When I start working on a new project, I usually start by writing a “Hello, World” program and going step by step from there. When trying to learn Cyrus SASL, I found I needed something comparable that showed both the client and server side of the connection. While the end state of using SASL should be communication that is both authenticated and encrypted, to start I just wanted to see the protocol in action, using clear text and no authentication.
UPDATE: Note that the client and server code are provided with the cyrus-sasl-devel RPM on a Fedora system and comparable packages elsewhere.
I started by running the server:
/usr/bin/sasl2-sample-server -h localhost -p 1789 -m ANONYMOUS
Why did I choose 1789? It is the port for the hello service:
$ getent services hello
hello 1789/tcp
The -m flag has the value ANONYMOUS, meaning no authentication is required.
Starting up the server showed:
trying 2, 1, 6
trying 10, 1, 6
bind: Address already in use
This last line looks like a failure, but as we will see, it is not. I ignored it to start.
To test a connection to it, I ran the following in a second terminal window.
sasl2-sample-client -p 1789 -m ANONYMOUS localhost
Here is what that session looked like:
$ sasl2-sample-client -p 1789 -m ANONYMOUS localhost
receiving capability list...
recv: {9} ANONYMOUS
ANONYMOUS
please enter an authorization id: ADMIYO
using mechanism ANONYMOUS
send: {9} ANONYMOUS
send: {1} Y
send: {21} ADMIYO@ayoung541.test
waiting for server reply...
successful authentication
closing connection
Note that I was prompted for the authorization id and I entered the string 'ADMIYO'. I intentionally chose something that I would not expect to be a standard part of the output, so I could see the effect I was having. Here is the server side of the communication as logged:
accepted new connection
forcing use of mechanism ANONYMOUS
send: {9} ANONYMOUS
waiting for client mechanism...
recv: {9} ANONYMOUS
recv: {1} Y
recv: {21} ADMIYO@ayoung541.test
negotiation complete
successful authentication 'anonymous'
closing connection
Let’s take a look on the (virtual) wire. Running tcpdump like this:
sudo tcpdump -i lo port 1789
For the first part of the interaction (prior to typing in the string ADMIYO) the output is:
12:02:42.201997 IP6 localhost.53196 > localhost.hello: Flags [S], seq 2530750333, win 43690, options [mss 65476,sackOK,TS val 1486702922 ecr 0,nop,wscale 7], length 0
12:02:42.202012 IP6 localhost.hello > localhost.53196: Flags [R.], seq 0, ack 2530750334, win 0, length 0
12:02:42.202053 IP localhost.50258 > localhost.hello: Flags [S], seq 2408359983, win 43690, options [mss 65495,sackOK,TS val 1486702922 ecr 0,nop,wscale 7], length 0
12:02:42.202067 IP localhost.hello > localhost.50258: Flags [S.], seq 11931919, ack 2408359984, win 43690, options [mss 65495,sackOK,TS val 1486702922 ecr 1486702922,nop,wscale 7], length 0
Once I type in ADMIYO and hit return in the client I see:
12:04:51.107447 IP localhost.50258 > localhost.hello: Flags [P.], seq 1:15, ack 15, win 342, options [nop,nop,TS val 1486831827 ecr 1486702922], length 14
12:04:51.107530 IP localhost.hello > localhost.50258: Flags [.], ack 15, win 342, options [nop,nop,TS val 1486831827 ecr 1486831827], length 0
12:04:51.107551 IP localhost.50258 > localhost.hello: Flags [P.], seq 15:21, ack 15, win 342, options [nop,nop,TS val 1486831827 ecr 1486831827], length 6
12:04:51.107563 IP localhost.hello > localhost.50258: Flags [.], ack 21, win 342, options [nop,nop,TS val 1486831827 ecr 1486831827], length 0
Let’s see if the server can correctly translate the port for the “hello” service.
Running
$ /usr/bin/sasl2-sample-server -h localhost -s hello -m ANONYMOUS
tcpdump shows the following output:
12:06:57.628798 IP6 localhost.53252 > localhost.hello: Flags [S], seq 2637706072, win 43690, options [mss 65476,sackOK,TS val 1486958349 ecr 0,nop,wscale 7], length 0
12:06:57.628815 IP6 localhost.hello > localhost.53252: Flags [R.], seq 0, ack 2637706073, win 0, length 0
12:06:57.628859 IP localhost.50314 > localhost.hello: Flags [S], seq 1432008138, win 43690, options [mss 65495,sackOK,TS val 1486958349 ecr 0,nop,wscale 7], length 0
12:06:57.628875 IP localhost.hello > localhost.50314: Flags [R.], seq 0, ack 1432008139, win 0, length 0
12:07:21.065692 IP6 localhost.53262 > localhost.hello: Flags [S], seq 1562244294, win 43690, options [mss 65476,sackOK,TS val 1486981785 ecr 0,nop,wscale 7], length 0
12:07:21.065712 IP6 localhost.hello > localhost.53262: Flags [R.], seq 0, ack 1562244295, win 0, length 0
12:07:21.065775 IP localhost.50324 > localhost.hello: Flags [S], seq 4166967599, win 43690, options [mss 65495,sackOK,TS val 1486981786 ecr 0,nop,wscale 7], length 0
12:07:21.065791 IP localhost.hello > localhost.50324: Flags [R.], seq 0, ack 4166967600, win 0, length 0
Note that I had to change how I called the client to:
$ sasl2-sample-client -s hello -m ANONYMOUS localhost
Why is that? My suspicion is that the service name is part of the SASL handshake. Let’s see if we can find out. To start, let’s tell tcpdump to dump the contents of the packets in hex and ASCII:
sudo tcpdump -XX -i lo port 1789
Running both the server and the client with the explicit port assigned, I get the following dump:
12:12:08.992969 IP6 localhost.53316 > localhost.hello: Flags [S], seq 2611436863, win 43690, options [mss 65476,sackOK,TS val 1487269713 ecr 0,nop,wscale 7], length 0 0x0000: 0000 0000 0000 0000 0000 0000 86dd 6000 ..............`. 0x0010: 8995 0028 0640 0000 0000 0000 0000 0000 ...(.@.......... 0x0020: 0000 0000 0001 0000 0000 0000 0000 0000 ................ 0x0030: 0000 0000 0001 d044 06fd 9ba7 5d3f 0000 .......D....]?.. 0x0040: 0000 a002 aaaa 0030 0000 0204 ffc4 0402 .......0........ 0x0050: 080a 58a5 ef51 0000 0000 0103 0307 ..X..Q........ 12:12:08.992986 IP6 localhost.hello > localhost.53316: Flags [R.], seq 0, ack 2611436864, win 0, length 0 0x0000: 0000 0000 0000 0000 0000 0000 86dd 6007 ..............`. 0x0010: bb57 0014 0640 0000 0000 0000 0000 0000 .W...@.......... 0x0020: 0000 0000 0001 0000 0000 0000 0000 0000 ................ 0x0030: 0000 0000 0001 06fd d044 0000 0000 9ba7 .........D...... 0x0040: 5d40 5014 0000 001c 0000 ]@P....... 12:12:08.993035 IP localhost.50378 > localhost.hello: Flags [S], seq 613533991, win 43690, options [mss 65495,sackOK,TS val 1487269713 ecr 0,nop,wscale 7], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 003c 2676 4000 4006 1644 7f00 0001 7f00 .<&v@.@..D...... 0x0020: 0001 c4ca 06fd 2491 c927 0000 0000 a002 ......$..'...... 0x0030: aaaa fe30 0000 0204 ffd7 0402 080a 58a5 ...0..........X. 0x0040: ef51 0000 0000 0103 0307 .Q........ 12:12:08.993053 IP localhost.hello > localhost.50378: Flags [S.], seq 561556928, ack 613533992, win 43690, options [mss 65495,sackOK,TS val 1487269713 ecr 1487269713,nop,wscale 7], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 003c 0000 4000 4006 3cba 7f00 0001 7f00 .<..@.@.<....... 0x0020: 0001 06fd c4ca 2178 adc0 2491 c928 a012 ......!x..$..(.. 0x0030: aaaa fe30 0000 0204 ffd7 0402 080a 58a5 ...0..........X. 0x0040: ef51 58a5 ef51 0103 0307 .QX..Q.... 
12:12:11.741135 IP localhost.50378 > localhost.hello: Flags [P.], seq 1:15, ack 15, win 342, options [nop,nop,TS val 1487272461 ecr 1487269713], length 14 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0042 2679 4000 4006 163b 7f00 0001 7f00 .B&y@.@..;...... 0x0020: 0001 c4ca 06fd 2491 c928 2178 adcf 8018 ......$..(!x.... 0x0030: 0156 fe36 0000 0101 080a 58a5 fa0d 58a5 .V.6......X...X. 0x0040: ef51 7b39 7d0d 0a41 4e4f 4e59 4d4f 5553 .Q{9}..ANONYMOUS 12:12:11.741183 IP localhost.hello > localhost.50378: Flags [.], ack 15, win 342, options [nop,nop,TS val 1487272461 ecr 1487272461], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 4291 4000 4006 fa30 7f00 0001 7f00 .4B.@.@..0...... 0x0020: 0001 06fd c4ca 2178 adcf 2491 c936 8010 ......!x..$..6.. 0x0030: 0156 fe28 0000 0101 080a 58a5 fa0d 58a5 .V.(......X...X. 0x0040: fa0d .. 12:12:11.741193 IP localhost.50378 > localhost.hello: Flags [P.], seq 15:48, ack 15, win 342, options [nop,nop,TS val 1487272461 ecr 1487272461], length 33 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0055 267a 4000 4006 1627 7f00 0001 7f00 .U&z@.@..'...... 0x0020: 0001 c4ca 06fd 2491 c936 2178 adcf 8018 ......$..6!x.... 0x0030: 0156 fe49 0000 0101 080a 58a5 fa0d 58a5 .V.I......X...X. 0x0040: fa0d 7b31 7d0d 0a59 7b32 317d 0d0a 4144 ..{1}..Y{21}..AD 0x0050: 4d49 594f 4061 796f 756e 6735 3431 2e74 MIYO@ayoung541.t 0x0060: 6573 74 est 12:12:11.741198 IP localhost.hello > localhost.50378: Flags [.], ack 48, win 342, options [nop,nop,TS val 1487272461 ecr 1487272461], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 4292 4000 4006 fa2f 7f00 0001 7f00 .4B.@.@../...... 0x0020: 0001 06fd c4ca 2178 adcf 2491 c957 8010 ......!x..$..W.. 0x0030: 0156 fe28 0000 0101 080a 58a5 fa0d 58a5 .V.(......X...X. 0x0040: fa0d .. 
12:12:11.741248 IP localhost.hello > localhost.50378: Flags [P.], seq 15:16, ack 48, win 342, options [nop,nop,TS val 1487272461 ecr 1487272461], length 1 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0035 4293 4000 4006 fa2d 7f00 0001 7f00 .5B.@.@..-...... 0x0020: 0001 06fd c4ca 2178 adcf 2491 c957 8018 ......!x..$..W.. 0x0030: 0156 fe29 0000 0101 080a 58a5 fa0d 58a5 .V.)......X...X. 0x0040: fa0d 4f ..O 12:12:11.741260 IP localhost.50378 > localhost.hello: Flags [.], ack 16, win 342, options [nop,nop,TS val 1487272461 ecr 1487272461], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 267b 4000 4006 1647 7f00 0001 7f00 .4&{@.@..G...... 0x0020: 0001 c4ca 06fd 2491 c957 2178 add0 8010 ......$..W!x.... 0x0030: 0156 fe28 0000 0101 080a 58a5 fa0d 58a5 .V.(......X...X. 0x0040: fa0d .. 12:12:11.741263 IP localhost.hello > localhost.50378: Flags [F.], seq 16, ack 48, win 342, options [nop,nop,TS val 1487272461 ecr 1487272461], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 4294 4000 4006 fa2d 7f00 0001 7f00 .4B.@.@..-...... 0x0020: 0001 06fd c4ca 2178 add0 2491 c957 8011 ......!x..$..W.. 0x0030: 0156 fe28 0000 0101 080a 58a5 fa0d 58a5 .V.(......X...X. 0x0040: fa0d .. 12:12:11.741285 IP localhost.hello > localhost.50378: Flags [.], ack 49, win 342, options [nop,nop,TS val 1487272461 ecr 1487272461], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 4295 4000 4006 fa2c 7f00 0001 7f00 .4B.@.@..,...... 0x0020: 0001 06fd c4ca 2178 add1 2491 c958 8010 ......!x..$..X.. 0x0030: 0156 fe28 0000 0101 080a 58a5 fa0d 58a5 .V.(......X...X. 0x0040: fa0d ..
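The ASCII column of the dump above shows how the sample programs frame each SASL message on the wire: a decimal length in braces, a CRLF, then exactly that many bytes ({9} ANONYMOUS, then {1} Y and {21} ADMIYO@ayoung541.test packed into one segment). As an added example, not code from the cyrus-sasl project, this Python script decodes that framing from a byte stream; the framing rule is inferred from the capture, and the sample input is constructed from the ASCII shown in the dump.

```python
"""Decode the length-prefixed framing seen in the tcpdump -XX capture of the
Cyrus SASL sample client.  Added example; the "{<len>}\r\n<payload>" rule is
inferred from the captured bytes, not taken from the project's source."""
import re

# Constructed from the two client segments in the capture above:
# seq 1:15 (14 bytes) and seq 15:48 (33 bytes).  The server's final one-byte
# reply "O" in the capture carries no such header, so it is not fed in here.
CLIENT_SEGMENTS = [
    b"{9}\r\nANONYMOUS",
    b"{1}\r\nY{21}\r\nADMIYO@ayoung541.test",
]

FRAME_HEADER = re.compile(rb"^\{(\d+)\}\r\n")


def decode_frames(stream: bytes):
    """Split a byte stream into (list of payloads, unconsumed remainder).

    Frames can be packed together in one TCP segment or split across
    segments, so feed the concatenated stream rather than one segment at a
    time.  A header whose payload has not fully arrived is left in the
    remainder so the caller can append the next segment and retry.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        m = FRAME_HEADER.match(stream[pos:])
        if not m:
            raise ValueError(f"bad frame header at offset {pos}: {stream[pos:pos + 8]!r}")
        n = int(m.group(1))
        start = pos + m.end()
        if start + n > len(stream):
            break  # incomplete frame: wait for more data
        frames.append(stream[start:start + n])
        pos = start + n
    return frames, stream[pos:]


def decode_client_handshake(segments):
    """Reassemble the client side of the ANONYMOUS exchange from its segments."""
    frames, rest = decode_frames(b"".join(segments))
    if rest:
        raise ValueError(f"trailing partial frame: {rest!r}")
    return frames


if __name__ == "__main__":
    for payload in decode_client_handshake(CLIENT_SEGMENTS):
        print(f"{{{len(payload)}}} {payload.decode()}")
```

Decoded this way, the only things the client puts on the wire for ANONYMOUS are the mechanism name, the one-byte Y flag, and the authorization identity; the service name given with -s does not appear in any frame.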
But running with -s hello shows nothing. Is it running on a different port? Let’s use lsof to check. First run the server with the -s hello flag set, then run lsof to see what is going on:
$ ps -ef | grep sasl
ayoung 2513 25933 0 12:14 pts/1 00:00:00 /usr/bin/sasl2-sample-server -h localhost -s hello -m ANONYMOUS
$ sudo lsof -p 2513 | grep TCP
sasl2-sam 2513 ayoung 3u IPv4 26451981 0t0 TCP *:italk (LISTEN)
$ getent services italk
italk 12345/tcp
Let’s see if tcpdump can confirm. Run it like this:
$ sudo tcpdump -XX -i lo port 12345
And after running both server and client with -s hello I see:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes 12:18:48.995740 IP6 localhost.38730 > localhost.italk: Flags [S], seq 2085322154, win 43690, options [mss 65476,sackOK,TS val 1487669716 ecr 0,nop,wscale 7], length 0 0x0000: 0000 0000 0000 0000 0000 0000 86dd 600a ..............`. 0x0010: 8706 0028 0640 0000 0000 0000 0000 0000 ...(.@.......... 0x0020: 0000 0000 0001 0000 0000 0000 0000 0000 ................ 0x0030: 0000 0000 0001 974a 3039 7c4b 7daa 0000 .......J09|K}... 0x0040: 0000 a002 aaaa 0030 0000 0204 ffc4 0402 .......0........ 0x0050: 080a 58ac 09d4 0000 0000 0103 0307 ..X........... 12:18:48.995764 IP6 localhost.italk > localhost.38730: Flags [R.], seq 0, ack 2085322155, win 0, length 0 0x0000: 0000 0000 0000 0000 0000 0000 86dd 600f ..............`. 0x0010: e905 0014 0640 0000 0000 0000 0000 0000 .....@.......... 0x0020: 0000 0000 0001 0000 0000 0000 0000 0000 ................ 0x0030: 0000 0000 0001 3039 974a 0000 0000 7c4b ......09.J....|K 0x0040: 7dab 5014 0000 001c 0000 }.P....... 12:18:48.995808 IP localhost.45714 > localhost.italk: Flags [S], seq 4246244983, win 43690, options [mss 65495,sackOK,TS val 1487669716 ecr 0,nop,wscale 7], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 003c 87a3 4000 4006 b516 7f00 0001 7f00 .<..@.@......... 0x0020: 0001 b292 3039 fd18 8e77 0000 0000 a002 ....09...w...... 0x0030: aaaa fe30 0000 0204 ffd7 0402 080a 58ac ...0..........X. 0x0040: 09d4 0000 0000 0103 0307 .......... 12:18:48.995820 IP localhost.italk > localhost.45714: Flags [S.], seq 1101043017, ack 4246244984, win 43690, options [mss 65495,sackOK,TS val 1487669716 ecr 1487669716,nop,wscale 7], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 003c 0000 4000 4006 3cba 7f00 0001 7f00 .<..@.@.<....... 0x0020: 0001 3039 b292 41a0 9549 fd18 8e78 a012 ..09..A..I...x.. 
0x0030: aaaa fe30 0000 0204 ffd7 0402 080a 58ac ...0..........X. 0x0040: 09d4 58ac 09d4 0103 0307 ..X....... 12:18:52.072280 IP localhost.45714 > localhost.italk: Flags [P.], seq 1:15, ack 15, win 342, options [nop,nop,TS val 1487672792 ecr 1487669716], length 14 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0042 87a6 4000 4006 b50d 7f00 0001 7f00 .B..@.@......... 0x0020: 0001 b292 3039 fd18 8e78 41a0 9558 8018 ....09...xA..X.. 0x0030: 0156 fe36 0000 0101 080a 58ac 15d8 58ac .V.6......X...X. 0x0040: 09d4 7b39 7d0d 0a41 4e4f 4e59 4d4f 5553 ..{9}..ANONYMOUS 12:18:52.072343 IP localhost.italk > localhost.45714: Flags [.], ack 15, win 342, options [nop,nop,TS val 1487672792 ecr 1487672792], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 9c9f 4000 4006 a022 7f00 0001 7f00 .4..@.@.."...... 0x0020: 0001 3039 b292 41a0 9558 fd18 8e86 8010 ..09..A..X...... 0x0030: 0156 fe28 0000 0101 080a 58ac 15d8 58ac .V.(......X...X. 0x0040: 15d8 .. 12:18:52.072358 IP localhost.45714 > localhost.italk: Flags [P.], seq 15:48, ack 15, win 342, options [nop,nop,TS val 1487672792 ecr 1487672792], length 33 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0055 87a7 4000 4006 b4f9 7f00 0001 7f00 .U..@.@......... 0x0020: 0001 b292 3039 fd18 8e86 41a0 9558 8018 ....09....A..X.. 0x0030: 0156 fe49 0000 0101 080a 58ac 15d8 58ac .V.I......X...X. 0x0040: 15d8 7b31 7d0d 0a59 7b32 317d 0d0a 4144 ..{1}..Y{21}..AD 0x0050: 4d49 594f 4061 796f 756e 6735 3431 2e74 MIYO@ayoung541.t 0x0060: 6573 74 est 12:18:52.072366 IP localhost.italk > localhost.45714: Flags [.], ack 48, win 342, options [nop,nop,TS val 1487672792 ecr 1487672792], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 9ca0 4000 4006 a021 7f00 0001 7f00 .4..@.@..!...... 0x0020: 0001 3039 b292 41a0 9558 fd18 8ea7 8010 ..09..A..X...... 0x0030: 0156 fe28 0000 0101 080a 58ac 15d8 58ac .V.(......X...X. 0x0040: 15d8 .. 
12:18:52.072464 IP localhost.italk > localhost.45714: Flags [P.], seq 15:16, ack 48, win 342, options [nop,nop,TS val 1487672792 ecr 1487672792], length 1 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0035 9ca1 4000 4006 a01f 7f00 0001 7f00 .5..@.@......... 0x0020: 0001 3039 b292 41a0 9558 fd18 8ea7 8018 ..09..A..X...... 0x0030: 0156 fe29 0000 0101 080a 58ac 15d8 58ac .V.)......X...X. 0x0040: 15d8 4f ..O 12:18:52.072494 IP localhost.45714 > localhost.italk: Flags [.], ack 16, win 342, options [nop,nop,TS val 1487672792 ecr 1487672792], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 87a8 4000 4006 b519 7f00 0001 7f00 .4..@.@......... 0x0020: 0001 b292 3039 fd18 8ea7 41a0 9559 8010 ....09....A..Y.. 0x0030: 0156 fe28 0000 0101 080a 58ac 15d8 58ac .V.(......X...X. 0x0040: 15d8 .. 12:18:52.072501 IP localhost.italk > localhost.45714: Flags [F.], seq 16, ack 48, win 342, options [nop,nop,TS val 1487672792 ecr 1487672792], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 9ca2 4000 4006 a01f 7f00 0001 7f00 .4..@.@......... 0x0020: 0001 3039 b292 41a0 9559 fd18 8ea7 8011 ..09..A..Y...... 0x0030: 0156 fe28 0000 0101 080a 58ac 15d8 58ac .V.(......X...X. 0x0040: 15d8 .. 12:18:52.072529 IP localhost.italk > localhost.45714: Flags [.], ack 49, win 342, options [nop,nop,TS val 1487672792 ecr 1487672792], length 0 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 0034 9ca3 4000 4006 a01e 7f00 0001 7f00 .4..@.@......... 0x0020: 0001 3039 b292 41a0 955a fd18 8ea8 8010 ..09..A..Z...... 0x0030: 0156 fe28 0000 0101 080a 58ac 15d8 58ac .V.(......X...X. 0x0040: 15d8 ..
As a final test, let’s see what happens when I tell the client to use that port explicitly. Running:
sasl2-sample-client -p 12345 -m ANONYMOUS localhost
Generates the proper output:
receiving capability list...
recv: {9} ANONYMOUS
ANONYMOUS
please enter an authorization id: ADMIYO
using mechanism ANONYMOUS
send: {9} ANONYMOUS
send: {1} Y
send: {21} ADMIYO@ayoung541.test
waiting for server reply...
successful authentication
closing connection