Cyrus SASL Packages for Debian
SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. This page contains information about the Debian packages for Cyrus SASL, which is an implementation of SASL by Carnegie Mellon University.
User Information
The Cyrus SASL packaging team has found that users often have difficulties with setting up Cyrus SASL and their favourite application (Postfix, OpenLDAP, Exim, etc.). One major reason is the lack of consistent documentation - there is lots of it, but the quality is often poor. We are working on improving the documentation, and we welcome any documentation contributions.
We currently have the following documentation outline:
- How Cyrus SASL basically works; its architecture (discussion of mechanisms, methods, etc.)
- How Cyrus SASL must be configured to get XYZ; a collection of "recipes".
- How other applications must be configured to make Cyrus SASL work. For example, how must OpenLDAP be configured so that the ldapdb auxprop plugin works for other applications? Some items in this category belong to other packages, but we decide on a case-by-case basis.
Work in Progress
PostfixAndSASL has information about getting Postfix SMTP AUTH to work with SASL.
Mini-HOWTOs
We're collecting minimal documents on how to set up Cyrus SASL for certain configurations. Below is a list of the plugins that ship with Cyrus SASL. Fill in minimal information about what the purpose of the plugin is, how to set it up and what it conflicts with.
ANONYMOUS
CRAM-MD5
DIGEST-MD5
GSSAPI
There are two GSSAPI implementations available in Debian: the MIT implementation and the Heimdal implementation. We will not go into the details of which one to choose; search elsewhere for that information. We support both.
MIT Kerberos
To install and set up a test instance of the MIT implementation, do this:
apt-get install krb5-admin-server krb5-kdc
Set your realm to something reasonable, like MYREALM or EXAMPLE.COM. Edit /etc/krb5.conf and make it look similar to this:
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = <external ip>
        admin_server = <external ip>
        default_domain = example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
Note that the IP addresses above really need to be something other than 127.0.0.1, or things won't work. You can use a NAT IP or whatever when testing, but don't use 127.0.0.1.
Now you can create a principal (roughly, an "account" in Kerberos). Run sudo kadmin.local and give the command addprinc <your login>, then choose a password for yourself. Quit with the command quit. Now, as the normal user with the same login you just created a principal for, run kinit and enter your Kerberos password. It should print nothing, but if you run klist you will see that you have obtained a Kerberos ticket. You can destroy it manually with kdestroy, but it will expire automatically after some time.
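As an added example (not part of this wiki page or of the Cyrus SASL packages), a small Python checker that parses a krb5.conf in the shape shown above and flags the mistake the note warns about: a kdc or admin_server pointing at 127.0.0.1. The sample configuration is constructed; the loopback check is a plain string test, not a full address parser.

```python
# Constructed sample in the shape of the krb5.conf above, with the mistake the note warns about.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = 127.0.0.1
        admin_server = 192.0.2.10
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """{section: {key: value or {key: value}}}; one level of { } nesting, as [realms] uses."""
    conf, section, block = {}, None, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):       # new [section]
            section, block = conf.setdefault(line[1:-1], {}), None
            continue
        if section is None or (line == "}" and block is None):
            raise ValueError("stray line outside a section or block: " + line)
        if line == "}":                                        # end of a { } block
            block = None
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":                                       # start of a { } block
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section)[key] = value
    if block is not None:
        raise ValueError("a '{' block was never closed with '}'")
    return conf

def check_krb5_conf(text):
    """List the problems a test KDC setup would hit; an empty list means it looks OK."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    problems = [] if realm else ["no default_realm in [libdefaults]"]
    realm_conf = conf.get("realms", {}).get(realm, {})
    for key in ("kdc", "admin_server"):
        host = realm_conf.get(key, "").split(":")[0]   # drop an optional :port (IPv4 form)
        if not host:
            problems.append(key + " is not set for realm " + str(realm))
        elif host.startswith("127.") or host in ("localhost", "::1"):
            problems.append(key + " = " + host + " is a loopback address")
    return problems
```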
Heimdal Kerberos
LDAPDB
LOGIN
NTLM
OTP
One-Time Passwords (OTP) are, roughly speaking, a method where the user is presented with a challenge and has to provide a response. The response is calculated using a program, so a new key is generated for each session. This means that even if someone obtained the session key, it would already be useless, because next time a new key will be generated.
PASSDSS
PLAIN
SASLDB
SQL
SRP
Developer Information
You can checkout the code with this command:
git clone git://anonscm.debian.org/pkg-cyrus-sasl2/cyrus-sasl2.git
The branches currently in the repository are:
- master
- master-wheezy
- pristine-tar
- upstream
Main development was recently shifted with the upload of the first 2.1.26 package to unstable following several months of 2.1.26 uploads to experimental. The master branch is where development for unstable is taking place, while the master-wheezy branch is where any changes to the packages in stable would take place.
There are several open bugs related to memory leaks, segmentation faults, and other difficult-to-reproduce behaviours. Please check the BTS to see if you can help with one of these bugs.
