Nikola Milutinovic wrote:

This is a cross-post to Cyrus INFO list. The question raised here is whether GSS-API and *-MD5 SASL mechanisms secure the entire communication, not just the authentication phase, thus making SSL/TLS unnecessary.

Both GSSAPI (Kerberos 5) and DIGEST-MD5 have the ability to negotiate integrity and/or privacy (encryption) layers which are in effect for the entire connection.




Tarjei Huse wrote:

?? I didn't know, sorry. Please tell me more on how I can use GSSAPI instead of
tls to secure not only authentication but everything that happens over the
wire.


It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5
also.


Never heard of this. I was always under the impression that both GSS-API and *-MD5 methods secured only the authentication, not the entire channel data transfer.

Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL
authentication.


With ldapsearch, for example:
$ ldapsearch -h ldap.server | head -5
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56  <---------- encrypted channel (only 56 bits though)


No. It simply means that authentication type is of SSF (Security Strength Factor) 56. I'm not sure if the SSF has anything to do with number of bits used as (some) private key length. Anyway, this is saying nothing about the rest of the communication, just the authentication part.

SASL installing layers
(...)

With digest-md5:
$ ldapsearch -h ldap.server -Y digest-md5 | head -5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: andreas
SASL SSF: 128  <---------------------


Again, just the auth phase is covered here.

I'm crossposting to the SASL mailing list in hopes someone can shed some light on the matter.

Nix.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
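Ken's point above is that once a mechanism has "installed layers", every later buffer on the connection is integrity-protected (and encrypted, if a privacy layer was negotiated) with keys derived from the authentication exchange, so the SSF applies to the whole session and not only to the login. The following is an added example, not code from this thread or from Cyrus SASL: a stand-alone Python model of the DIGEST-MD5 integrity layer from RFC 2831 (truncated HMAC-MD5 plus a per-direction sequence number under SASL's 4-byte length framing); the H(A1) value is constructed and the class and function names are my own.

```python
import hashlib
import hmac
# Magic strings from RFC 2831 section 2.3; H(A1) is the 16-byte MD5 of A1 that both
# peers already computed during authentication, so the layer needs no extra key setup.
KIC_MAGIC = b"Digest session key to client-to-server signing key magic constant"
KIS_MAGIC = b"Digest session key to server-to-client signing key magic constant"

def signing_key(h_a1: bytes, magic: bytes) -> bytes:
    return hashlib.md5(h_a1 + magic).digest()

def mac(key: bytes, seq: int, msg: bytes) -> bytes:
    # first 10 bytes of HMAC-MD5 over the 4-byte big-endian sequence number and the message
    return hmac.new(key, seq.to_bytes(4, "big") + msg, hashlib.md5).digest()[:10]

class IntegrityLayer:
    """One peer's view: signs with its own key, verifies the other's, counts per direction."""
    def __init__(self, send_key: bytes, recv_key: bytes):
        self.send_key, self.recv_key = send_key, recv_key
        self.send_seq = self.recv_seq = 0

    def wrap(self, msg: bytes) -> bytes:
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        # MAC block = 10-byte MAC + 2-byte type (1) + 4-byte seq; SASL adds a 4-byte length prefix
        body = msg + mac(self.send_key, seq, msg) + (1).to_bytes(2, "big") + seq.to_bytes(4, "big")
        return len(body).to_bytes(4, "big") + body

    def unwrap(self, frame: bytes) -> bytes:
        length, body = int.from_bytes(frame[:4], "big"), frame[4:]
        msg, tag, seq = body[:-16], body[-16:-6], int.from_bytes(body[-4:], "big")
        if len(body) != length or length < 16 or body[-6:-4] != b"\x00\x01" or seq != self.recv_seq:
            raise ValueError("truncated, replayed or reordered frame")
        if not hmac.compare_digest(tag, mac(self.recv_key, seq, msg)):
            raise ValueError("integrity check failed")
        self.recv_seq += 1  # only a verified frame advances the receive counter
        return msg

def demo() -> dict:
    h_a1 = hashlib.md5(b"constructed stand-in for A1").digest()  # constructed, not a real key
    kic, kis = signing_key(h_a1, KIC_MAGIC), signing_key(h_a1, KIS_MAGIC)
    client, server = IntegrityLayer(kic, kis), IntegrityLayer(kis, kic)
    frame = client.wrap(b"LDAP search request")
    out = {"delivered": server.unwrap(frame) == b"LDAP search request"}
    second = client.wrap(b"LDAP modify request")
    tampered = second[:4] + bytes([second[4] ^ 1]) + second[5:]  # flip one payload bit
    for name, bad in (("tampered", tampered), ("replayed", frame)):
        try:
            server.unwrap(bad)
            out[name] = False
        except ValueError:
            out[name] = True
    return out
```

With OpenLDAP's ldapsearch the required layer strength can be enforced rather than just observed, for example `-O minssf=128`, so the client refuses to continue unless a layer of at least that strength is negotiated.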