Re: memcached + SASL: Password verification failed
Alright...cool.
Let me know if you ever successfully get DIGEST-MD5 working.
Have a great weekend!
Thanks and Regards,
Om Kale
Master of Science in Electrical and Computer Engineering
Georgia Institute of Technology
On Fri, Mar 22, 2019 at 3:23 PM Jiuming Shao
wrote:
> Hi Om,
>
> No. I just started with PLAIN as a PoC.
>
> Cheers!
>
> Om Kale 于2019年3月22日周五 下午3:17写道:
>
>> Hi Jiuming,
>> Were you able to make it work with DIGEST-MD5 instead of just PLAIN auth?
>>
>> Regards,
>> Om Kale
>> Master of Science in Electrical and Computer Engineering
>> Georgia Institute of Technology
>>
>>
>> On Fri, Mar 22, 2019 at 2:40 PM Jiuming Shao
>> wrote:
>>
>>> Thanks! I figured it out by postfixing `@memcached.realm` after my key.
>>>
>>> dormando 于2019年3月19日周二 上午10:49写道:
>>>
t/binary-sasl.t under memcached/memcached should show you examples of
how
to authenticate. You should be able to just hack up the test to get more
information about what the password files look like/etc. it writes it
out
to tmp.
seems some systems require the @hostname and some don't (mine doesn't, I
haven't looked into why)
On Tue, 19 Mar 2019, Jiuming Shao wrote:
> Thanks for getting back to me! I referred to that because
memcached/memcached does not tell me how the binary protocol packets for
SASL
> AUTH looks like. For all the server configuration and db setup, I
followed https://github.com/memcached/memcached/wiki/SASLHowto
> and https://github.com/memcached/memcached/wiki/SASLAuthProtocol
> Please let me know when you have time to take a closer look.
>
> Cheers!
> Jiuming
>
> dormando 于2019年3月18日周一 下午4:10写道:
> Hey,
>
> Can look more closely later, but a few quick things that might
help:
>
> 1) stick to memcached/memcached on github - that's an old
couchbase fork
> you linked to. If you're using couchbase you need to talk to
them instead.
>
> 2) in the t/ dir there're some unit tests for SASL which might
help you
> understand the workflow better.
>
> On Mon, 18 Mar 2019, Jiuming Shao wrote:
>
> > Hey all,
> > I am writing my own implementation of a memcachedClient
within which I want to add authentication. I just started with
> PLAIN auth but
> > failed.
> >
> > My main reference is this one
https://github.com/couchbase/memcached/blob/master/docs/sasl.md
> > My guess is that the binary message I am sending through the
wire was wrong, thus it could never match with the secret I
> store in the db
> > file.
> > After searching around, I found out the SASL_AUTH(0X21) is
also a key-value like operation, where the key is the auth
> mechanism, and the
> > value being auth data. The tricky part is how I put them in
the outgoing request.
> >
> > Please correct me if i am wrong, below is an example of PLAIN
auth request
> > 1. The auth mechanism comes right after the header. in this
case 'PLAIN'
> > 2. A NULL byte comes after the "key" -> "PLAIN". In this
case byte # 29.
> > 3. Then comes the user@hostName
> > 4. A NULL bytes comes after user@hostname. In this case
byte # 34
> > 5. The last part is the password
> >
> > Byte/ 0 | 1 | 2 | 3
|
> > / | | |
|
> > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3
4 5 6 7|
> >
+---+---+---+---+
> >0| 0x80 | 0x21 | 0x00 | 0x05
|
> >
+---+---+---+---+
> >4| 0x00 | 0x00 | 0x00 | 0x00
|
> >
+---+---+---+---+
> >8| 0x00 | 0x00 | 0x00 | 0x11
|
> >
+---+---+---+---+
> > 12| 0x00 | 0x00 | 0x00 | 0x00
|
> >
+---+---+---+---+
> > 16| 0x00 | 0x00 | 0x00 | 0x00
|
> >
+---+---+---+---+
> > 20| 0x00 | 0x00 | 0x00 | 0x00
|
> >
+---+---+---+---+
> > 24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')
Re: memcached + SASL: Password verification failed
Hi Om,
No. I just started with PLAIN as a PoC.
Cheers!
Om Kale 于2019年3月22日周五 下午3:17写道:
> Hi Jiuming,
> Were you able to make it work with DIGEST-MD5 instead of just PLAIN auth?
