userPassword Support not available, because it is not build with libssl-dev

The support for userPassword fields is only available with the libssl-dev package. I corrected the package with this patch:

--- debian/control.orig 2006-01-10 21:34:44.000000000 +0100
+++ debian/control 2006-01-10 21:34:54.000000000 +0100
@@ -2,7 +2,7 @@
 Section: net
 Priority: optional
 Maintainer: Guido Trotter <email address hidden>
-Build-Depends: debhelper (>= 4.0.0), dpatch, libgtk2.0-dev, libldap2-dev, libkrb5-dev, libxml2-dev
+Build-Depends: debhelper (>= 4.0.0), dpatch, libgtk2.0-dev, libldap2-dev, libkrb5-dev, libxml2-dev, libssl-dev
 Standards-Version: 3.6.2.1

 Package: gq

After recompiling the package, the userPassword support is available (drop down menu with encryption methods). This package is available on: http://apt-get.linuxhacker.at/ubuntu/dists/breezy/universe/pool/gq_1.0beta1-4hs1_i386.changes

It would be nice, if the next Ubuntu version would contain the userPassword support.

Thanks
Herbert Straub

I think the remote bug watch to debbugs #329312 hits another problem. I try to build gq with --enable-sasl and the dependency to libsasl2-dev, but the drop down menu for password encryption is not available.

I have two screenshots on my homepage to show the effect, if the package is build with openssl-dev is available and not available.

I think, the configure.in contains the relevant location:
dnl We require libcrypto for the dt_password DISPLAYTYPE handler ... peter
dnl If we do not find it, we do not enable DISPLAYTYPE_PASSWORD

AC_CHECK_LIB(crypto, OpenSSL_add_all_digests)

And the dt_password.c contains the code.

Thanks
Herbert Straub

Yes an i forgot the URI for the screenshots:

https://info.linuxhacker.at/wiki/BreezyGQAndUserPasswrd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guido,
I'm working on a bug that was reported in the Ubuntu bug tracker[1]
regarding encryption of userPassword entries. I have also been using a
local package of gq that is built with libsasl2. I have been using my
package of gq to do GSSAPI binds with my ldap server. It also appears
that the userPassword encryption works correctly. I looked through the
BTS and noticed that you have disabled these features on purpose, but
I'm not clear on the reason why. Are there problems with these features?

A related issue is that of linking against OpenSSL. It seems the
authors of gq have allowed an exception to the GPL to get around the
OpenSSL license issues described here [2]. I think if the features that
OpenSSL enables work correctly, the OpenSSL attribution statement needs
to be added to the copyright file.

What are your thoughts on making these changes to the gq package?

Ben

[1] https://launchpad.net/distros/ubuntu/+source/gq/+bug/6629
[2] http://www.gnome.org/~markmc/openssl-and-the-gpl.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFD0cAr14/jLHK8klURAjsYAKCyV3tIgzRRfwxyASH+NiODvnR+7ACff2oi
7F07tYyBDyp/65iVcY5G3w8=
=owjB
-----END PGP SIGNATURE-----

Subject: Re: SASL and OpenSSL with gq
Date: Sat, 21 Jan 2006 12:53:47 +0100
From: Guido Trotter <email address hidden>
To: Benjamin Montgomery <email address hidden>
References: <email address hidden>

On Fri, Jan 20, 2006 at 11:01:31PM -0600, Benjamin Montgomery wrote:

Hi,

> Guido,
> I'm working on a bug that was reported in the Ubuntu bug tracker[1]
> regarding encryption of userPassword entries. I have also been using a
> local package of gq that is built with libsasl2. I have been using my
> package of gq to do GSSAPI binds with my ldap server. It also appears
> that the userPassword encryption works correctly. I looked through the
> BTS and noticed that you have disabled these features on purpose, but
> I'm not clear on the reason why. Are there problems with these features?
>

Yeah, upstream (when he was still active) esplicitely said they were
completely
broken and unsupported... So I preferred to disable them!

> A related issue is that of linking against OpenSSL. It seems the
> authors of gq have allowed an exception to the GPL to get around the
> OpenSSL license issues described here [2]. I think if the features that
> OpenSSL enables work correctly, the OpenSSL attribution statement needs
> to be added to the copyright file.
>

That can surely be done! No problem!

Ciao,

Guido

Guido Trotter wrote:
>>I'm working on a bug that was reported in the Ubuntu bug tracker[1]
>>regarding encryption of userPassword entries. I have also been using a
>>local package of gq that is built with libsasl2. I have been using my
>>package of gq to do GSSAPI binds with my ldap server. It also appears
>>that the userPassword encryption works correctly. I looked through the
>>BTS and noticed that you have disabled these features on purpose, but
>>I'm not clear on the reason why. Are there problems with these features?
>
> Yeah, upstream (when he was still active) esplicitely said they were completely
> broken and unsupported... So I preferred to disable them!

Just to make sure, you are refering to both the OpenSSL and SASL
features? Did upstream give examples of what was broken?

Have you done any testing with the userPassword encryption turned on?
Do you know if it produces the correct output? I can verify that SASL
GSSAPI binds work correctly on my network.

>>A related issue is that of linking against OpenSSL. It seems the
>>authors of gq have allowed an exception to the GPL to get around the
>>OpenSSL license issues described here [2]. I think if the features that
>>OpenSSL enables work correctly, the OpenSSL attribution statement needs
>>to be added to the copyright file.
>
> That can surely be done! No problem!

This isn't an issue if the OpenSSL code in gq is broken and not enabled.

Herbert, can you do testing with the userPassword encryption and see if it generates the correct output? I'm not sure how this feature is supposed to work and I don't really have a good way to test. If you need a gq package with this feature enabled, let me know and I'll make it available to you.

