This is an old revision of the document!


LSMCD Security Using SASL

SASL (Simple Application and Security Layer) is the method used to secure data in LSMCD and Memcached. There are various subtle differences in configuration between the two. This section describes the configuration you need to perform to allow LSMCD to operate in a SASL environment.

Enabling SASL is database wide. Once SASL is enabled, all non-SASL databases will need to be regenerated. You will also need to regenerate your databases (the files stored in the Cached.ShmDir parameter of your node.conf file) if you wish to remove SASL.

You can also secure data by user using SASL. See https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:lsmcd:sasl_secure_user_data for details.

As for memcached, if you enable SASL, text telnet commands will no longer work as there is no security mechanism in telnet.

There are a number steps to configuring LSMCD to operate with SASL:

  • Enable SASL in your lsmcd.conf file.
  • Create and configure a user database.
  • Configure any additional settings needed for PHP.

Enable SASL in Your Configuration File

This is discussed in LSCMD Configuration, which also discusses overall configuration.

In particular you need to specify in your node.conf file:

CACHED.USESASL=TRUE

Note that once SASL is enabled, access to all memcached functions are going to fail with an error written to the lsmcd log (defaults to /tmp/lsmcd.log). Also when SASL is enabled, ASCII functions (telnet and other ASCII functions) will fail.

Create and Configure a User Database

A user database is required. The recommended method uses saslauthd, which is provided as part of Cyrus SASL to create a sasldb managed database. In prior versions there was only the MEMCACHED_SASL_PWDB environment variable method.

No matter the method you choose, you become the security administrator for these accounts.

Option #1 (Recommended): sasldb Managed Database

A sasldb database is typically stored in /etc/sasldb2 and is managed using the saslpasswd2 program. You must be root to manage users with saslpasswd2.

To create a user named user1 enter saslpasswd2 user1. You will be prompted for the password twice for that user. That information will then need to be coded in your memcached program. Details on the use of saslpasswd2 can be found in numerous places on the internet including gsp.com.

Option #2: MEMCACHED_SASL_PWDB Environment Variable

If there is no MEMCACHED_SASL_PWDB defined, then the default SASL database is /etc/sasl/sasldb.conf and will be used if it exists. To specify the location of the SASL database, export the MEMCACHED_SASL_PWDB environment variable, which is active when LSMCD is started.

If, for example, you create a file named /etc/sasl/sasldb.conf you would need to export MEMCACHED_SASL_PWDB=/etc/sasl/sasldb.conf before starting LSMCD. It is considered good practice to have this file owned by the LSMCD user and readable by only that user (chmod 600).

Each line in your user database is a user name, a colon (:), and a password. For example if you had two users (user and sasluser) you might create a /etc/sasl/sasldb.conf with the following lines in it:

user:password
sasluser:saslpassword

You will also need to create a SASL Configuration File if you are using this method.

Create and Configure a SASL Configuration File

A SASL configuration file must be given one of the following names: /etc/sasl/memcached.conf, /tmp/memcached.conf or it may be saved to any file or location that you wish via the SASL_CONF_PATH environment variable. Note that this environment variable must be set in the system environment or in the environment where you started LSMCD (using lsmcdctrl). Regardless of its name or location the LSMCD user must have read permission to access your configuration file.

As of v1.2, there is only one parameter and value supported:

mech_list: PLAIN

Other SASL parameters can be specified in this file however, they are not supported by LSMCD and will generally be ignored.

Configure for PHP

The procedures for the Memcached extension to PHP are documented at http://php.net/manual/en/memcached.setup.phpphp.net. You know you have it right if phpinfo displays a Memcached section.

The following is a sample PHP script you could create (named memcached.php) to validate that LSMCD is correctly installed and configured to work with SASL. You'll need to place it in the HTML directory of your server and adjust the user/password and other settings for your environment.

Some notes for all programming environments:

  • You must instantiate an instance of the Memcached object (Memcache no longer works).
  • You must use the binary protocol.
  • You must make the call to set the SASL authentication information (user/password) before you add the server.
  • Once you add the server successfully, you can perform all standard Memcached operations (get, put, etc.).
<?php
$mem_var = new Memcached();
$mem_var->setSaslAuthData('user', 'password');
$mem_var->setOption(Memcached::OPT_BINARY_PROTOCOL, true);
$mem_var->setOption(Memcached::OPT_COMPRESSION, false);
$mem_var->addServer("127.0.0.1", 11211);
$response = $mem_var->get("SampleKey");
if ($response) {
 echo "get(SampleKey) => " . $response;
} else if ($mem_var->getResultCode() == Memcached::RES_NOTFOUND) {
 echo "Adding a key/value: SampleKey/SampleValue";
 $mem_var->set("SampleKey", "SampleValue") or 
 die("SampleKey Couldn't be Created: '( " . $mem_var->getResultMessage() . 
   " )' ");
} else die ("Error in get: " . $mem_var->getResultCode() . ": " . 
      $mem_var->getResultMessage());
?>

Start LiteSpeed and LSMCD and point your browser to the web page you created. If the user or password are incorrect you'll see a message like Error in get: 41: AUTHENTICATION FAILURE. However if you have it right you'll see the first time you access the page Adding a key/value: SampleKey/SampleValue and subsequent accesses will show get(SampleKey) ⇒ SampleValue.

If you do not use the $mem_var→setSaslAuthData('user', 'password'); line, then this example will work for non-SASL environments as well.

  • Admin
  • Last modified: 2018/06/25 14:01
  • by Robert Perper