>
> Regards,
> Om Kale
> Master of Science in Electrical and Computer Engineering
> Georgia Institute of Technology
>
>
> On Fri, Mar 22, 2019 at 2:40 PM Jiuming Shao
> wrote:
>
>> Thanks! I figured it out by postfixing `@memcached.realm` after my key.
>>
>> dormando 于2019年3月19日周二 上午10:49写道:
>>
>>> t/binary-sasl.t under memcached/memcached should show you examples of how
>>> to authenticate. You should be able to just hack up the test to get more
>>> information about what the password files look like/etc. it writes it out
>>> to tmp.
>>>
>>> seems some systems require the @hostname and some don't (mine doesn't, I
>>> haven't looked into why)
>>>
>>> On Tue, 19 Mar 2019, Jiuming Shao wrote:
>>>
>>> > Thanks for getting back to me! I referred to that because
>>> memcached/memcached does not tell me how the binary protocol packets for
>>> SASL
>>> > AUTH looks like. For all the server configuration and db setup, I
>>> followed https://github.com/memcached/memcached/wiki/SASLHowto
>>> > and https://github.com/memcached/memcached/wiki/SASLAuthProtocol
>>> > Please let me know when you have time to take a closer look.
>>> >
>>> > Cheers!
>>> > Jiuming
>>> >
>>> > dormando 于2019年3月18日周一 下午4:10写道:
>>> > Hey,
>>> >
>>> > Can look more closely later, but a few quick things that might
>>> help:
>>> >
>>> > 1) stick to memcached/memcached on github - that's an old
>>> couchbase fork
>>> > you linked to. If you're using couchbase you need to talk to
>>> them instead.
>>> >
>>> > 2) in the t/ dir there're some unit tests for SASL which might
>>> help you
>>> > understand the workflow better.
>>> >
>>> > On Mon, 18 Mar 2019, Jiuming Shao wrote:
>>> >
>>> > > Hey all,
>>> > > I am writing my own implementation of a memcachedClient within
>>> which I want to add authentication. I just started with
>>> > PLAIN auth but
>>> > > failed.
>>> > >
>>> > > My main reference is this one
>>> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
>>> > > My guess is that the binary message I am sending through the
>>> wire was wrong, thus it could never match with the secret I
>>> > store in the db
>>> > > file.
>>> > > After searching around, I found out the SASL_AUTH(0X21) is
>>> also a key-value like operation, where the key is the auth
>>> > mechanism, and the
>>> > > value being auth data. The tricky part is how I put them in
>>> the outgoing request.
>>> > >
>>> > > Please correct me if i am wrong, below is an example of PLAIN
>>> auth request
>>> > > 1. The auth mechanism comes right after the header. in this
>>> case 'PLAIN'
>>> > > 2. A NULL byte comes after the "key" -> "PLAIN". In this case
>>> byte # 29.
>>> > > 3. Then comes the user@hostName
>>> > > 4. A NULL bytes comes after user@hostname. In this case byte
>>> # 34
>>> > > 5. The last part is the password
>>> > >
>>> > > Byte/ 0 | 1 | 2 | 3
>>>|
>>> > > / | | |
>>> |
>>> > > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4
>>> 5 6 7|
>>> > >
>>> +---+---+---+---+
>>> > >0| 0x80 | 0x21 | 0x00 | 0x05
>>> |
>>> > >
>>> +---+---+---+---+
>>> > >4| 0x00 | 0x00 | 0x00 | 0x00
>>> |
>>> > >
>>> +---+---+---+---+
>>> > >8| 0x00 | 0x00 | 0x00 | 0x11
>>> |
>>> > >
>>> +---+---+---+---+
>>> > > 12| 0x00 | 0x00 | 0x00 | 0x00
>>> |
>>> > >
>>> +---+---+---+---+
>>> > > 16| 0x00 | 0x00 | 0x00 | 0x00
>>> |
>>> > >
>>> +---+---+---+---+
>>> > > 20| 0x00 | 0x00 | 0x00 | 0x00
>>> |
>>> > >
>>> +---+---+---+---+
>>> > > 24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')| 0x49
>>> ('I')|
>>> > >
>>> +---+---+---+---+
>>> > > 28| 0x4e ('N')| 0x00 | 0x75 ('u')| 0x73
>>> ('s')|
>>> > >
>>> +---+---+---+---+
>>> > > 32| 0x65 ('e')| 0x72 ('r')| 0x00 | 0x70
>>> ('p')|
>>> > >
>>>
Re: memcached + SASL: Password verification failed
Hi Jiuming,
Were you able to make it work with DIGEST-MD5 instead of just PLAIN auth?
