thobbs/pure-sasl

DIGEST-MD5 and auth-conf


Hi!

I am currently working on snakebite-py3, a Hadoop HDFS client written in Python. The software is currently maintained by Internet Archive: https://github.com/internetarchive/snakebite-py3

I sent a pull request a while ago to allow Kerberos authentication and encryption with GSS-API using puresasl, since python-sasl (a wrapper around Cyrus SASL) seemed not to be working and nobody had really committed any code to the repository in ages. The code works great, I love this library :)

I am now trying to add the final block of code, which requires DIGEST-MD5 and auth-conf. It seems that this is not supported anymore by this library, but I'd love to know if it was possible to add it. I don't have any experience with SASL but I can offer help in case needed (code, tests, etc.).

Why would somebody need DIGEST-MD5 + auth-conf instead of using AES or similar? In Hadoop's case, this jira explains it really well: https://issues.apache.org/jira/browse/HDFS-6606

Basically I'd need DIGEST-MD5 encryption only to exchange keys and move to AES, a sort of extra crypto handshake.

I realize that this request seems a bit strange, but I am trying anyway; it seems to be a good use case and a lot of people would benefit from it.

Thanks in advance!

Hi @elukey

You're correct that GSSAPI is currently puresasl's only mechanism that supports auth-int and auth-conf. It's feasible to add for DIGEST-MD5 -- RFC 2831 sec 2.3 - 2.4 would need to be implemented in puresasl.mechanisms.DigestMD5Mechanism.wrap() and .unwrap().

I'm unable to prioritize implementing this myself right now but I would be happy to merge a PR with a tested implementation.
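As an added illustration of what the reply points to (not puresasl code and not part of either comment), the sketch below implements only the RFC 2831 section 2.3 integrity layer: key derivation from H(A1) and the 16-byte MAC block appended by wrap() and checked by unwrap(). The `IntegrityLayer` class and helper names are hypothetical, H(A1) is assumed to be the 16-byte session key from the completed DIGEST-MD5 exchange, and the section 2.4 cipher step needed for auth-conf is left out.

```python
import hashlib
import hmac
import struct

# Magic constants defined in RFC 2831 section 2.3.
C2S_MAGIC = b"Digest session key to client-to-server signing key magic constant"
S2C_MAGIC = b"Digest session key to server-to-client signing key magic constant"
MSG_TYPE = 1   # 2-byte message type, always 1
MAC_LEN = 16   # 10 bytes of HMAC-MD5 + 2-byte type + 4-byte sequence number


def integrity_keys(h_a1):
    """Derive (Kic, Kis) from the 16-byte H(A1) session key."""
    kic = hashlib.md5(h_a1 + C2S_MAGIC).digest()
    kis = hashlib.md5(h_a1 + S2C_MAGIC).digest()
    return kic, kis


def mac_block(ki, seqnum, msg):
    """MAC(Ki, SeqNum, msg) = (HMAC(Ki, {SeqNum, msg})[0..9], 0x0001, SeqNum)."""
    seq = struct.pack("!I", seqnum)
    digest = hmac.new(ki, seq + msg, hashlib.md5).digest()
    return digest[:10] + struct.pack("!H", MSG_TYPE) + seq


class IntegrityLayer:
    """Hypothetical helper: one side of an auth-int security layer."""

    def __init__(self, send_key, recv_key):
        self.send_key, self.recv_key = send_key, recv_key
        self.send_seq = self.recv_seq = 0  # both counters start at zero

    def wrap(self, msg):
        out = msg + mac_block(self.send_key, self.send_seq, msg)
        self.send_seq += 1
        return out

    def unwrap(self, data):
        if len(data) < MAC_LEN:
            raise ValueError("buffer shorter than MAC block")
        msg, received = data[:-MAC_LEN], data[-MAC_LEN:]
        expected = mac_block(self.recv_key, self.recv_seq, msg)
        # Constant-time compare; a mismatch also catches replayed or
        # reordered messages, since the expected sequence number differs.
        if not hmac.compare_digest(received, expected):
            raise ValueError("MAC mismatch: message discarded")
        self.recv_seq += 1
        return msg
```

A client builds `IntegrityLayer(kic, kis)` and a server `IntegrityLayer(kis, kic)`; the 4-byte SASL buffer length prefix is framing outside this sketch.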