So what is GS2? Briefly explained, it is a method that turns every GSS-API mechanism (with some exceptions) into a SASL mechanism automatically. The document describes a way to transform GSS-API mechanism OIDs (e.g., 1.2.840.113554.1.2.2) into SASL mechanism names (e.g., GS2-QLJHGJLWNPL) which takes care of uniquely identifying each mechanism in each framework. The content of each SASL message is exactly the same as the GSS-API context tokens, except (no rules without exceptions..) for the first message from the client to the server. The first message is modified to include a short prefix — called the “GS2 header” — before the first GSS-API context token. The shortest GS2 header is “n,,” which denotes that no channel binding is supported and no authorization identity is present. The GSS-API context token is modified to remove the ASN.1 blob that RFC 2743 section 3.1 requires to be present.

One important aspect of the GS2 design is that we make it easy for SASL mechanisms to become GSS-API mechanisms. To align a SASL mechanism to the GS2 framework, and thus to make it a GSS-API mechanism, a few steps are required. First, you need to assign an OID for the mechanism (if you don’t know how to do this, just contact me and I’ll assign an OID for you). Then you need to make sure the first message is compatible with GS2 in that it uses the GS2 header to signal channel binding and authorization identity. Finally, you need some discussion about what it means for your SASL mechanism to be used as a GSS-API mechanism. This may include discussions on naming types, meaning and use of GSS-API flags, whether delegated credentials are supported, how per-message tokens work.

The primary example SASL mechanism to make use of the GS2 design to become a GSS-API mechanism is SCRAM: also published yesterday as RFC 5802. SCRAM is an updated variant of the CRAM-MD5 and DIGEST-MD5 mechanisms (for example, it uses SHA-1 instead of MD5). Another recent example is the OpenID SASL mechanism.

My project GNU SASL supports both GS2 and SCRAM, see my earlier post on testing GS2-KRB5. I am not aware of any other project that implements GS2 yet, that is why my implementation is still marked as experimental.

• Wireless Home Network with OpenWRT and two routers
• Wireless Router with a 3G/UMTS/HSDPA dongle

wget -q ftp://alpha.gnu.org/gnu/gsasl/gsasl-1.5.0.tar.gz
tar xfz gsasl-1.5.0.tar.gz
cd gsasl-1.5.0
./configure --prefix=$HOME CFLAGS=-g
make all check install

Next you need to configure Kerberos on your system. If you have already have a configuration, make sure to take a backup of your configuration files. First let’s tell your machine about my interop Kerberos V5 realm by creating a file ~/Library/Preferences/edu.mit.Kerberos with the following content:

[libdefaults]
        default_realm = interop.josefsson.org

[realms]
        interop.josefsson.org = {
                kdc = interop.josefsson.org:88
        }

[domain_realm]
        interop.josefsson.org = interop.josefsson.org

Next get a ticket for a dummy user. Use the password ‘pass’ at the prompt:

espresso:~ jas$ kinit user@interop.josefsson.org
Please enter the password for user@interop.josefsson.org:
espresso:~ jas$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@interop.josefsson.org

Valid Starting     Expires            Service Principal
03/31/10 00:59:04  03/31/10 10:59:02  krbtgt/interop.josefsson.org@interop.josefsson.org
	renew until 01/01/70 01:00:00

klist: No Kerberos 4 tickets in credentials cache
espresso:~ jas$

Next connect to my test IMAP server using the command-line ‘gsasl’ tool (long lines cut for legibility):

espresso:~ jas$ ~/bin/gsasl interop.josefsson.org -auser
Trying `interop.josefsson.org'...
* OK IMAP4rev1
. CAPABILITY
* CAPABILITY ... AUTH=GS2-KRB5
. OK CAPABILITY Completed
. AUTHENTICATE GS2-KRB5
+
biwsAQBuggINMIICCa...
+ YHEGCSqGSIb3EgEC...

. OK AUTHENTICATE GS2-KRB5 authentication successful
Client authentication finished (server trusted)...
Enter application data (EOF to finish):
. list "" "*"
* LIST (\NoInferiors) NIL INBOX
* LIST (\NoInferiors) "/" .bashrc
* LIST (\NoInferiors) "/" .bash_logout
* LIST (\NoInferiors) "/" .profile
* LIST (\NoInferiors) "/" .bash_history
. OK LIST Completed
. logout
* BYE Session terminating.
. OK LOGOUT Completed
Session finished...
. LOGOUT
espresso:~ jas$

There! You have just completed a GS2-KRB5 authenticated session.