Regards,
Om Kale
Master of Science in Electrical and Computer Engineering
Georgia Institute of Technology
On Fri, Mar 22, 2019 at 2:40 PM Jiuming Shao
wrote:
> Thanks! I figured it out by postfixing `@memcached.realm` after my key.
>
> dormando 于2019年3月19日周二 上午10:49写道:
>
>> t/binary-sasl.t under memcached/memcached should show you examples of how
>> to authenticate. You should be able to just hack up the test to get more
>> information about what the password files look like/etc. it writes it out
>> to tmp.
>>
>> seems some systems require the @hostname and some don't (mine doesn't, I
>> haven't looked into why)
>>
>> On Tue, 19 Mar 2019, Jiuming Shao wrote:
>>
>> > Thanks for getting back to me! I referred to that because
>> memcached/memcached does not tell me how the binary protocol packets for
>> SASL
>> > AUTH looks like. For all the server configuration and db setup, I
>> followed https://github.com/memcached/memcached/wiki/SASLHowto
>> > and https://github.com/memcached/memcached/wiki/SASLAuthProtocol
>> > Please let me know when you have time to take a closer look.
>> >
>> > Cheers!
>> > Jiuming
>> >
>> > dormando 于2019年3月18日周一 下午4:10写道:
>> > Hey,
>> >
>> > Can look more closely later, but a few quick things that might
>> help:
>> >
>> > 1) stick to memcached/memcached on github - that's an old
>> couchbase fork
>> > you linked to. If you're using couchbase you need to talk to them
>> instead.
>> >
>> > 2) in the t/ dir there're some unit tests for SASL which might
>> help you
>> > understand the workflow better.
>> >
>> > On Mon, 18 Mar 2019, Jiuming Shao wrote:
>> >
>> > > Hey all,
>> > > I am writing my own implementation of a memcachedClient within
>> which I want to add authentication. I just started with
>> > PLAIN auth but
>> > > failed.
>> > >
>> > > My main reference is this one
>> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
>> > > My guess is that the binary message I am sending through the
>> wire was wrong, thus it could never match with the secret I
>> > store in the db
>> > > file.
>> > > After searching around, I found out the SASL_AUTH(0X21) is also
>> a key-value like operation, where the key is the auth
>> > mechanism, and the
>> > > value being auth data. The tricky part is how I put them in the
>> outgoing request.
>> > >
>> > > Please correct me if i am wrong, below is an example of PLAIN
>> auth request
>> > > 1. The auth mechanism comes right after the header. in this
>> case 'PLAIN'
>> > > 2. A NULL byte comes after the "key" -> "PLAIN". In this case
>> byte # 29.
>> > > 3. Then comes the user@hostName
>> > > 4. A NULL bytes comes after user@hostname. In this case byte
>> # 34
>> > > 5. The last part is the password
>> > >
>> > > Byte/ 0 | 1 | 2 | 3
>>|
>> > > / | | |
>> |
>> > > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4
>> 5 6 7|
>> > >
>> +---+---+---+---+
>> > >0| 0x80 | 0x21 | 0x00 | 0x05
>> |
>> > >
>> +---+---+---+---+
>> > >4| 0x00 | 0x00 | 0x00 | 0x00
>> |
>> > >
>> +---+---+---+---+
>> > >8| 0x00 | 0x00 | 0x00 | 0x11
>> |
>> > >
>> +---+---+---+---+
>> > > 12| 0x00 | 0x00 | 0x00 | 0x00
>> |
>> > >
>> +---+---+---+---+
>> > > 16| 0x00 | 0x00 | 0x00 | 0x00
>> |
>> > >
>> +---+---+---+---+
>> > > 20| 0x00 | 0x00 | 0x00 | 0x00
>> |
>> > >
>> +---+---+---+---+
>> > > 24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')| 0x49
>> ('I')|
>> > >
>> +---+---+---+---+
>> > > 28| 0x4e ('N')| 0x00 | 0x75 ('u')| 0x73
>> ('s')|
>> > >
>> +---+---+---+---+
>> > > 32| 0x65 ('e')| 0x72 ('r')| 0x00 | 0x70
>> ('p')|
>> > >
>> +---+---+---+---+
>> > > 36| 0x65 ('e')| 0x6e ('n')| 0x63 ('c')| 0x69
>> ('i')|
>> > >
>> +---+---+---+---+
>> > > 40| 0x6c
Re: memcached + SASL: Password verification failed
Thanks! I figured it out by postfixing `@memcached.realm` after my key.
dormando 于2019年3月19日周二 上午10:49写道:
> t/binary-sasl.t under memcached/memcached should show you examples of how
> to authenticate. You should be able to just hack up the test to get more
> information about what the password files look like/etc. it writes it out
> to tmp.
