From 579a49c3b0c3e7770003a855e81d2a24248e345e Mon Sep 17 00:00:00 2001
From: Thomas Reim
Date: Sat, 13 Aug 2022 05:14:11 +0200
Subject: autofs-5.1.8 - support SCRAM for SASL binding
In general, automount users that apply SASL binding for authentication are free to use any SASL mechanism supported by the underlying SASL library. automounter does not check the specified mechanism and transparently forwards the information to SASL or LDAP. Most directory services now support the more secure Salted Challenge Response Authentication Mechanismis (SCRAM) for SASL binding (RFC 5802). But automount user cannot request use of SCRAM, as automount does not read user and password credentials for SCRAM mechanisms. This patch enables SCRAM-SHA-1 and other SCRAM mechanisms (if supported by SASL library). In addition, autoconf now checks for and prints all SASL mechanisms that are supported by the underlying SASL library. This may be used in future versions of autofs when new more secure SCRAM mechanisms, e. g. SCRAM-PLUS mechanisms with channel binding will be introduced.
Signed-off-by: Thomas Reim
---
 aclocal.m4 | 63 ++++++++++++++++++++++++++++++++++
 configure.in | 1 +
 man/autofs_ldap_auth.conf.5.in | 2 +-
 modules/cyrus-sasl.c | 4 +--
 modules/lookup_ldap.c | 5 ++-
 5 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/aclocal.m4 b/aclocal.m4
index 9fc20bf..123d81e 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -368,6 +368,69 @@ AC_DEFUN( LIBS="$af_check_ldap_parse_page_control_save_libs" ]) + +dnl -------------------------------------------------------------------------- +dnl AF_GET_FUNC_SASL_SUPPORTED_MECHANISMS +dnl +dnl Check for supported sasl mechanisms +dnl -------------------------------------------------------------------------- +AC_DEFUN( + [AF_GET_FUNC_SASL_SUPPORTED_MECHANISMS], + [AC_CACHE_CHECK( + [for supported sasl mechanisms], + [af_cv_supported_sasl_mechanims], + [ af_cv_supported_sasl_mechanims="" + # save current libs + af_get_sasl_mechs_save_libs="$LIBS" + LIBS="$LIBSASL" + + AC_RUN_IFELSE( + [ AC_LANG_PROGRAM( + [[ #include + #include + #include + #include ]], + [[ char* mech_list; + const char* np; + const char** p; + size_t len = 1; + int result; + + result = sasl_client_init(NULL); + if (result != SASL_OK) + exit(1); + p = sasl_global_listmech(); + mech_list = malloc(1); + if (!mech_list) + exit(1); + mech_list[0] = '\0'; + for (np=*p; np != NULL; np=*(++p)) { + char* temp = realloc(mech_list, strlen(np) + strlen(mech_list) + len); + if(!temp) { + free(mech_list); + exit(1); + } + mech_list = temp; + if (len > 1) + strcat(mech_list, " "); + strcat(mech_list, np); + len = 2; + } + fputs(mech_list, stderr); + free(mech_list); ]] + ) ], + [af_cv_supported_sasl_mechanims=$(./conftest$EXEEXT 2>&1)], + [AC_MSG_RESULT(skipped)]) + + if [[[ "$af_cv_supported_sasl_mechanims" == *"SCRAM-SHA-"* ]]]; then + AC_DEFINE(WITH_SCRAM,1, + [Define if SCRAM-SHA-1 is supported by SASL]) + fi + + # restore libs + LIBS="$af_get_sasl_mechs_save_libs" ]) + ]) + dnl -------------------------------------------------------------------------- dnl AF_CHECK_FUNC_LDAP_CREATE_PAGE_CONTROL dnl diff --git a/configure.in b/configure.in index 45f3234..026c6c6 100644 --- a/configure.in +++ b/configure.in 
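Review bot: The SCRAM test `if [[[ "$af_cv_supported_sasl_mechanims" == *"SCRAM-SHA-"* ]]]` emits a bash-only `[[ ... ]]` pattern match into configure, which runs under /bin/sh and breaks on shells such as dash; a portable form is `case "$af_cv_supported_sasl_mechanims" in *SCRAM-SHA-*) AC_DEFINE(WITH_SCRAM, 1, [Define if SCRAM-SHA-1 is supported by SASL]) ;; esac`. That test also sits inside the compute block of AC_CACHE_CHECK, so a run that takes the value from config.cache never reaches AC_DEFINE and silently builds without WITH_SCRAM; the `case` belongs after the AC_CACHE_CHECK call. AC_RUN_IFELSE is given no action-if-cross-compiling, so a cross build aborts instead of skipping the probe; pass a fourth argument such as `[af_cv_supported_sasl_mechanims=""]`. In the probe program `p` returned by `sasl_global_listmech()` is dereferenced in the for loop without a NULL check and sasl_done() is never called; if the library can return NULL here (I believe it does when no mechanism is available), add `if (!p) exit(1);` before the loop.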
@@ -347,6 +347,7 @@ then if test "$HAVE_SASL" = "1"; then AC_DEFINE(WITH_SASL,1, [Define if using SASL authentication with the LDAP module]) + AF_GET_FUNC_SASL_SUPPORTED_MECHANISMS() fi fi diff --git a/man/autofs_ldap_auth.conf.5.in b/man/autofs_ldap_auth.conf.5.in index 2357566..0b3c706 100644 --- a/man/autofs_ldap_auth.conf.5.in +++ b/man/autofs_ldap_auth.conf.5.in @@ -60,7 +60,7 @@ authentication mechanism. If no suitable mechanism can be found, connections to the ldap server are made without authentication. Finally, if it is set to simple, then simple authentication will be used instead of SASL. .TP -\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5|EXTERNAL"\fP +\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"|"SCRAM-SHA-1"|"EXTERNAL"\fP This attribute can be used to specify a preferred authentication mechanism. In normal operations, the automounter will attempt to authenticate to the ldap server using the list of supportedSASLmechanisms obtained from the diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c index 888d07b..8eafd97 100644 --- a/modules/cyrus-sasl.c +++ b/modules/cyrus-sasl.c @@ -35,7 +35,7 @@ * * This file implements SASL authentication to an LDAP server for the * following mechanisms: - * GSSAPI, EXTERNAL, ANONYMOUS, PLAIN, DIGEST-MD5, KERBEROS_V5, LOGIN + * GSSAPI, EXTERNAL, ANONYMOUS, PLAIN, DIGEST-MD5, SCRAM-SHA-1, KERBEROS_V5, LOGIN * The mechanism to use is specified in an external file, * LDAP_AUTH_CONF_FILE. See the samples directory in the autofs * distribution for an example configuration file. @@ -1017,7 +1017,7 @@ sasl_choose_mech(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt) * This routine is called if there is no configured * mechanism. As such, we can skip over any auth * mechanisms that require user credentials. These include - * PLAIN, LOGIN, and DIGEST-MD5. + * PLAIN, LOGIN, SCRAM-SHA-1, and DIGEST-MD5. */ if (authtype_requires_creds(mechanisms[i])) continue; 
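Review bot: The updated header comment in cyrus-sasl.c names SCRAM-SHA-1 as the only SCRAM mechanism, but the credential check this commit adds in lookup_ldap.c matches the `SCRAM-SHA-` prefix, so any SCRAM-SHA mechanism the SASL library offers (e.g. SCRAM-SHA-256) takes the same credential path; the comment, and the one in sasl_choose_mech, would be more accurate as `SCRAM-SHA-*`. The man page hunk in this commit carries the same SCRAM-SHA-1-only wording. sasl_choose_mech starts and ends outside the second cyrus-sasl.c hunk.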
diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c index ce42601..258743e 100644 --- a/modules/lookup_ldap.c +++ b/modules/lookup_ldap.c @@ -1233,7 +1233,7 @@ int get_property(unsigned logopt, xmlNodePtr node, const char *prop, char **valu } /* - * For plain text, login and digest-md5 authentication types, we need + * For plain text, login, scram-sha-1 and digest-md5 authentication types, we need * user and password credentials. */ int authtype_requires_creds(const char *authtype) @@ -1241,6 +1241,9 @@ int authtype_requires_creds(const char *authtype) #ifdef WITH_SASL if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) || !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) || +#ifdef WITH_SCRAM + !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) || +#endif !strncmp(authtype, "LOGIN", strlen("LOGIN"))) return 1; #endif -- 2.37.2
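Review bot: Gating the `SCRAM-SHA-` prefix match on the build-time WITH_SCRAM ties a runtime decision to the SASL plugins that happened to be installed on the build host: Cyrus SASL mechanisms are loaded as plugins at run time, so a binary configured where no SCRAM plugin existed will, on a host that has one, accept `authtype="SCRAM-SHA-1"` without requiring user and secret and presumably attempt the bind with no credentials, failing only at the server. The comparison is a plain string test with no dependency on libsasl, so drop the `#ifdef WITH_SCRAM`/`#endif` pair and keep `!strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) ||` unconditional inside the existing WITH_SASL block. The comment changed in the first hunk could likewise say `scram-sha-*`, since the match is a prefix. authtype_requires_creds continues past the end of the second hunk.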