If qop='auth-conf', the client must accept one of the server's cipher algorithms. Currently, it does not send back a cipher, so the server sends back an error message and closes the connection.

I tried hardcoding cipher='3des', but I ran into errors encoding/decoding messages and did not know how to proceed from there.

I noticed that there is a comment that DIGEST-MD5 is "incomplete and untested". Can you please complete this module?

Hi,

I'm trying out I get the following error:

File "/opt/pyvirtualenv/py_3.4_dj_1.9/lib/python3.4/site-packages/puresasl/client.py", line 15, in wrapped
return f(self, args, *kwargs)
File "/opt/pyvirtualenv/py_3.4_dj_1.9/lib/python3.4/site-packages/puresasl/client.py", line 141, in process
return self._chosen_mech.process(challenge)
File "/opt/pyvirtualenv/py_3.4_dj_1.9/lib/python3.4/site-packages/puresasl/mechanisms.py", line 407, in process
setattr(self, key, challenge_dict[key])
TypeError: attribute name must be string, not 'bytes'

Python 3.5 (conda environment), pure-sasl 0.4.0 on RHEL 6.6.

Traceback (most recent call last):
  File "/data/data01/dev/edl/infra/mstr/landing/envs/ml_recommender/lib/python3.5/site-packages/impala/sasl_compat.py", line 8, in error_catcher
    yield
  File "/data/data01/dev/edl/infra/mstr/landing/envs/ml_recommender/lib/python3.5/site-packages/impala/sasl_compat.py", line 30, in encode
    return True, self.unwrap(incoming)
  File "/data/data01/dev/edl/infra/mstr/landing/envs/ml_recommender/lib/python3.5/site-packages/puresasl/client.py", line 15, in wrapped
    return f(self, *args, **kwargs)
  File "/data/data01/dev/edl/infra/mstr/landing/envs/ml_recommender/lib/python3.5/site-packages/puresasl/client.py", line 157, in unwrap
    return self._chosen_mech.unwrap(incoming)
  File "/data/data01/dev/edl/infra/mstr/landing/envs/ml_recommender/lib/python3.5/site-packages/puresasl/mechanisms.py", line 515, in unwrap
    kerberos.authGSSClientUnwrap(self.context, incoming)
TypeError: argument 2 must be str, not bytes

Using sasl (Cyrus-SASL bindings) instead of pure-sasl, impyla is able to connect.

Dear thobbs,

In first, I wish you a Happy New Year!

Can you add supports of:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS
• SCRAM-SHA3-512
• SCRAM-SHA3-512-PLUS

You can add too:

• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

• SCRAM-SHA-1(-PLUS):
  -- https://tools.ietf.org/html/rfc5802
  -- https://tools.ietf.org/html/rfc6120

• SCRAM-SHA-256(-PLUS):
  -- https://tools.ietf.org/html/rfc7677 since 2015-11-02
  -- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

• SCRAM-SHA-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

• SCRAM-SHA3-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

• SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
  -- https://tools.ietf.org/html/draft-melnikov-scram-bis

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

• scram-sasl/info#1

Using the GSSAPI mechanism when the kerberos package is not installed results in:

puresasl.SASLError: None of the mechanisms listed meet all required properties

It took me a long time to figure out that I was simply missing the kerberos package.

If I call client.wrap(HUGE_BUFFER) or client.unwrap(HUGE_BUFFER), where HUGE_BUFFER > max_buffer, it should raise an exception. The caller should probably call wrap() or unwrap() in a loop based on client._chosen_mech.max_buffer.

Test requirement on mock is capped to <= 1.0.1

Is that still needed ? Tests are passing with mock 3.0.5.
It was already discussed here : https://github.com/thobbs/pure-sasl/pull/12/files#r51483902

On Windows, kerberos-sspi seems like a drop-in replacement for pykerberos.

Will you plan to support this feature? Thanks.

Is it difficult to add support for SASL on the server side? It is close AFAIK.

I'd like to have it for HTTP SASL, which is an Internet Draft we're working on. We're already doing it for Java and Apache modules, but I'd like to also demo WSGI middleware using it.

(I know I'm welcome to submit a PR. Frankly, for me this would be one level too deep to get into. So I hope this is a fair request to a project that already has most of the expertise.)

Hi!

I am currently working on snakebite-py3, a Hadoop HDFS client written in Python. The software is currently maintained by Internet Archive: https://github.com/internetarchive/snakebite-py3

I sent a pull request a while ago to allow kerberos authentication and encryption with GSS-API using puresasl, since python-sasl (a wrapper around cyrus sasl) seemed not working and nobody really committed any code in ages to the repository. The code works great, I love this library :)

I am now trying to add the final block of code, that requires DIGEST-MD5 and auth-conf. It seems that this is not supported anymore by this library, but I'd love to know if it was possible to add it. I don't have any experience with SASL but I can offer help in case needed (code, tests, etc..).

Why would somebody need DIGEST-MD5 + auth-conf instead of using AES or similar? In Hadoop's case, this jira explains it really well: https://issues.apache.org/jira/browse/HDFS-6606

Basically I'd need DIGEST-MD5 encryption only to exchange keys and move to AES, a sort of extra crypto handshake.

I realize that this request seems a bit strange, but I am trying anyway, it seems to be a good use case and a lot of people would benefit from it.

Thanks in advance!

There is no kerberos support when trying to use this on windows. I have a local fix enabling winkerberos i would like to contribute.

Has anyone tried the GSSAPI mechanism on windows?
Is there any plans for this?

Thanks

I downloaded pure-sasl in my virtual environment today and mechanisms.py does not have the changes implemented in this commit that aimed to fix compatibility with winkerberos < 0.8.

My virtual environment's python version, pip version, and pure-sasl version screenshot below

Screenshot from the mechanisms.py pasted below. Line 21 still uses old code.

It is doing some magic, the winkerberos library has different capitalisation on the 'N' in name. this just makes it compatible.

Originally posted by @ryan-pip in #30 (comment)

This capitalization issue in winkerberos has been fixed. This line needs to be removed as currently it produces the following error:
AttributeError: module 'winkerberos' has no attribute 'authGSSClientUsername'

Using:
winkerberos=0.8.0
pure-sasl=0.6.2