>
> seems some systems require the @hostname and some don't (mine doesn't, I
> haven't looked into why)
>
> On Tue, 19 Mar 2019, Jiuming Shao wrote:
>
> > Thanks for getting back to me! I referred to that because
> memcached/memcached does not tell me how the binary protocol packets for
> SASL
> > AUTH looks like. For all the server configuration and db setup, I
> followed https://github.com/memcached/memcached/wiki/SASLHowto
> > and https://github.com/memcached/memcached/wiki/SASLAuthProtocol
> > Please let me know when you have time to take a closer look.
> >
> > Cheers!
> > Jiuming
> >
> > dormando 于2019年3月18日周一 下午4:10写道:
> > Hey,
> >
> > Can look more closely later, but a few quick things that might
> help:
> >
> > 1) stick to memcached/memcached on github - that's an old
> couchbase fork
> > you linked to. If you're using couchbase you need to talk to them
> instead.
> >
> > 2) in the t/ dir there're some unit tests for SASL which might
> help you
> > understand the workflow better.
> >
> > On Mon, 18 Mar 2019, Jiuming Shao wrote:
> >
> > > Hey all,
> > > I am writing my own implementation of a memcachedClient within
> which I want to add authentication. I just started with
> > PLAIN auth but
> > > failed.
> > >
> > > My main reference is this one
> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
> > > My guess is that the binary message I am sending through the
> wire was wrong, thus it could never match with the secret I
> > store in the db
> > > file.
> > > After searching around, I found out the SASL_AUTH(0X21) is also
> a key-value like operation, where the key is the auth
> > mechanism, and the
> > > value being auth data. The tricky part is how I put them in the
> outgoing request.
> > >
> > > Please correct me if i am wrong, below is an example of PLAIN
> auth request
> > > 1. The auth mechanism comes right after the header. in this
> case 'PLAIN'
> > > 2. A NULL byte comes after the "key" -> "PLAIN". In this case
> byte # 29.
> > > 3. Then comes the user@hostName
> > > 4. A NULL bytes comes after user@hostname. In this case byte #
> 34
> > > 5. The last part is the password
> > >
> > > Byte/ 0 | 1 | 2 | 3
> |
> > > / | | |
>|
> > > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5
> 6 7|
> > >
> +---+---+---+---+
> > >0| 0x80 | 0x21 | 0x00 | 0x05
> |
> > >
> +---+---+---+---+
> > >4| 0x00 | 0x00 | 0x00 | 0x00
> |
> > >
> +---+---+---+---+
> > >8| 0x00 | 0x00 | 0x00 | 0x11
> |
> > >
> +---+---+---+---+
> > > 12| 0x00 | 0x00 | 0x00 | 0x00
> |
> > >
> +---+---+---+---+
> > > 16| 0x00 | 0x00 | 0x00 | 0x00
> |
> > >
> +---+---+---+---+
> > > 20| 0x00 | 0x00 | 0x00 | 0x00
> |
> > >
> +---+---+---+---+
> > > 24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')| 0x49
> ('I')|
> > >
> +---+---+---+---+
> > > 28| 0x4e ('N')| 0x00 | 0x75 ('u')| 0x73
> ('s')|
> > >
> +---+---+---+---+
> > > 32| 0x65 ('e')| 0x72 ('r')| 0x00 | 0x70
> ('p')|
> > >
> +---+---+---+---+
> > > 36| 0x65 ('e')| 0x6e ('n')| 0x63 ('c')| 0x69
> ('i')|
> > >
> +---+---+---+---+
> > > 40| 0x6c ('l')|
> > > +---+
> > > Total 41 bytes (24 bytes header, 5 bytes key and 12 value)
> > >
> > > Field(offset) (value)
> > > Magic(0): 0x80
> > > Opcode (1): 0x21
> > > Key length (2,3) : 0x0005
> > > Extra length (4): 0x00
> > > Data type(5): 0x00
> >
Re: memcached + SASL: Password verification failed
t/binary-sasl.t under memcached/memcached should show you examples of how
to authenticate. You should be able to just hack up the test to get more
information about what the password files look like/etc. it writes it out
to tmp.
