /usr/lib/sasl2/myproxy.conf (or $SASL_PATH/myproxy.conf) containing:

      mech_list: plain
      pwcheck_method: saslauthd

      The plain mechanism implements simple username / password PAM authentication. It does not implement challenge / response PAM authentication.
    2. Then run

      saslauthd -a pam

      Alternatively, for RedHat Linux, you just need to set MECH=pam in /init.d/saslauthd and run

      /sbin/service saslauthd start

    3. Then, create /etc/pam.d/myproxy for your local preferred mechanisms. For example, when using PAM Radius authentication to an OTP server, you may have a configuration like the following:

      #%PAM-1.0
      auth required pam_radius_auth.so
      account required pam_stack.so service=system-auth
      password required pam_stack.so service=system-auth

      Your PAM authentication module should come with documentation on how to configure PAM system services. The MyProxy PAM configuration should be the same as for other system services like sshd.

Troubleshooting

  1. Does the output of myproxy-server -V and myproxy-logon -V include "SASL"?
  2. Is $SASL_PATH set? (Check both client and server.) It must not be set to $GLOBUS_LOCATION/lib/sasl, as that's a SASLv1 directory, not SASLv2. If not set, MyProxy will use the default path (/usr/lib/sasl2). The value of $SASL_PATH is included in the myproxy-logon verbose output and the myproxy-server debug output.
  3. Is /usr/lib/sasl2/myproxy.conf or $SASL_PATH/myproxy.conf configured?
  4. For Kerberos, does your keytab file include a myproxy/host service key?
  5. Is the necessary SASL mechanism library installed in /usr/lib/sasl2 or $SASL_PATH? For Kerberos, libgssapiv2.so is required.
  6. Does /etc/myproxy-server.config or $GLOBUS_LOCATION/etc/myproxy-server.config contain sasl "sufficient" or sasl "required"?

When using SASL, you should see the following in the output of myproxy-logon -v -n:

  MyProxy v3.5 14 Mar 2006 PAM SASL KRB5
  client: begin SASL negotiation...
  $SASL_PATH isn't set. Using /usr/lib/sasl2.
  Server sent SASL mechs GSSAPI.
  Using SASL mechanism GSSAPI
  SASL negotiation finished.

In the myproxy-server -d output, you should see:

  myproxy-server v3.5 14 Mar 2006 PAM SASL KRB5
  sending MYPROXY_AUTHORIZATION_RESPONSE
  client chose SASL
  Server: begin SASL negotiation...
  $SASL_PATH isn't set. Using /usr/lib/sasl2.
  Generating SASL mechanism list...
  Sending list of 1 mechanism(s): GSSAPI
  S: R1NTQVBJ
  Waiting for client mechanism...
  C: ...
  Sending response...
  S: ...
  Waiting for client reply...
  C: ...
  Sending response...
  S: ...
  Waiting for client reply...
  C: ...
  SASL negotiation complete.
  SASL authentication succeeded for...
  retrieval authorization
  Sending OK response to client...
  retrieving proxy
  Delegating credentials...

Last modified 03/23/09.
©2000-2017 Board of Trustees of the University of Illinois.