Of course, this works just as well on your favorite GNU/Linux system, but I thought I’d explain it for a non-GNU platform and GSS-API library to show that the code is quite portable despite its experimental status.

Btw, the server is running GNU Shishi as the Kerberos V5 KDC and GNU MailUtils as the IMAP server. The IMAP server is using GNU SASL in server mode.

Now back to coding.

As you can see, my script looks for functions mentioned in the latest POSIX specification as being thread unsafe. In the last POSIX release, they actually removed some older interfaces (e.g., gethostbyname) so the script also checks for thread-unsafe functions mentioned in one older POSIX specification.

Russel’s approach is to look for man pages of functions ending with _r and labeling the non-_r-function as a thread unsafe function. Russel’s and my approach are quite different, so I wanted to compare the results. There is potential for me to add more functions to search for. I still want to preserve my approach of explicitly listing known thread unsafe functions, though.

Running Russel’s command, I get a list of functions that my script catches that Russel’s doesn’t, and vice versa. For reference, the functions that my script catches that Russel’s doesn’t are:

basename catgets dbm_clearerr dbm_close dbm_delete dbm_error dbm_fetch dbm_firstkey dbm_nextkey dbm_open dbm_store dirname dlerror endgrent endpwent endutxent ftw gcvt getc_unlocked getchar_unlocked getenv getopt getutxent getutxid getutxline inet_ntoa l64a lgamma lgammaf lgammal localeconv nftw nl_langinfo putc_unlocked putchar_unlocked putenv pututxline setenv setgrent setpwent setutxent strsignal system unsetenv wcstombs wctomb

The list contains lgamma, lgammaf, and lgammal which are all excluded by Russel’s command. I don’t understand why — according to the man page, the functions uses a global variable for sign, which doesn’t seem thread safe. So it seems right to include them?

What’s more interesting (for me) is the list of functions that Russel’s script catches that my script currently doesn’t. Here is the list:

erand48 ether_aton ether_ntoa fgetgrent fgetpwent fgetspent getaliasbyname getaliasent gethostbyname2 getmntent getnetgrent getrpcbyname getrpcbynumber getrpcent getspent getspnam getutent getutid getutline initstate jrand48 lcong48 nrand48 qecvt qfcvt random seed48 setstate sgetspent srand48 srandom tmpnam

I started looking into each function. For erand48 there is a erand48_r function in glibc, and the former does indeed seem to use a global variable. However, as far as I can tell from the POSIX specification, erand48 should be thread safe. So I filed a glibc bug about it. The same concern may hold for jrand48, lcong48, nrand48, seed48, and srand48.

I noticed that initstate, random, setstate, and srandom are defined by latest POSIX, but not mentioned as a thread-unsafe functions. Possibly a bug in the POSIX specification?

I also noticed that I had missed to include tmpnam even though it is mentioned separately in the POSIX link.

The rest of the functions are not documented by POSIX, and presumably thread unsafe (although I didn’t read the man page or source code for each of them).

In the end, I ended up adding several new functions to check for. The latest script is always available from:

http://git.savannah.gnu.org/cgit/gsasl.git/tree/tests/threadsafety

So, finally, did the updated script catch any use of thread-unsafe functions in GNU SASL? Nope.

kniv:~# apt-get install gnutls-bin

The next step is to generate a private key:

kniv:/etc/exim4# certtool –generate-privkey –outfile exim.key
Generating a 2048 bit RSA private key…
kniv:/etc/exim4#

You can use --dsa if you want to use DSA instead of RSA, and can change the key size using --bits. The default is 2048-bit RSA which should be good enough for most people.

The next step is to generate a Certificate Request. CACert only looks at the Common Name field, so I left the rest empty. If you are using some commercial CA, you may need to enter something in the other fields.

kniv:/etc/exim4# certtool –generate-request –load-privkey exim.key –outfile exim.csr
Generating a PKCS #10 certificate request…
Country name (2 chars):
Organization name:
Organizational unit name:
Locality name:
State or province name:
Common name: kniv.josefsson.org
UID:
Enter a challenge password:
kniv:/etc/exim4#