seems some systems require the @hostname and some don't (mine doesn't, I
haven't looked into why)
On Tue, 19 Mar 2019, Jiuming Shao wrote:
> Thanks for getting back to me! I referred to that because memcached/memcached
> does not tell me how the binary protocol packets for SASL
> AUTH looks like. For all the server configuration and db setup, I followed
> https://github.com/memcached/memcached/wiki/SASLHowto
> and https://github.com/memcached/memcached/wiki/SASLAuthProtocol
> Please let me know when you have time to take a closer look.
>
> Cheers!
> Jiuming
>
> dormando 于2019年3月18日周一 下午4:10写道:
> Hey,
>
> Can look more closely later, but a few quick things that might help:
>
> 1) stick to memcached/memcached on github - that's an old couchbase fork
> you linked to. If you're using couchbase you need to talk to them
> instead.
>
> 2) in the t/ dir there're some unit tests for SASL which might help you
> understand the workflow better.
>
> On Mon, 18 Mar 2019, Jiuming Shao wrote:
>
> > Hey all,
> > I am writing my own implementation of a memcachedClient within which
> I want to add authentication. I just started with
> PLAIN auth but
> > failed.
> >
> > My main reference is this one
> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
> > My guess is that the binary message I am sending through the wire was
> wrong, thus it could never match with the secret I
> store in the db
> > file.
> > After searching around, I found out the SASL_AUTH(0X21) is also a
> key-value like operation, where the key is the auth
> mechanism, and the
> > value being auth data. The tricky part is how I put them in the
> outgoing request.
> >
> > Please correct me if i am wrong, below is an example of PLAIN auth
> request
> > 1. The auth mechanism comes right after the header. in this case
> 'PLAIN'
> > 2. A NULL byte comes after the "key" -> "PLAIN". In this case byte #
> 29.
> > 3. Then comes the user@hostName
> > 4. A NULL bytes comes after user@hostname. In this case byte # 34
> > 5. The last part is the password
> >
> > Byte/ 0 | 1 | 2 | 3 |
> > / | | | |
> > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
> > +---+---+---+---+
> > 0| 0x80 | 0x21 | 0x00 | 0x05 |
> > +---+---+---+---+
> > 4| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 8| 0x00 | 0x00 | 0x00 | 0x11 |
> > +---+---+---+---+
> > 12| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 16| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 20| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 24| 0x50 ('P') | 0x4c ('L') | 0x41 ('A') | 0x49 ('I') |
> > +---+---+---+---+
> > 28| 0x4e ('N') | 0x00 | 0x75 ('u') | 0x73 ('s') |
> > +---+---+---+---+
> > 32| 0x65 ('e') | 0x72 ('r') | 0x00 | 0x70 ('p') |
> > +---+---+---+---+
> > 36| 0x65 ('e') | 0x6e ('n') | 0x63 ('c') | 0x69 ('i') |
> > +---+---+---+---+
> > 40| 0x6c ('l') |
> > +---+
> > Total 41 bytes (24 bytes header, 5 bytes key and 12 value)
> >
> > Field (offset) (value)
> > Magic (0) : 0x80
> > Opcode (1) : 0x21
> > Key length (2,3) : 0x0005
> > Extra length (4) : 0x00
> > Data type (5) : 0x00
> > Vbucket (6,7) : 0x
> > Total body (8-11) : 0x0011
> > Opaque (12-15): 0x
> > CAS (16-23): 0x
> >
> > What could be wrong?
> > * In my memcached-sasl-db,
Re: memcached + SASL: Password verification failed
Thanks for getting back to me! I referred to that because
memcached/memcached does not tell me how the binary protocol packets for
SASL AUTH looks like. For all the server configuration and db setup, I
followed https://github.com/memcached/memcached/wiki/SASLHowto and
https://github.com/memcached/memcached/wiki/SASLAuthProtocol
Please let me know when you have time to take a closer look.
Cheers!
