MyProxy Admin Guide: Authentication via SASL
SASL stands for Simple Authentication and Security Layer. Via SASL, MyProxy can support a variety of standard authentication protocols (like Kerberos). MyProxy SASL support has been tested with the GSSAPI (Kerberos) and PLAIN (password) mechanisms as documented below. Cyrus SASL supports additional authentication mechanisms. If you experiment with other mechanisms, please report your experiences on the myproxy-users list.

MyProxy also supports external authentication via PAM.

For MyProxy SASL authentication to succeed, the authenticated SASL username must match the requested MyProxy username.
MyProxy can be configured to act as a Certificate Authority to issue credentials to users authenticated via SASL. For more information, please see the MyProxy CA documentation.

To use SASL for authentication to retrieve credentials stored in the MyProxy repository, it is simplest to store unencrypted credentials, via the --no-passphrase argument (equivalent to -n) to myproxy-init or myproxy-admin-adduser. Otherwise, users will need to provide the credential passphrase to decrypt stored credentials in addition to authenticating via SASL.
Installation

- Install a recent Cyrus SASL release. Linux distributions typically include Cyrus SASL packages configured appropriately for the distribution. Using the packages provided by your distribution is recommended. Otherwise, you can obtain the Cyrus SASL library directly from CMU. Installing the SASL plugin libraries in /usr/lib/sasl2 is recommended. Make sure $SASL_PATH is unset if using /usr/lib/sasl2, and set to the correct plugin library directory otherwise. Beware that globus-user-env.* sets $SASL_PATH.
- For Kerberos support, install the Kerberos header files and shared libraries, including the Kerberos GSSAPI library (libgssapi_krb5.so). On RedHat Linux, they are provided by the krb5-devel RPM.
- Install the Globus Toolkit. The best method is to follow the instructions for building and installing only MyProxy using the Globus Toolkit. Any version of the Globus Toolkit compatible with MyProxy (currently GT 2.4 or later) should work. An installation that does not include the Globus MDS is preferred, as the Globus MDS uses an older version of the SASL libraries that can conflict with the MyProxy SASL build. Be sure to obtain X.509 user and host credentials before proceeding.
- Download the latest MyProxy release and run

  gpt-build CONFIGOPTS_GPTMACRO="--with-sasl2=/usr --with-kerberos5=/usr/kerberos" -force -verbose gcc32dbg myproxy-*.tar.gz

  changing the flavor and sasl2/kerberos5 install paths as appropriate. Include --with-kerberos5 in the above command only if you want to support Kerberos authentication. Also, please don't use a threaded (thr) flavor.
- You can verify that SASL support was compiled in to MyProxy by looking for "SASL" in the version string:

  $ myproxy-server -V
  myproxy-server version MYPROXYv2 (v3.5 14 Mar 2006 PAM SASL KRB5)
  $ myproxy-logon -V
  myproxy-logon version MYPROXYv2 (v3.5 14 Mar 2006 PAM SASL KRB5)

  SASL must be supported by both the client and the server to be used successfully.
Configuration

By default, SASL support is disabled in MyProxy. To enable it, add a sasl policy statement in the myproxy-server.config (which is usually in /etc or $GLOBUS_LOCATION/etc):

- sasl "disabled" - SASL authentication isn't used. (default)
- sasl "sufficient" - SASL authentication is sufficient for retrieving credentials, but other authentication methods (such as PAM or credential passphrase) may be used instead.
- sasl "required" - SASL authentication is required for retrieving credentials.
- For Kerberos authentication:
  - Create /usr/lib/sasl2/myproxy.conf (or $SASL_PATH/myproxy.conf) containing:

    mech_list: gssapi

    and verify that /usr/lib/sasl2/libgssapiv2.so (or $SASL_PATH/libgssapiv2.so) is installed.
  - Add a myproxy/host service key to your Kerberos keytab file using kadmin. Use klist to verify the service key has been successfully installed. For example:

    pkilab2:~# klist -k /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/pkilab2.ncsa.uiuc.edu@NCSA.EDU
       2 myproxy/pkilab2.ncsa.uiuc.edu@NCSA.EDU
- For PAM authentication (OTP, Radius, LDAP, etc.):
  - Create /usr/lib/sasl2/myproxy.conf (or $SASL_PATH/myproxy.conf) containing:

    mech_list: plain
    pwcheck_method: saslauthd

    The plain mechanism implements simple username / password PAM authentication. It does not implement challenge / response PAM authentication.
  - Then run

    saslauthd -a pam

    Alternatively, for RedHat Linux, you just need to set MECH=pam in /init.d/saslauthd and run

    /sbin/service saslauthd start
  - Then, create /etc/pam.d/myproxy for your local preferred mechanisms. For example, when using PAM Radius authentication to an OTP server, you may have a configuration like the following:

    #%PAM-1.0
    auth required pam_radius_auth.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth

    Your PAM authentication module should come with documentation on how to configure PAM system services. The MyProxy PAM configuration should be the same as for other system services like sshd.
Troubleshooting

- Does the output of myproxy-server -V and myproxy-logon -V include "SASL"?
- Is $SASL_PATH set? (Check both client and server.) It must not be set to $GLOBUS_LOCATION/lib/sasl, as that's a SASLv1 directory, not SASLv2. If not set, MyProxy will use the default path (/usr/lib/sasl2). The value of $SASL_PATH is included in the myproxy-logon verbose output and the myproxy-server debug output.
- Is /usr/lib/sasl2/myproxy.conf or $SASL_PATH/myproxy.conf configured?
- For Kerberos, does your keytab file include a myproxy/host service key?
- Is the necessary SASL mechanism library installed in /usr/lib/sasl2 or $SASL_PATH? For Kerberos, libgssapiv2.so is required.
- Does /etc/myproxy-server.config or $GLOBUS_LOCATION/etc/myproxy-server.config contain sasl "sufficient" or sasl "required"?
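The checklist above, scripted as an added example (not code from the MyProxy project): each question becomes a shell function that returns 0 (pass) or 1 (fail) and takes its input as an argument, and run_checklist applies them to the paths this guide uses. All function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not MyProxy project code: the troubleshooting questions as
# shell functions; inputs are arguments so each check runs against any path/text.

# Does the -V output ($1) of myproxy-server / myproxy-logon include "SASL"?
version_has_sasl() { case "$1" in *SASL*) return 0 ;; *) return 1 ;; esac; }

# Is $SASL_PATH ($1) unset, or a real plugin directory other than the SASLv1
# directory $GLOBUS_LOCATION/lib/sasl ($2 is $GLOBUS_LOCATION)?
sasl_path_ok() {
    [ -z "$1" ] && return 0
    [ -n "$2" ] && [ "$1" = "$2/lib/sasl" ] && return 1
    [ -d "$1" ]
}

# Does myproxy.conf in the plugin directory ($1) select gssapi or plain?
myproxy_conf_ok() {
    [ -r "$1/myproxy.conf" ] || return 1
    grep -Eq '^[[:space:]]*mech_list:[[:space:]]*(gssapi|plain)' "$1/myproxy.conf"
}

# For Kerberos: is the GSSAPI plugin present in the plugin directory ($1)?
gssapi_plugin_ok() { [ -f "$1/libgssapiv2.so" ]; }

# For Kerberos: does the `klist -k` output ($1) list a myproxy/<host> key?
keytab_has_myproxy_key() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]myproxy/[^[:space:]]+@'
}

# Does myproxy-server.config ($1) contain sasl "sufficient" or sasl "required"?
server_config_enables_sasl() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*sasl[[:space:]]+"(sufficient|required)"' "$1"
}

# Print one PASS/FAIL line per check: report <label> <function> [args...]
report() { label=$1; shift; if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi; }

# Apply the checklist to this host (run manually, as root, on the server).
run_checklist() {
    dir="${SASL_PATH:-/usr/lib/sasl2}"
    cfg=/etc/myproxy-server.config
    [ -r "$cfg" ] || cfg="${GLOBUS_LOCATION:-}/etc/myproxy-server.config"
    report "myproxy-server -V mentions SASL" version_has_sasl "$(myproxy-server -V 2>&1)"
    report "SASL_PATH unset or a valid SASLv2 directory" sasl_path_ok "${SASL_PATH:-}" "${GLOBUS_LOCATION:-}"
    report "$dir/myproxy.conf sets mech_list" myproxy_conf_ok "$dir"
    report "$dir/libgssapiv2.so installed (Kerberos only)" gssapi_plugin_ok "$dir"
    report "keytab has a myproxy/ service key (Kerberos only)" keytab_has_myproxy_key "$(klist -k 2>&1)"
    report "$cfg enables SASL" server_config_enables_sasl "$cfg"
}
```

Run the same functions on the client side with the myproxy-logon -V output to confirm both ends were built with SASL, since a mismatch on either side makes negotiation fail.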
When using SASL, you should see the following in the output of myproxy-logon -v -n:

  MyProxy v3.5 14 Mar 2006 PAM SASL KRB5
  client: begin SASL negotiation...
  $SASL_PATH isn't set. Using /usr/lib/sasl2.
  Server sent SASL mechs GSSAPI.
  Using SASL mechanism GSSAPI
  SASL negotiation finished.

In the myproxy-server -d output, you should see:

  myproxy-server v3.5 14 Mar 2006 PAM SASL KRB5
  sending MYPROXY_AUTHORIZATION_RESPONSE
  client chose SASL
  Server: begin SASL negotiation...
  $SASL_PATH isn't set. Using /usr/lib/sasl2.
  Generating SASL mechanism list...
  Sending list of 1 mechanism(s): GSSAPI
  S: R1NTQVBJ
  Waiting for client mechanism...
  C: ...
  Sending response...
  S: ...
  Waiting for client reply...
  C: ...
  Sending response...
  S: ...
  Waiting for client reply...
  C: ...
  SASL negotiation complete.
  SASL authentication succeeded for...
  retrieval authorization
  Sending OK response to client...
  retrieving proxy
  Delegating credentials...
Last modified 03/23/09.
©2000-2019 Board of Trustees of the University of Illinois.