
Re: pass hex salted password on gsasl command line


From: Simon Josefsson
Subject: Re: pass hex salted password on gsasl command line
Date: Tue, 02 Jan 2024 03:40:18 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Manvendra Bhangui <mbhangui@gmail.com> writes:

> Hi,
>
> I have been using the gsasl utility for most of my testing with SCRAM
> passwords. During testing I noticed that there isn't a way to pass the hex
> salted password. I did the following change to src/callback.c and now I can
> use hex salted passwords
>
> diff -Naur gsasl-2.2.0.orig/src/callbacks.c gsasl-2.2.0/src/callbacks.c
> --- gsasl-2.2.0.orig/src/callbacks.c    2022-08-20 19:23:21.000000000 +0530
> +++ gsasl-2.2.0/src/callbacks.c 2022-11-02 00:04:51.079193609 +0530
> @@ -199,6 +199,10 @@
>        break;
>
>      case GSASL_SCRAM_SALTED_PASSWORD:
> +      if (args_info.password_arg == NULL)
> +   args_info.password_arg = readutf8pass ("Enter Hex salted password: ");
> +
> +      rc = gsasl_property_set (sctx, GSASL_SCRAM_SALTED_PASSWORD,
> args_info.password_arg);
>        break;
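Review bot: the two `+` lines under `case GSASL_SCRAM_SALTED_PASSWORD:` store the hex salted password in `args_info.password_arg`, the same variable this callback hands out when a mechanism asks for `GSASL_PASSWORD`, so after the prompt "Enter Hex salted password:" any later plain-password request receives the hex string instead; keep the salted password in its own field (for example a dedicated `--scram-salted-password` argument with its own variable) and call `gsasl_property_set (sctx, GSASL_SCRAM_SALTED_PASSWORD, ...)` from that, leaving `password_arg` untouched.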

Hi.  Thanks for the report and the idea.  That patch is a bit simple.
It reads a hex string and stores that in the password variable, which
means any later calls for GSASL_PASSWORD will get the hex encoded data,
and it will be quite confusing.

I added a new parameter --scram-salted-password instead that does what I
think you want.  When I tried to construct an example scenario on how to
use that parameter for this e-mail, I realized that the gsasl SCRAM
server code did not support authenticating based on salted password, so
it was a bit challenging to use gsasl against itself in any useful way.
I implemented that:

https://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=c46ec1850991b0ab935f8859b542d609c6cfc67a

Below is an example walk-through of how to use it; I made it a bit more
readable and published it on the wiki:

https://gitlab.com/gsasl/gsasl/-/wikis/GNU-SASL-SCRAM-command-line-walk-through-example

/Simon

Generate parameters:

jas@kaka:~$ gsasl --mkpasswd --password password --mechanism SCRAM-SHA-256 --verbose
{SCRAM-SHA-256}65536,fBq51uMihrs2adiq,woEP0ohXLuUzEYHmpYtaVtQiUUHTOToVJxMafwn594s=,cIhsPYUyOsQ7yUp1HgTqke3MJ+1wCWk0HBp4+uJUIbg=,0dfb3ba9fe5eb2d7fcc522150180e8783cc92b7244464bed47ded8aa4590c4e7

Start server:

jas@kaka:~$ gsasl --server --mechanism SCRAM-SHA-256 --iteration-count=65536 --salt fBq51uMihrs2adiq --scram-salted-password 0dfb3ba9fe5eb2d7fcc522150180e8783cc92b7244464bed47ded8aa4590c4e7
Using mechanism:
SCRAM-SHA-256
Output from server:

Enter base64 authentication data from client (press RET if none):

In another terminal start client:

jas@kaka:~$ gsasl --client --mechanism SCRAM-SHA-256 --no-cb --scram-salted-password 0dfb3ba9fe5eb2d7fcc522150180e8783cc92b7244464bed47ded8aa4590c4e7
Using mechanism:
SCRAM-SHA-256
Using system username `jas' as authentication identity.
Output from client:
biwsbj1qYXMscj1zSDlndGpER2d5enRqT0w0dU1DcFM0T0M=
Enter base64 authentication data from server (press RET if none):

Now cut'n'paste the "biws..." string from the client to the server:

biwsbj1qYXMscj1zSDlndGpER2d5enRqT0w0dU1DcFM0T0M=
Output from server:
cj1zSDlndGpER2d5enRqT0w0dU1DcFM0T0NXQW9KempPQUpUQkR6YzAxcmt1b0I4MlIscz1mQnE1MXVNaWhyczJhZGlxLGk9NjU1MzY=
Enter base64 authentication data from client (press RET if none):

Now cut'n'paste the "cj1zSD..." string from the server to the client:

cj1zSDlndGpER2d5enRqT0w0dU1DcFM0T0NXQW9KempPQUpUQkR6YzAxcmt1b0I4MlIscz1mQnE1MXVNaWhyczJhZGlxLGk9NjU1MzY=
Output from client:
Yz1iaXdzLHI9c0g5Z3RqREdneXp0ak9MNHVNQ3BTNE9DV0FvSnpqT0FKVEJEemMwMXJrdW9CODJSLHA9bE5aOFo3dWU3VXVjWGdtYi9ERlFJSjlqWWZFc3NHT25lV1AzVHR2VG1Gdz0=
Enter base64 authentication data from server (press RET if none):

Take the client's output and give it to the server:

Yz1iaXdzLHI9c0g5Z3RqREdneXp0ak9MNHVNQ3BTNE9DV0FvSnpqT0FKVEJEemMwMXJrdW9CODJSLHA9bE5aOFo3dWU3VXVjWGdtYi9ERlFJSjlqWWZFc3NHT25lV1AzVHR2VG1Gdz0=
warning: mechanism requested unsupported property `23'
Output from server:
dj1XMWZ4akpab1JRWm4yWFFiTUl2NVpPYmd2NUhkQ2NQVE02UVBKT3JMYjRzPQ==
Enter base64 authentication data from client (press RET if none):

Take the server's output and give it to the client:

dj1XMWZ4akpab1JRWm4yWFFiTUl2NVpPYmd2NUhkQ2NQVE02UVBKT3JMYjRzPQ==
Output from client:

Enter base64 authentication data from server (press RET if none):

What it is trying to say here is that the output is the empty string, so
just press enter on the server to finish the authentication:

Server authentication finished (client trusted)...
Enter application data (EOF to finish):

The server is now finished, and you may press ^D to quit.  In the
client, press enter to let it finish too:

Client authentication finished (server trusted)...
Enter application data (EOF to finish):
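To show what the hex value on the --scram-salted-password line actually carries, here is an added Python check (not gsasl code, not part of the thread) that replays the walk-through above offline: it derives SaltedPassword, StoredKey and ServerKey from "password", the salt and the iteration count, then recomputes the client proof and server signature over the four exchanged messages per RFC 5802/7677. It assumes the --mkpasswd --verbose columns are iterations, salt, StoredKey, ServerKey, SaltedPassword (the Dovecot-compatible layout) and that --salt is base64 as it appears in the s= attribute.

```python
import base64
import hashlib
import hmac

# Values copied from the walk-through: the --mkpasswd --verbose line without its
# {SCRAM-SHA-256} prefix, and the four base64 blobs pasted between client and server.
MKPASSWD = ("65536,fBq51uMihrs2adiq,"
            "woEP0ohXLuUzEYHmpYtaVtQiUUHTOToVJxMafwn594s=,"
            "cIhsPYUyOsQ7yUp1HgTqke3MJ+1wCWk0HBp4+uJUIbg=,"
            "0dfb3ba9fe5eb2d7fcc522150180e8783cc92b7244464bed47ded8aa4590c4e7")
EXCHANGE = [
    "biwsbj1qYXMscj1zSDlndGpER2d5enRqT0w0dU1DcFM0T0M=",
    "cj1zSDlndGpER2d5enRqT0w0dU1DcFM0T0NXQW9KempPQUpUQkR6YzAxcmt1b0I4MlIscz1mQnE1MXVNaWhyczJhZGlxLGk9NjU1MzY=",
    "Yz1iaXdzLHI9c0g5Z3RqREdneXp0ak9MNHVNQ3BTNE9DV0FvSnpqT0FKVEJEemMwMXJrdW9CODJSLHA9bE5aOFo3dWU3VXVjWGdtYi9ERlFJSjlqWWZFc3NHT25lV1AzVHR2VG1Gdz0=",
    "dj1XMWZ4akpab1JRWm4yWFFiTUl2NVpPYmd2NUhkQ2NQVE02UVBKT3JMYjRzPQ==",
]

def attrs(msg):
    """Parse SCRAM 'k=v,k=v' attributes; base64 values may themselves contain '='."""
    return dict(part.split("=", 1) for part in msg.split(",") if "=" in part)

def derive_keys(salted_password):
    """RFC 5802 key schedule: everything the server stores comes from SaltedPassword."""
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key

def check_transcript(mkpasswd=MKPASSWD, exchange=EXCHANGE, password=b"password"):
    """Recompute every value in the walk-through; each flag is True if it matches."""
    iters, salt_b64, stored_b64, server_b64, salted_hex = mkpasswd.split(",")
    salted = hashlib.pbkdf2_hmac("sha256", password, base64.b64decode(salt_b64), int(iters), 32)
    client_key, stored_key, server_key = derive_keys(salted)
    c1, s1, c2, s2 = (base64.b64decode(m).decode() for m in exchange)
    c1_bare = c1.split(",", 2)[2]            # drop the "n,," GS2 header (--no-cb)
    c2_without_proof = c2[: c2.rindex(",p=")]
    auth_message = ",".join([c1_bare, s1, c2_without_proof]).encode()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))   # ClientKey XOR ClientSignature
    server_sig = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return {
        "salted_password": salted.hex() == salted_hex,
        "stored_key": b64(stored_key) == stored_b64,
        "server_key": b64(server_key) == server_b64,
        "nonce_extended": attrs(s1)["r"].startswith(attrs(c1_bare)["r"]),
        "client_proof": b64(proof) == attrs(c2)["p"],
        "server_signature": b64(server_sig) == attrs(s2)["v"],
    }
```

Every flag comes back True for the transcript above, which is why the hex salted password alone lets both gsasl processes complete the exchange; it is password-equivalent for that salt, so a verifier database should hold StoredKey and ServerKey rather than SaltedPassword where it can.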