Jiuming
dormando 于2019年3月18日周一 下午4:10写道:
> Hey,
>
> Can look more closely later, but a few quick things that might help:
>
> 1) stick to memcached/memcached on github - that's an old couchbase fork
> you linked to. If you're using couchbase you need to talk to them instead.
>
> 2) in the t/ dir there're some unit tests for SASL which might help you
> understand the workflow better.
>
> On Mon, 18 Mar 2019, Jiuming Shao wrote:
>
> > Hey all,
> > I am writing my own implementation of a memcachedClient within which I
> want to add authentication. I just started with PLAIN auth but
> > failed.
> >
> > My main reference is this one
> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
> > My guess is that the binary message I am sending through the wire was
> wrong, thus it could never match with the secret I store in the db
> > file.
> > After searching around, I found out the SASL_AUTH(0X21) is also a
> key-value like operation, where the key is the auth mechanism, and the
> > value being auth data. The tricky part is how I put them in the outgoing
> request.
> >
> > Please correct me if i am wrong, below is an example of PLAIN auth
> request
> > 1. The auth mechanism comes right after the header. in this case 'PLAIN'
> > 2. A NULL byte comes after the "key" -> "PLAIN". In this case byte # 29.
> > 3. Then comes the user@hostName
> > 4. A NULL bytes comes after user@hostname. In this case byte # 34
> > 5. The last part is the password
> >
> > Byte/ 0 | 1 | 2 | 3 |
> > / | | | |
> > |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
> > +---+---+---+---+
> >0| 0x80 | 0x21 | 0x00 | 0x05 |
> > +---+---+---+---+
> >4| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> >8| 0x00 | 0x00 | 0x00 | 0x11 |
> > +---+---+---+---+
> > 12| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 16| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 20| 0x00 | 0x00 | 0x00 | 0x00 |
> > +---+---+---+---+
> > 24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')| 0x49 ('I')|
> > +---+---+---+---+
> > 28| 0x4e ('N')| 0x00 | 0x75 ('u')| 0x73 ('s')|
> > +---+---+---+---+
> > 32| 0x65 ('e')| 0x72 ('r')| 0x00 | 0x70 ('p')|
> > +---+---+---+---+
> > 36| 0x65 ('e')| 0x6e ('n')| 0x63 ('c')| 0x69 ('i')|
> > +---+---+---+---+
> > 40| 0x6c ('l')|
> > +---+
> > Total 41 bytes (24 bytes header, 5 bytes key and 12 value)
> >
> > Field(offset) (value)
> > Magic(0): 0x80
> > Opcode (1): 0x21
> > Key length (2,3) : 0x0005
> > Extra length (4): 0x00
> > Data type(5): 0x00
> > Vbucket (6,7) : 0x
> > Total body (8-11) : 0x0011
> > Opaque (12-15): 0x
> > CAS (16-23): 0x
> >
> > What could be wrong?
> > * In my memcached-sasl-db, should I store userName:password or
> username@hostName:password?
> > * Does the TotalLength of the message include the NULL bytes being
> added between authKey/authData and username/password?
> > * In my authData should I use \0x00userName\0x00password
> or \0x00userName@hostNname\0x00password?
> > * Any other suggestions?
> >
> > Best regards,
> > Jiuming
> >
> > Below are Logs and configurations for your references
> >
> > memcached logs: Below you will find that I did a LIST_MECH(0x20) and
> then did a SASL_AUTH(0X21)
> >
> > LRU crawler thread sleeping
> > <28 new binary client connection.
> > 28: going from conn_new_cmd to conn_waiting
> > 28: going from conn_waiting to conn_read
> > 28: going from conn_read to conn_closing
> > <28 connection closed.
> > 28: going from conn_closing to conn_closed
> >
Re: memcached + SASL: Password verification failed
Hey,
Can look more closely later, but a few quick things that might help:
1) stick to memcached/memcached on github - that's an old couchbase fork
you linked to. If you're using couchbase you need to talk to them instead.
2) in the t/ dir there're some unit tests for SASL which might help you
understand the workflow better.
On Mon, 18 Mar 2019, Jiuming Shao wrote:
> Hey all,
> I am writing my own implementation of a memcachedClient within which I want
> to add authentication. I just started with PLAIN auth but
> failed.
>
> My main reference is this one
> https://github.com/couchbase/memcached/blob/master/docs/sasl.md
> My guess is that the binary message I am sending through the wire was wrong,
> thus it could never match with the secret I store in the db
> file.