Then login to CACert and click on ‘Server Certificates’ and then ‘New’. It will ask you to paste in the certificate request. Here you paste in the content of the exim.csr file. CACert will ask you to confirm the hostname. After that it will show a certificate in the resulting web page. Put the certificate in a file exim.crt like this:

kniv:/etc/exim4# cat>exim.crt
-----BEGIN CERTIFICATE-----
MIIEuDCCAqCgAwIBAgICegUwDQYJKoZIhvcNAQEFBQAwVDEUMBIGA1UEChMLQ0Fj
ZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UE
AxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDAeFw0wOTA0MTYxNTIyNDFaFw0xMTA0MTYx
NTIyNDFaMB0xGzAZBgNVBAMTEmtuaXYuam9zZWZzc29uLm9yZzCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAOCA/9NCraz72OG9c41w0aPenWZcdyiwI+OZ
2drOFHAQf0y9ihKZtZSkMJHHQBIdYwQPvaXuvzWJG6leaIeed4/Er/7BMvN4NqhU
r28qPv5HHCkGEKfUmmc5+sorYSCAgsEJU5SITIjpeSZqcL07hib+Mj0PUUkcVRZU
Jk7WHMaHFUZ1gvbYHEvk9C29CS/yq6SqAWdLwY8FRBHW9XvQa+zVp9j+ZecwS87i
NjzCMI13NAMEBanEc4LKuG2bN0EGGbceyd91YnCxQNDSiXrm9GvAfboidKmNmgAI
LJqAy3gXCCu0BXHDtJut8Z6mOz6gu5bFeLV3jARk+/CHVXypi7sCAwEAAaOByjCB
xzAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJ
YIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQn
MCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMD8GA1UdEQQ4
MDaCEmtuaXYuam9zZWZzc29uLm9yZ6AgBggrBgEFBQcIBaAUDBJrbml2Lmpvc2Vm
c3Nvbi5vcmcwDQYJKoZIhvcNAQEFBQADggIBABi/NjSTTFvw9XLWgfm7wnnOO9LP
U8yEgrQYCNIW6Zh7zH5w+pGzvBUSMOthMnmyfLacZSYjtOknlIG2kNDZEGaWznCN
WPMjNTctarR/g2qnD329o6orxPiK6Nmtcvcrj7BTecHDcExtE7CPe+msBN4OzIj1
zQGTMjge/Ofhft4Y2vYHOJMqsrQ2vj8xnUE7yGpw7IPDFTnyIyw55lSSbnAhACkp
eLrTcyYpxs7gTcaKqTOUEmUKCFqPsGPRGP3cgIMn3MHgqdq6b0XeF8E9+4iSuHBa
yPOxeWDLV4OEZZ0ygiQBgXyZQ+aRsuLo2BTSW0UEf+/J4ZbPiZlrUPouJ5tADceN
7DDhZu3q2RtCQLTNrMaUUY0uvUS41T8iox00tphi7DsOqq/Sku8vVR370NJJmWix
ChD74seszVlU+nPsrvFGN53+1wbgvtFSOSTRol7AvaPnx2TvC215GZ3wRb/WGCm4
r2em9QsI1T+7AjSHoFoaCWfFekHa1x+q7IJoAt/uMJBrvimC0ioTUMkyfrkcLWTr
mFObSwvq6zhV+MhgtYe/nEkb45eAyy5TP3qvmrjBAKad0qUpazmRbiWsb5VLK1hO
+FR6nD1aNDyukCSO0UH6bu9BzcbET5kkybkSlslDnrNfpn16EsIlrQgZ9RrF1Dr/
a6rS5JJX1gbewzse
-----END CERTIFICATE-----
kniv:/etc/exim4#

That’s it!

You need to finish the Exim4 configuration. Below ^D means to type ctrl-d.

kniv:/etc/exim4# chgrp Debian-exim exim.key
kniv:/etc/exim4# chmod g+r exim.key
kniv:/etc/exim4# cat>/etc/exim4/conf.d/main/000_local
MAIN_LOG_SELECTOR=+tls_cipher +tls_peerdn
MAIN_TLS_ENABLE=t
^D
kniv:/etc/exim4# update-exim4.conf
kniv:/etc/exim4# /etc/init.d/exim4 restart
Stopping MTA for restart: exim4_listener.
Restarting MTA: exim4.
kniv:/etc/exim4#

You can test the setup by using gnutls-cli. Again, ^D means ctrl-d.

kniv:/etc/exim4# gnutls-cli -s -p 25 kniv.josefsson.org
Resolving 'kniv.josefsson.org'...
Connecting to '195.238.76.189:25'...

