Re: memcached + SASL: Password verification failed
t/binary-sasl.t under memcached/memcached should show you examples of how
to authenticate. You should be able to just hack up the test to get more
information about what the password files look like/etc. it writes it out
to tmp.
seems some systems require the @hostname and some don't (mine doesn't, I
haven't looked into why)
On Tue, 19 Mar 2019, Jiuming Shao wrote:
> Thanks for getting back to me! I referred to that because memcached/memcached
> does not tell me how the binary protocol packets for SASL
> AUTH looks like. For all the server configuration and db setup, I followed
> https://github.com/memcached/memcached/wiki/SASLHowto
> and https://github.com/memcached/memcached/wiki/SASLAuthProtocol
> Please let me know when you have time to take a closer look.
>
> Cheers!
> Jiuming
>
> dormando 于2019年3月18日周一 下午4:10写道:
> Hey,
>
> Can look more closely later, but a few quick things that might help:
>
> 1) stick to memcached/memcached on github - that's an old couchbase fork
> you linked to. If you're using couchbase you need to talk to them
> instead.
>
> 2) in the t/ dir there're some unit tests for SASL which might help you
> understand the workflow better.
>
> On Mon, 18 Mar 2019, Jiuming Shao wrote:
>
> > Hey all,
> > I am writing my own implementation of a memcachedClient within which
> I want to add authentication. I just started with
> PLAIN auth but
> > failed.
> >
> > My main reference is this one
> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
> > My guess is that the binary message I am sending through the wire was
> wrong, thus it could never match with the secret I
> store in the db
> > file.
> > After searching around, I found out the SASL_AUTH(0X21) is also a
> key-value like operation, where the key is the auth
> mechanism, and the
> > value being auth data. The tricky part is how I put them in the
> outgoing request.
> >
> > Please correct me if i am wrong, below is an example of PLAIN auth
> request
> > 1. The auth mechanism comes right after the header. in this case
> 'PLAIN'
> > 2. A NULL byte comes after the "key" -> "PLAIN". In this case byte #
> 29.
> > 3. Then comes the user@hostName
> > 4. A NULL bytes comes after user@hostname. In this case byte # 34
> > 5. The last part is the password
> >
> > Byte/ 0 | 1 | 2 | 3 |
> > / | | | |
> > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
> > +---+---+---+---+
> > 0| 0x80 | 0x21 | 0x00 | 0x05 |
> > +---+---+---+---+
> > 4| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 8| 0x00 | 0x00 | 0x00 | 0x11 |
> > +---+---+---+---+
> > 12| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 16| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 20| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 24| 0x50 ('P') | 0x4c ('L') | 0x41 ('A') | 0x49 ('I') |
> > +---+---+---+---+
> > 28| 0x4e ('N') | 0x00 | 0x75 ('u') | 0x73 ('s') |
> > +---+---+---+---+
> > 32| 0x65 ('e') | 0x72 ('r') | 0x00 | 0x70 ('p') |
> > +---+---+---+---+
> > 36| 0x65 ('e') | 0x6e ('n') | 0x63 ('c') | 0x69 ('i') |
> > +---+---+---+---+
> > 40| 0x6c ('l') |
> > +---+
> > Total 41 bytes (24 bytes header, 5 bytes key and 12 value)
> >
> > Field (offset) (value)
> > Magic (0) : 0x80
> > Opcode (1) : 0x21
> > Key length (2,3) : 0x0005
> > Extra length (4) : 0x00
> > Data type (5) : 0x00
> > Vbucket (6,7) : 0x
> > Total body (8-11) : 0x0011
> > Opaque (12-15): 0x
> > CAS (16-23): 0x
> >
> > What could be wrong?