> After searching around, I found out the SASL_AUTH(0X21) is also a key-value
> like operation, where the key is the auth mechanism, and the
> value being auth data. The tricky part is how I put them in the outgoing
> request.
>
> Please correct me if i am wrong, below is an example of PLAIN auth request
> 1. The auth mechanism comes right after the header. in this case 'PLAIN'
> 2. A NULL byte comes after the "key" -> "PLAIN". In this case byte # 29.
> 3. Then comes the user@hostName
> 4. A NULL bytes comes after user@hostname. In this case byte # 34
> 5. The last part is the password
>
> Byte/ 0 | 1 | 2 | 3 |
> / | | | |
> |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
> +---+---+---+---+
>0| 0x80 | 0x21 | 0x00 | 0x05 |
> +---+---+---+---+
>4| 0x00 | 0x00 | 0x00 | 0x00 |
> +---+---+---+---+
>8| 0x00 | 0x00 | 0x00 | 0x11 |
> +---+---+---+---+
> 12| 0x00 | 0x00 | 0x00 | 0x00 |
> +---+---+---+---+
> 16| 0x00 | 0x00 | 0x00 | 0x00 |
> +---+---+---+---+
> 20| 0x00 | 0x00 | 0x00 | 0x00 |
> +---+---+---+---+
> 24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')| 0x49 ('I')|
> +---+---+---+---+
> 28| 0x4e ('N')| 0x00 | 0x75 ('u')| 0x73 ('s')|
> +---+---+---+---+
> 32| 0x65 ('e')| 0x72 ('r')| 0x00 | 0x70 ('p')|
> +---+---+---+---+
> 36| 0x65 ('e')| 0x6e ('n')| 0x63 ('c')| 0x69 ('i')|
> +---+---+---+---+
> 40| 0x6c ('l')|
> +---+
> Total 41 bytes (24 bytes header, 5 bytes key and 12 value)
>
> Field(offset) (value)
> Magic(0): 0x80
> Opcode (1): 0x21
> Key length (2,3) : 0x0005
> Extra length (4): 0x00
> Data type(5): 0x00
> Vbucket (6,7) : 0x
> Total body (8-11) : 0x0011
> Opaque (12-15): 0x
> CAS (16-23): 0x
>
> What could be wrong?
> * In my memcached-sasl-db, should I store userName:password or
> username@hostName:password?
> * Does the TotalLength of the message include the NULL bytes being added
> between authKey/authData and username/password?
> * In my authData should I use \0x00userName\0x00password or
> \0x00userName@hostNname\0x00password?
> * Any other suggestions?
>
> Best regards,
> Jiuming
>
> Below are Logs and configurations for your references
>
> memcached logs: Below you will find that I did a LIST_MECH(0x20) and then did
> a SASL_AUTH(0X21)
>
> LRU crawler thread sleeping
> <28 new binary client connection.
> 28: going from conn_new_cmd to conn_waiting
> 28: going from conn_waiting to conn_read
> 28: going from conn_read to conn_closing
> <28 connection closed.
> 28: going from conn_closing to conn_closed
> <28 new binary client connection.
> 28: going from conn_new_cmd to conn_waiting
> 28: going from conn_waiting to conn_read
> 28: going from conn_read to conn_parse_cmd
> <28 Read binary protocol data:
> <280x80 0x20 0x00 0x00
> <280x00 0x00 0x00 0x00
> <280x00 0x00 0x00 0x00
> <280x00 0x00 0x00 0x01
> <280x00 0x00 0x00 0x00
> <280x00 0x00 0x00 0x00
> authenticated() in cmd 0x20 is true
> >28 Writing bin response:
> >28 0x81 0x20 0x00 0x00
> >28 0x00 0x00 0x00 0x00
> >28 0x00 0x00 0x00 0x15
> >28 0x00 0x00 0x00 0x01
> >28 0x00 0x00 0x00 0x00
> >28 0x00 0x00 0x00 0x00
>
memcached + SASL: Password verification failed
Hey all,
I am writing my own implementation of a memcachedClient within which I want
to add authentication. I just started with PLAIN auth but failed.
My main reference is this
one https://github.com/couchbase/memcached/blob/master/docs/sasl.md
My guess is that the binary message I am sending through the wire was
wrong, thus it could never match with the secret I store in the db file.
