In SASL authentication, are the messages between a particular client and server the same every time

Posted by karenc on Server Fault
Published on 2010-01-22T21:59:53Z Indexed on 2010/04/02 16:03 UTC
Hit count: 509


I wrote a test client and server using the Cyrus SASL library, and I'm manually forcing it to select GSSAPI as the mechanism. While debugging, I printed the md5sum of each message as it was passed between the two. I noticed that the sequence seems to be the same every time I connect. That is, if the message sequence on the first negotiation was clientMessage1, serverResponse1, clientMessage2, etc. to successful authentication, if I then restart my client, the same clientMessage1, serverResponse2, clientMessage2, etc. sequence is repeated.

It seems to me like it would be a security concern. Is this the correct behavior, and if so, should I be wrapping these communications in TLS or something?

© Server Fault or respective owner
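As an added example (not code from the post or from the Cyrus SASL project), a Python helper for the comparison the question describes: it digests each step of two captured handshakes, flags the steps that are byte-identical across runs, and decodes the mechanism OID from the RFC 2743 initial token header so you can confirm the first client message really is a Kerberos 5 GSSAPI token. The two captures are constructed placeholders with a valid token header around dummy inner bytes, not real Kerberos tokens.

```python
"""Compare per-step SASL/GSSAPI handshake messages across two connections."""
import hashlib

KRB5_OID = "1.2.840.113554.1.2.2"          # Kerberos 5 GSSAPI mechanism
KRB5_DER = bytes.fromhex("2a864886f71201020202"[:18])  # DER contents of that OID


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body):
    """Decode DER OID contents into dotted-decimal form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def mech_oid(token):
    """Mechanism OID of an RFC 2743 InitialContextToken (0x60 tag), or None.

    Only the first client token carries this header; later tokens are raw
    mechanism data and return None."""
    if not token or token[0] != 0x60:
        return None
    _, pos = _der_len(token, 1)
    if token[pos] != 0x06:
        return None
    oid_len, pos = _der_len(token, pos + 1)
    return _decode_oid(token[pos:pos + oid_len])


def compare_runs(run_a, run_b):
    """Pair each step of two captured handshakes.

    Returns a list of (step, mech_oid_or_None, identical) tuples; a True
    flag means the step's bytes (hence its md5sum) repeated across runs."""
    report = []
    for step, (a, b) in enumerate(zip(run_a, run_b)):
        same = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
        report.append((step, mech_oid(a), same))
    return report


def build_initial_token(mech_der_oid, inner):
    """Constructed helper: wrap dummy inner bytes in a short-form token header."""
    body = b"\x06" + bytes([len(mech_der_oid)]) + mech_der_oid + inner
    assert len(body) < 0x80, "short-form DER length only, for these samples"
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample captures: two connections, two steps each.
RUN_A = [build_initial_token(KRB5_DER, b"apreq-with-authenticator-A"), b"server-accept"]
RUN_B = [build_initial_token(KRB5_DER, b"apreq-with-authenticator-B"), b"server-accept"]

if __name__ == "__main__":
    for step, oid, same in compare_runs(RUN_A, RUN_B):
        print(f"step {step}: mech={oid or 'continuation'} identical={same}")
```

In a real capture, feed the raw bytes that the SASL library hands back from each client and server step in place of the constructed lists.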