> > * In my memcached-sasl-db,
Re: memcached + SASL: Password verification failed
Thanks for getting back to me! I referred to that because
memcached/memcached does not tell me how the binary protocol packets for
SASL AUTH looks like. For all the server configuration and db setup, I
followed https://github.com/memcached/memcached/wiki/SASLHowto and
https://github.com/memcached/memcached/wiki/SASLAuthProtocol
Please let me know when you have time to take a closer look.
Cheers!
Jiuming
dormando 于2019年3月18日周一 下午4:10写道:
> Hey,
>
> Can look more closely later, but a few quick things that might help:
>
> 1) stick to memcached/memcached on github - that's an old couchbase fork
> you linked to. If you're using couchbase you need to talk to them instead.
>
> 2) in the t/ dir there're some unit tests for SASL which might help you
> understand the workflow better.
>
> On Mon, 18 Mar 2019, Jiuming Shao wrote:
>
> > Hey all,
> > I am writing my own implementation of a memcachedClient within which I
> want to add authentication. I just started with PLAIN auth but
> > failed.
> >
> > My main reference is this one
> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
> > My guess is that the binary message I am sending through the wire was
> wrong, thus it could never match with the secret I store in the db
> > file.
> > After searching around, I found out the SASL_AUTH(0X21) is also a
> key-value like operation, where the key is the auth mechanism, and the
> > value being auth data. The tricky part is how I put them in the outgoing
> request.
> >
> > Please correct me if i am wrong, below is an example of PLAIN auth
> request
> > 1. The auth mechanism comes right after the header. in this case 'PLAIN'
> > 2. A NULL byte comes after the "key" -> "PLAIN". In this case byte # 29.
> > 3. Then comes the user@hostName
> > 4. A NULL bytes comes after user@hostname. In this case byte # 34
> > 5. The last part is the password
> >
> > Byte/ 0 | 1 | 2 | 3 |
> > / | | | |
> > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
> > +---+---+---+---+
> >0| 0x80 | 0x21 | 0x00 | 0x05 |
> > +---+---+---+---+
> >4| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> >8| 0x00 | 0x00 | 0x00 | 0x11 |
> > +---+---+---+---+
> > 12| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 16| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 20| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')| 0x49 ('I')|
> > +---+---+---+---+
> > 28| 0x4e ('N')| 0x00 | 0x75 ('u')| 0x73 ('s')|
> > +---+---+---+---+
> > 32| 0x65 ('e')| 0x72 ('r')| 0x00 | 0x70 ('p')|
> > +---+---+---+---+
> > 36| 0x65 ('e')| 0x6e ('n')| 0x63 ('c')| 0x69 ('i')|
> > +---+---+---+---+
> > 40| 0x6c ('l')|
> > +---+
> > Total 41 bytes (24 bytes header, 5 bytes key and 12 value)
> >
> > Field(offset) (value)
> > Magic(0): 0x80
> > Opcode (1): 0x21
> > Key length (2,3) : 0x0005
> > Extra length (4): 0x00
> > Data type(5): 0x00
> > Vbucket (6,7) : 0x
> > Total body (8-11) : 0x0011
> > Opaque (12-15): 0x
> > CAS (16-23): 0x
> >
> > What could be wrong?
> > * In my memcached-sasl-db, should I store userName:password or
> username@hostName:password?
> > * Does the TotalLength of the message include the NULL bytes being
> added between authKey/authData and username/password?
> > * In my authData should I use \0x00userName\0x00password
> or \0x00userName@hostNname\0x00password?
> > * Any other suggestions?
> >
> > Best regards,
> > Jiuming
> >
> > Below are Logs and configurations for your references
> >
> > memcached logs: Below you will find that I did a LIST_MECH(0x20) and
> then did a SASL_AUTH(0X21)
> >
> > LRU crawler thread sleeping
> > <28 new binary client connection.
> > 28: going from conn_new_cmd to conn_waiting
> > 28: going from conn_waiting to conn_read
> > 28: going from conn_read to conn_closing
> > <28 connection closed.
> > 28: going from conn_closing to conn_closed
> >
