This chapter includes information about the Simple Authentication and Security Layer (SASL).SASL (Overview) SASL (Reference) SASLoverview /usr/lib/libsasl.so libraryoverview new featuresSASL The Simple Authentication and Security Layer (SASL) is a framework that provides authentication and optional security services to network protocols. An application calls the SASL library, /usr/lib/libsasl.so, which provides a glue layer between the application and the various SASL mechanisms. The mechanisms are used in the authentication process and in providing optional security services. The version of SASL delivered with the Solaris 10 release is derived from the Cyrus SASL with a few changes.SASL provides the following services:Loading of any plug-ins Determining the necessary security options from the application to aid in the choice of a security mechanism Listing of plug-ins that are available to the application Choosing the best mechanism from a list of available mechanisms for a particular authentication attempt Routing the authentication data between the application and the chosen mechanism Providing information about the SASL negotiation back to the application The following section provides information about the implementation of SASL for the Solaris 10 release.SASLplug-ins pluginsSASL and SASL plug-ins provide support for security mechanisms, user-canonicalization, and auxiliary property retrieval. By default, the dynamically loaded 32-bit plug-ins are installed in /usr/lib/sasl, and the 64-bit plug-ins are installed in /usr/lib/sasl/$ISA. The following security mechanism plug-ins are provided in the Solaris 10 release:crammd5.so.1 plug-inSASL and crammd5.so.1CRAM-MD5, which supports authentication only, no authorization digestmd5.so.1 plug-inSASL and digestmd5.so.1DIGEST-MD5, which supports authentication, integrity, and privacy, as well as authorization gssapi.so.1 plug-inSASL and gssapi.so.1GSSAPI, which supports authentication, integrity, and privacy, as well as authorization. The GSSAPI security mechanism requires a functioning Kerberos infrastructure. plain.so.1 plug-inSASL and plain.so.1PLAIN, which supports authentication and authorization. INTERNAL plug-inSASL andEXTERNAL security mechanism plug-inSASL andIn addition, the EXTERNAL security mechanism plug-in and the INTERNAL user canonicalization plug-ins are built into libsasl.so.1. The EXTERNAL mechanism supports authentication and authorization. The mechanism supports integrity and privacy if the external security source provides it. The INTERNAL plug-in adds the realm name if necessary to the username.The Solaris 10 release is not supplying any auxprop plug-ins at this time. For the CRAM-MD5 and DIGEST-MD5 mechanism plug-ins to be fully operational on the server side, the user must provide an auxprop plug-in to retrieve clear text passwords. The PLAIN plug-in requires additional support to verify the password. The support for password verification can be one of the following: a callback to the server application, an auxprop plug-in, saslauthd, or pwcheck. The salauthd and pwcheck daemons are not provided in the Solaris releases. For better interoperability, restrict server applications to those mechanisms that are fully operational by using the mech_list SASL option. SASLenvironment variable By default, the client authentication name is set to getenv("LOGNAME"). This variable can be reset by the client or by the plug-in. SASLoptions The behavior of libsasl and the plug-ins can be modified on the server side by using options that can be set in the /etc/sasl/app.conf file. The variable app is the server-defined name for the application. The documentation for the server app should specify the application name.The following options are supported in the Solaris 10 release:auto_transition optionSASL and auto_transitionAutomatically transitions the user to other mechanisms when the user does a successful plain text authentication. auxprop_login optionSASL and auxprop_loginLists the name of auxiliary property plug-ins to use. canon_user_plugin optionSASL and canon_user_pluginSelects the canon_user plug-in to use. mech_list optionSASL and mech_listLists the mechanisms that are allowed to be used by the server application. pwcheck_method optionSASL and pwcheck_methodLists the mechanisms used to verify passwords. Currently, auxprop is the only allowed value. reauth_timeout optionSASL and reauth_timeoutSets the length of time, in minutes, that authentication information is cached for a fast reauthentication. This option is used by the DIGEST-MD5 plug-in. Setting this option to 0 disables reauthentication. The following options are not supported in the Solaris 10 release:plugin_list optionSASL and plugin_listLists available mechanisms. Not used because the option changes the behavior of the dynamic loading of plugins. saslauthd_path optionSASL and saslauthd_pathDefines the location of the saslauthd door, which is used for communicating with the saslauthd daemon. The saslauthd daemon is not included in the Solaris 10 release. So, this option is also not included. keytab optionSASL and keytabDefines the location of the keytab file used by the GSSAPI plug-in. Use the KRB5_KTNAME environment variable instead to set the default keytab location. The following options are options not found in Cyrus SASL. However, they have been added for the Solaris 10 release:use_authid optionSASL and use_authidAcquire the client credentials rather than use the default credentials when creating the GSS client security context. By default, the default client Kerberos identity is used. log_level optionSASL and log_levelSets the desired level of logging for a server.