- Simple Client Mode:

220 kniv ESMTP Exim 4.69 Thu, 16 Apr 2009 18:10:19 +0200
ehlo foo
250-kniv Hello kniv.josefsson.org [195.238.76.189]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
^D
*** Starting TLS handshake
- Successfully sent 0 certificate(s) to server.
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2056 bits
 - Secret key: 2040 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'kniv.josefsson.org'.
 # valid since: Thu Apr 16 17:22:41 CEST 2009
 # expires at: Sat Apr 16 17:22:41 CEST 2011
 # fingerprint: 21:C5:4E:60:02:02:93:9A:3B:B6:F0:D6:8E:6B:6C:B0
 # Subject's DN: CN=kniv.josefsson.org
 # Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root

- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
quit
221 kniv closing connection
- Peer has closed the GNUTLS connection
kniv:/etc/exim4#

The writeup on how to do this is long, so I put it at a separate page:
http://josefsson.org/openwrt/dongle.html

However, getting it up and running with lighttpd on a modern debian lenny installation was not trivial, and I needed some help from #redmine (thanks stbuehler). After finally getting it up and running, I made a copy of the machine using rsync and rsnapshot, so I could re-create a working configuration if I get stuck, and then re-installed the virtual machine.

The notes below are the steps required to set up Redmine using Lighttpd and MySQL on a Debian Lenny. I’m posting this to help others searching for the error messages I got, and to help my own memory in case I need to re-install the server sometime.

I assume you have installed Debian Lenny, and have root access to it. You need to install some dependencies:

apt-get install mysql-server rails lighttpd
apt-get install librmagick-ruby
apt-get install subversion git-core

It is highly recommend to set a password on the MySQL root account, for example:

# /usr/bin/mysql -u root -D mysql -e “update user set password=password(’foobar’) where user=’root’”
# /usr/bin/mysql -u root -e “flush privileges”

There are official Redmine installation instructions, and these steps follow them but contains more details.

First, create a database for Redmine and set up a MySQL user, like this:

li37-61:~# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 5.0.51a-15 (Debian)

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> create database redmine character set utf8;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER ON redmine.* TO ‘rbuser’@'localhost’ IDENTIFIED BY ‘barfoo’;
Query OK, 0 rows affected (0.00 sec)

mysql>

Then download and install Redmine.

You could check out the code using SVN although I chosed to use a stable release. I created a new user for the redmine installation, to reduce root account usage.

adduser –disabled-password redmine
su redmine
wget http://rubyforge.org/frs/download.php/39477/redmine-0.7.3.tar.gz
tar xfz redmine-0.7.3.tar.gz
ln -s redmine-0.7.3 redmine

Modify the file redmine*/config/database.yml to read:

production:
  adapter: mysql
  database: redmine
  host: localhost
  username: rbuser
  password: barfoo
  encoding: utf8

You should now setup the database, however I got the following error at this point:

redmine@li37-61:~/redmine$ rake db:migrate RAILS_ENV=”production”
(in /home/redmine/redmine)
rake aborted!
No such file or directory - /tmp/mysql.sock

(See full trace by running task with –trace)
redmine@li37-61:~/redmine$

The problem is that you need the Ruby MySQL wrappers. This isn’t really clear from the error message. Install it using:

# apt-get install libmysql-ruby

Now re-run the database setup as the redmine user.

redmine@li37-61:~/redmine$ rake db:migrate RAILS_ENV=”production
…
redmine@li37-61:~/redmine$ rake redmine:load_default_data RAILS_ENV=”production”
(in /home/redmine/redmine-0.7.3)

Select language: bg, cs, da, de, en, es, fi, fr, he, hu, it, ja, ko, lt, nl, no, pl, pt, pt-br, ro, ru, sr, sv, th, uk, zh, zh-tw [en]
====================================
Default configuration data loaded.
redmine@li37-61:~/redmine$

At this point you should be able to test the Redmine installation using:

ruby script/server -e production

Shut it down before you continue with next steps.

