Kerberos: The Definitive Guide by Jason Garman

The Simple Authentication and Security Layer (SASL)

The Cyrus SASL project forms the basis for several other products’ authentication and session encryption support, most notably the Cyrus IMAP mail server and the OpenLDAP directory server. The Cyrus Simple Authentication and Security Layer (SASL) project provides an extensible framework for network protocol authentication. It is more generic than PAM in that SASL supports more complex authentication exchanges, such as Kerberos mutual authentication, and also supports the negotiation of a security layer (encryption) for later protocol exchanges once authentication is complete. SASL is documented as Internet RFC 2222.

SASL supports native Kerberos 5 authentication through the GSSAPI interface. Other authentication methods that SASL provides to applications include Kerberos 4 and standard /etc/passwd or /etc/shadow authentication (optionally through a privileged daemon process for services that don’t have the necessary privileges to read the system password database). In addition, SASL supports several database-backed authentication methods, including sasldb, which uses a lightweight database such as Berkeley DB or GDBM to store username/password pairs, and a mysql driver that uses the MySQL database to store authentication secrets.
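The security-layer negotiation that follows GSSAPI authentication can be made concrete with a short added example (not code from the book or from Cyrus SASL). It follows the octet layout RFC 2222 gives for the GSSAPI mechanism, assumes the payloads have already been unwrapped by the GSSAPI library, and uses hypothetical function names and constructed sample bytes.

```python
# Security-layer bits defined for the GSSAPI mechanism in RFC 2222.
LAYER_NONE, LAYER_INTEGRITY, LAYER_PRIVACY = 1, 2, 4


def parse_server_offer(payload: bytes):
    """Decode the server's offer: 1 octet of layer bits, 3 octets of max size."""
    if len(payload) != 4:
        raise ValueError("server offer must be exactly 4 octets")
    mask = payload[0]
    max_size = int.from_bytes(payload[1:4], "big")  # network byte order
    return mask, max_size


def choose_layer(server_mask: int, client_mask: int, minimum: int) -> int:
    """Pick the strongest layer both sides support.

    Raises instead of silently accepting a layer weaker than `minimum`,
    so a peer offering only "no security layer" cannot force a downgrade.
    """
    common = server_mask & client_mask
    for layer in (LAYER_PRIVACY, LAYER_INTEGRITY, LAYER_NONE):
        if common & layer:
            if layer < minimum:
                break  # best mutual layer is below local policy
            return layer
    raise ValueError("no mutually supported security layer meets the minimum")


def build_client_reply(layer: int, client_max_size: int, authzid: str = "") -> bytes:
    """Encode the client's reply: selected layer, max size, authorization identity."""
    if layer not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_PRIVACY):
        raise ValueError("exactly one security layer must be selected")
    if not 0 <= client_max_size < 1 << 24:
        raise ValueError("max size must fit in 3 octets")
    return bytes([layer]) + client_max_size.to_bytes(3, "big") + authzid.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample: server offers all three layers, max message 65536 bytes.
    offer = bytes([0x07, 0x01, 0x00, 0x00])
    mask, size = parse_server_offer(offer)
    # Client policy (assumed): supports integrity and privacy, requires integrity.
    layer = choose_layer(mask, LAYER_INTEGRITY | LAYER_PRIVACY, LAYER_INTEGRITY)
    print(layer, build_client_reply(layer, 65536, "alice").hex())
```

In a real exchange both messages travel inside GSSAPI wrap tokens, so the selected layer is bound to the authenticated context rather than sent in the clear.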

SASL also includes a daemon process, saslauthd, which can provide password-based Kerberos 5 support to SASL-based applications similar to that of PAM. We’ll cover how to build and enable this password ...