After searching around, I found out the SASL_AUTH(0X21) is also a key-value
like operation, where the key is the auth mechanism, and the value being
auth data. The tricky part is how I put them in the outgoing request.
Please correct me if i am wrong, below is an example of PLAIN auth request
1. The auth mechanism comes right after the header. in this case 'PLAIN'
2. A NULL byte comes after the "key" -> "PLAIN". In this case byte # 29.
3. Then comes the user@hostName
4. A NULL bytes comes after user@hostname. In this case byte # 34
5. The last part is the password
Byte/ 0 | 1 | 2 | 3 |
/ | | | |
|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
+---+---+---+---+
0| 0x80 | 0x21 | 0x00 | 0x05 |
+---+---+---+---+
4| 0x00 | 0x00 | 0x00 | 0x00 |
+---+---+---+---+
8| 0x00 | 0x00 | 0x00 | 0x11 |
+---+---+---+---+
12| 0x00 | 0x00 | 0x00 | 0x00 |
+---+---+---+---+
16| 0x00 | 0x00 | 0x00 | 0x00 |
+---+---+---+---+
20| 0x00 | 0x00 | 0x00 | 0x00 |
+---+---+---+---+
24| 0x50 ('P')| 0x4c ('L')| 0x41 ('A')| 0x49 ('I')|
+---+---+---+---+
28| 0x4e ('N')| 0x00 | 0x75 ('u')| 0x73 ('s')|
+---+---+---+---+
32| 0x65 ('e')| 0x72 ('r')| 0x00 | 0x70 ('p')|
+---+---+---+---+
36| 0x65 ('e')| 0x6e ('n')| 0x63 ('c')| 0x69 ('i')|
+---+---+---+---+
40| 0x6c ('l')|
+---+
Total 41 bytes (24 bytes header, 5 bytes key and 12 value)
Field(offset) (value)
Magic(0): 0x80
Opcode (1): 0x21
Key length (2,3) : 0x0005
Extra length (4): 0x00
Data type(5): 0x00
Vbucket (6,7) : 0x
Total body (8-11) : 0x0011
Opaque (12-15): 0x
CAS (16-23): 0x
What could be wrong?
- In my memcached-sasl-db, should I store userName:password or
username@hostName:password?
- Does the TotalLength of the message include the NULL bytes being added
between authKey/authData and username/password?
- In my authData should I use \0x00userName\0x00password or
\0x00userName@hostNname\0x00password?
- Any other suggestions?
Best regards,
Jiuming
*Below are Logs and configurations for your references*
memcached logs: Below you will find that I did a LIST_MECH(0x20) and then
did a SASL_AUTH(0X21)
LRU crawler thread sleeping
<28 new binary client connection.
28: going from conn_new_cmd to conn_waiting
28: going from conn_waiting to conn_read
28: going from conn_read to conn_closing
<28 connection closed.
28: going from conn_closing to conn_closed
<28 new binary client connection.
28: going from conn_new_cmd to conn_waiting
28: going from conn_waiting to conn_read
28: going from conn_read to conn_parse_cmd
<28 Read binary protocol data:
<280x80 0x20 0x00 0x00
<280x00 0x00 0x00 0x00
<280x00 0x00 0x00 0x00
<280x00 0x00 0x00 0x01
<280x00 0x00 0x00 0x00
<280x00 0x00 0x00 0x00
authenticated() in cmd 0x20 is true
>28 Writing bin response:
>28 0x81 0x20 0x00 0x00
>28 0x00 0x00 0x00 0x00
>28 0x00 0x00 0x00 0x15
>28 0x00 0x00 0x00 0x01
>28 0x00 0x00 0x00 0x00
>28 0x00 0x00 0x00 0x00
28: going from conn_parse_cmd to conn_mwrite
28: going from conn_mwrite to conn_new_cmd
28: going from conn_new_cmd to conn_waiting
28: going from conn_waiting to conn_read
28: going from conn_read to conn_parse_cmd
<28 Read binary protocol data:
<280x80 0x21 0x00 0x05
<280x00 0x00 0x00 0x00
<280x00 0x00 0x00 0x14
<280x00 0x00 0x00 0x02
<280x00 0x00 0x00 0x00
<280x00 0x00 0x00 0x00
authenticated() in cmd 0x21 is true
28: going from conn_parse_cmd to conn_nread
mech: ``PLAIN'' with 15 bytes of data
SASL (severity