Create a file called /etc/lighttpd/conf-available/20-redmine.conf and put the following in it. Change the filename and hostname as appropriate, but be sure the change commands later on.

server.modules   += ( "mod_fastcgi" )

$HTTP["host"] == "redmine.josefsson.org" {
  server.document-root = "/home/redmine/redmine/public/"
  fastcgi.server    = ( ".fcgi" =>
        ((
                "bin-path" => "/home/redmine/redmine/public/dispatch.fcgi",
                "socket" => "/tmp/ruby-rails.socket",
                "max-procs" => 5,
                "idle-timeout" => 20,
                "bin-environment" => (
                        "RAILS_ENV" => "production",
                        "RAILS_ROOT" => "/home/redmine/redmine"
                ),
        ))
  )
  magnet.attract-physical-path-to = ( "/home/redmine/cleanurl.lua" )
}

Enable the module using:

# lighttpd-enable-mod redmine

You will also need to create a FastCGI wrapper:

li37-61:/home/redmine/redmine/public# cp dispatch.fcgi.example dispatch.fcgi
li37-61:/home/redmine/redmine/public# chmod +x dispatch.fcgi

At this point, it can be useful to tail the various log files, I’m using a command like:

tail -F /var/log/lighttpd/access.log /var/log/lighttpd/error.log /home/redmine/redmine/log/production.log

Starting the lighttpd server at this point results in an error message:

li37-61:~# /etc/init.d/lighttpd restart
Stopping web server: lighttpd.
Starting web server: lighttpd.
li37-61:~#
2008-10-17 04:50:03: (mod_fastcgi.c.1047) the fastcgi-backend /home/redmine/redmine/public/dispatch.fcgi failed to start:
2008-10-17 04:50:03: (mod_fastcgi.c.1051) child exited with status 9 /home/redmine/redmine/public/dispatch.fcgi
2008-10-17 04:50:03: (mod_fastcgi.c.1054) If you’re trying to run PHP as a FastCGI backend, make sure you’re using the FastCGI-enabled version.
You can find out if it is the right one by executing ‘php -v’ and it should display ‘(cgi-fcgi)’ in the output, NOT ‘(cgi)’ NOR ‘(cli)’.
For more information, check http://trac.lighttpd.net/trac/wiki/Docs%3AModFastCGI#preparing-php-as-a-fastcgi-programIf this is PHP on Gentoo, add ‘fastcgi’ to the USE flags.
2008-10-17 04:50:03: (mod_fastcgi.c.1358) [ERROR]: spawning fcgi failed.
2008-10-17 04:50:03: (server.c.908) Configuration of plugins failed. Going down.

FastCGI modules are not installed by default, so you will need to install them:

li37-61:~# apt-get install libfcgi-ruby1.8

Restarting the server again, and accessing dispatch.fcgi using your browser, will result in errors like:

Status: 500 Internal Server Error
No route matches “/dispatch.fcgi” with {:method=>:get}

Solving this is the most complicated part, and I’m not sure whether there are better solutions. Here is what I did. First, install lighttpd’s mod-magnet:

# apt-get install lighttpd-mod-magnet
# lighttpd-enable-mod magnet

Then get a small script to invoke dispatch.fcgi properly:

cd /home/redmine
wget http://nordisch.org./cleanurl.lua

For reference, the contents of the script is:

-- little helper function
function file_exists(path, ftype)
  local attr = lighty.stat(path)
  return (attr and attr[ftype])
end

function check_path(path)
    local rv = path
    if (not file_exists(path, "is_file")) then
        rv = nil
        local html_file = path .. ".html"
        if (file_exists(html_file, "is_file")) then
            rv = html_file
        else
            -- handle directory indeces
            -- we first check if we have a dir and than look for an index.html
            local index_file = path .. "/index.html"
            if (file_exists(path,"is_dir") and file_exists(index_file, "is_file")) then
                rv = index_file
            end
        end
    end
    if rv then
        lighty.env["physical.path"] = rv
    end
    return rv
end

-- the magic 
if (not check_path(lighty.env["physical.path"])) then
    -- file still missing. pass it to the fastcgi backend
    lighty.env["uri.path"]          = "/dispatch.fcgi"
    lighty.env["physical.rel-path"] = lighty.env["uri.path"]
    lighty.env["request.orig-uri"]  = lighty.env["request.uri"]
    lighty.env["physical.path"]     = lighty.env["physical.doc-root"] .. lighty.env["physical.rel-path"]
end
-- fallthrough will put it back into the lighty request loop
-- that means we get the 304 handling for free. 
-- debugging code
-- print ("final file is " ..  lighty.env["physical.path"])

At this point, you should be able to restart lighttpd and access your server successfully!

If you get permission errors such as:

Status: 500 Internal Server Error
file /home/redmine/redmine-0.7.3/tmp/sessions//ruby_sess.c06b5f395568fd87 not readable

You need to re-run these commands:

li37-61:/home/redmine/redmine-0.7.3# chgrp -R www-data files log tmp
li37-61:/home/redmine/redmine-0.7.3# chmod -R 775 files log tmp

Happy hacking!