In SASL authentication, are the messages between a particular client and server the same every time
Posted
by karenc
on Server Fault
See other posts from Server Fault
or by karenc
Published on 2010-01-22T21:59:53Z
Indexed on
2010/04/02
16:03 UTC
Read the original article
Hit count: 515
I wrote a test client and server using the Cyrus SASL library, and I'm manually forcing it to select GSSAPI as the mechanism. While debugging, I printed the md5sum of each message as it was passed between the two. I noticed that the sequence seems to be the same every time I connect. That is, if the message sequence on the first negotiation was clientMessage1, serverResponse1, clientMessage2, etc... to successful authentication, if I then restart my client, the same clientMessage1, serverResponse2, clientMessage2,etc... sequence is repeated.
It seems to me like it would be a security concern. Is this the correct behavior and if so, should I be wrapping these communications in TLS or something?
© Server Fault or respective owner