Tarjei Huse wrote:
?? I didn't know, sorry. Please tell me more on how I can use GSSAPI instead of TLS to secure not only authentication but everything that happens over the wire.
It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5 also.
Never heard of this. I was always under the impression that both GSS-API and *-MD5 methods secured only the authentication, not the entire channel data transfer.
Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL authentication.
With ldapsearch, for example:

    $ ldapsearch -h ldap.server | head -5
    SASL/GSSAPI authentication started
    SASL username: [EMAIL PROTECTED]
    SASL SSF: 56 <---------- encrypted channel (only 56 bits though)

No. It simply means that authentication type is of SSF (Security Strength Factor) 56. I'm not sure if the SSF has anything to do with number of bits used as (some) private key length. Anyway, this is saying nothing about the rest of the communication, just the authentication part.
SASL installing layers (...)
With digest-md5:

    $ ldapsearch -h ldap.server -Y digest-md5 | head -5
    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: andreas
    SASL SSF: 128 <---------------------

Again, just the auth phase is covered here.
I'm crossposting to the SASL mailing list in hopes someone can shed some light on the matter.
Nix.

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
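
Added example, not part of the original thread: a small shell check that reads the "SASL SSF:" line ldapsearch prints (as in the output quoted above) and fails when the reported value is missing or below a required minimum. The function names sasl_ssf and require_ssf are hypothetical, and the sample output is constructed.

```shell
# Constructed sample of ldapsearch diagnostics (not captured from a real server).
sample_gssapi='SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 56
SASL installing layers'

# Constructed sample with no SASL exchange at all (e.g. a simple bind).
sample_simple='# extended LDIF
# LDAPv3'

# Print the SSF reported in ldapsearch diagnostics read from stdin.
# Returns 1 and prints nothing when no "SASL SSF:" line is present.
sasl_ssf() {
    ssf=$(sed -n 's/^SASL SSF: *\([0-9][0-9]*\).*$/\1/p' | head -n 1)
    [ -n "$ssf" ] || return 1
    printf '%s\n' "$ssf"
}

# Succeed only if the reported SSF is at least $1.
# Exit status: 0 = meets minimum, 1 = too low, 2 = no SSF line found.
require_ssf() {
    min=$1
    ssf=$(sasl_ssf) || { echo "no SASL SSF line found" >&2; return 2; }
    if [ "$ssf" -lt "$min" ]; then
        echo "SSF $ssf is below required $min" >&2
        return 1
    fi
    echo "SSF $ssf meets minimum $min"
}

# Usage: pipe the ldapsearch diagnostics into the check, e.g.
#   printf '%s\n' "$sample_gssapi" | require_ssf 56
```

OpenLDAP's ldapsearch also accepts SASL security properties through -O, for example -O minssf=128, so that the SASL library itself refuses a weaker negotiation.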