Guido Trotter wrote:
> I haven't tried because I use normal binding, on an SSL or TSL encrypted
> connection, which is perfectly fine security wise, and even better than
a SASL
> bind, from my point of view, as it protects the whole connection and not
only
> the password.

I'm using ldaps with a GSSAPI SASL bind. The passwords are stored in
kerberos and SASL uses kerberos tickets to grant access. This works
without problems. I haven't tried the other SASL methods. This is why
I was wondering what parts are broken, because SASL binds seem to work
correctly. My LDAP server is configured to not allow access unless the
request is authenticated with an appropriate kerberos ticket. I mostly
have it set up to provide a LDAP+Kerberos single sign on capability.

> You say the sasl works only with unencrypted passwords... are you sure
it's not
> *supposed* to behave that way? Thinking about it: if your password is
> transmitted over the wire then the LDAP server on the other end of the
> connection can use whichever hashing tecnique it has used to encrypt the
> password to verify its correctnes... On the other hand if the password
is used
> as a shared secret to provide some kind of challenge response
authentication how
> can the server actually do its work without *knowing* the secret himself
(rather
> than some one-way-encrypted version of it). It seems to be the same
tradeoff
> there is between PPP CHAP and PAP authentication.
>
> Anyway just to be sure it's not a gq issue: why don't you ask the user who
> complained to try binding to the same account with the command-line
ldapsearch
> and see if that works or not? If it doesn't it's probably not gq's fault!

The problem is not with binding. We are looking at the userPassword
field in an LDAP record. With the correct build-deps gq can handle
hashing passwords before they are sent to the server. You can tell if
this feature is enabled if there is a drop-down menu next to the
userPassword text entry box that allows you to pick a hash.

I had to add libsasl2-dev and libssl-dev to the build-deps in order to
enable the userPassword hash functionality and the ability to do a SASL
bind.

I've asked the orginal bug reporter to do some testing on the
userPassword hash functions and update the ubuntu bug report if gq
performs the hashes correctly.

At a minimum I think it makes sense to add libssl-dev to the build-deps
and update the copyright file. I can say that GSSAPI SASL binds work,
but I don't have the capability to check other types of SASL binds right
now. It probably is best to leave that feature disabled. Maybe we
could add to the README.Debian that SASL is untested and how to enable
it by building a local package?

Ben

--
Benjamin Montgomery
<email address hidden>

Hallo Benjamin,

yes i'm sure, that the userPassword works with the encryption functionality. My test configuration: the ldap server with simple bind and a uw-imapd server with pam_ldap authentication and the accounts are stored in the ldap server. If i'm setup the password from the testaccount with the gq: i can log in via Thunderbird. And i'm trying to setup another password with gq and a encryption methond (sha, crypt, md5) and i have to use this new password in Thunderbird to login.

I'm sure, that this construct works long time ago, because i'm setup this environment one year ago under Suse Linux with Ldap and gq. Under Suse, the gq displays the encryption function on userPassword since one year(i think). I'm wondering why this encryption function is not available in Debian/Ubuntu. Now i'm pretty sure, that this is only the failing openssl-dev library on compile time, because i cannot see any other patches in the Suse package. I'm don't using GSSAPI only simple with TLS.

Second i try to setup the userPassword for the administrator accounts (example for bind dn: cn=administrator,dc=foo,dc=bar) and using the encryption method: sha and i can successfully login with the ldapsearch command.

I'm sure, this works and helps the administrator to working with encrypted userPassword fields with gq.

Thanks
Herbert Straub

I build gq 1.0.0-2ubuntu1hs1 for dapper with selectable encryption mechanism for userPassword -> add libssl-dev to BuildDepends. Works fine on Dapper.

http://apt-get.linuxhacker.at/ubuntu/dists/dapper/universe/pool/gq_1.0.0-2ubuntu1hs1_i386.changes

The 1.0.0-3ubuntu1 version for edgy will contains the build dependency libssl-dev. Next time, i will test this version on edgy.

Thanks
Herbert Straub

As Debian (and thus Ubuntu) are afraid of linking against libssl-dev, I just added support for hashing with libgcrypt (instead of libcrypto) in GQ trunk.

Unfortunately I'm quite busy right now, and I only added MD5 for the libgcrypt build.

It would be very great if someone went ahead to implement the missing hash mechanisms with libgcrypt on GQ trunk. Please contact me if you're intested in getting this complete for GQ 1.2 (targeted for mid-september).

Sven,
Can you please post a patch with your changes to this bug?

Thanks,
Ben

I can't because, because GQ 1.1 has had a lot of incompatible changes to GQ 1.0.0, so backporting isn't trivial.

BTW, and I don't think it makes sense to add extra workload to backport a feature that will be released next month.

Sven Herzberg wrote:

> I can't because, because GQ 1.1 has had a lot of incompatible changes to
> GQ 1.0.0, so backporting isn't trivial.

OK, I didn't realize that upstream development had restarted.

> BTW, and I don't think it makes sense to add extra workload to backport
> a feature that will be released next month.

I agree! Once the new version is released we will have to update the
package in Ubuntu edgy via an upstream version freeze exception request.

Ben

--
Benjamin Montgomery <email address hidden>

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

This is fixed with the lastest release of GQ (1.2.0), please rebuild this one (and add libgcrypt-dev to the build-depends to automatically detect it).

Will we get the updated 1.2.0 for edgy?

This bug can be closed, because it is fixed in edgy. I installed gq 1.0.0-3ubuntu1 and now i can select the hash in the userpassword field. The debian changelog:

gq (1.0.0-3) unstable; urgency=low
  * Build-Depend on libssl-dev (closes: #242532)