本文详细介绍了服务器间使用SASL(Simple Authentication and Security Layer)进行验证的过程,并阐述了服务器回拨机制的具体实现。包括初始化、响应、认证挑战与响应等关键步骤,以及一种不安全的验证方式——服务器回拨的详细过程。
服务器到服务器SASL验证示例:
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
Step 2: Server2 responds with a stream tag sent to Server1:
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
id='s2s_234'
version='1.0'>
<stream:features>
<mechanismsxmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>KERBEROS_V4</mechanism>
</mechanisms>
</stream:features>
<authxmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'/>
Step 5: Server2 sends a BASE64 encoded challenge to Server1:
<challengexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
</challenge>
realm="somerealm",nonce="OA6MG9tEQGm2hh","
qop="auth",charset=utf-8,algorithm=md5-sess
<failurexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<incorrect-encoding/>
</failure>
</stream:stream>
<responsexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9ImV4YW1wbGUub3JnIixyZWFsbT0ic29tZXJlYWxtIixub25j
ZT0iT0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5j
PTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5v
cmciLHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3
LGNoYXJzZXQ9dXRmLTgK
</response>
username="example.org",realm="somerealm","
nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk","
nc=00000001,qop=auth,digest-uri="xmpp/example.org","
response=d388dad90d4bbd760a152321f2143af7,charset=utf-8
<challengexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</challenge>
rspauth=ea40f60335c427b5527b84dbabcdfffd
<failurexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<invalid-authzid/>
</failure>
</stream:stream>
Step 8: Server1 responds to the challenge:
<responsexmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
<abortxmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
<successxmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
<failurexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<aborted/>
</failure>
</stream:stream>
Step 10: Server1 initiates a new stream to Server2:
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com'
version='1.0'>
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
id='s2s_345'
version='1.0'>
<stream:features/>
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'>
Step 1: Server1 initiates stream to Server2:
<stream:streamxmlns='jabber:server'xmlns:stream='http://etherx.jabber.org/streams'to='example.com'version='1.0'>
Step 2: Server2 responds with a stream tag sent to Server1:
<stream:streamxmlns='jabber:server'xmlns:stream='http://etherx.jabber.org/streams'from='example.com'id='s2s_234'version='1.0'>
Step 3: Server2 informs Server1 of available authentication mechanisms:
<stream:features><mechanismsxmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>DIGEST-MD5</mechanism><mechanism>KERBEROS_V4</mechanism></mechanisms></stream:features>
Step 4: Server1 selects an authentication mechanism:
<authxmlns='urn:ietf:params:xml:ns:xmpp-sasl'mechanism='DIGEST-MD5'/>
<challengexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz</challenge>
The decoded challenge is:
realm="somerealm",nonce="OA6MG9tEQGm2hh","qop="auth",charset=utf-8,algorithm=md5-sess
Step 5 (alt): Server2 returns error to Server1:
<failurexmlns='urn:ietf:params:xml:ns:xmpp-sasl'><incorrect-encoding/></failure></stream:stream>
Step 6: Server1 sends a BASE64 encoded response to the challenge:
<responsexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>dXNlcm5hbWU9ImV4YW1wbGUub3JnIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0iT0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5vcmciLHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNoYXJzZXQ9dXRmLTgK</response>
The decoded response is:
username="example.org",realm="somerealm","nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk","nc=00000001,qop=auth,digest-uri="xmpp/example.org","response=d388dad90d4bbd760a152321f2143af7,charset=utf-8
Step 7: Server2 sends another BASE64 encoded challenge to Server1:
<challengexmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=</challenge>
The decoded challenge is:
rspauth=ea40f60335c427b5527b84dbabcdfffd
Step 7 (alt): Server2 returns error to Server1:
<failurexmlns='urn:ietf:params:xml:ns:xmpp-sasl'><invalid-authzid/></failure></stream:stream>
Step 8: Server1 responds to the challenge:
<responsexmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 8 (alt): Server1 aborts negotiation:
<abortxmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 9: Server2 informs Server1 of successful authentication:
<successxmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 9 (alt): Server2 informs Server1 of failed authentication:
<failurexmlns='urn:ietf:params:xml:ns:xmpp-sasl'><aborted/></failure></stream:stream>
Step 10: Server1 initiates a new stream to Server2:
<stream:streamxmlns='jabber:server'xmlns:stream='http://etherx.jabber.org/streams'to='example.com'version='1.0'>
Step 11: Server2 responds by sending a stream header to Server1 along with any additional features (or an empty features element):
<stream:streamxmlns='jabber:server'xmlns:stream='http://etherx.jabber.org/streams'from='example.com'id='s2s_345'version='1.0'><stream:features/>
服务器回拨
这是一种单向的,不安全的验证方式。
具体过程:
1, 服务器A发送流头部给服务器B:
<stream:streamxmlns:stream='http://etherx.jabber.org/streams'xmlns='jabber:server'xmlns:db='jabber:server:dialback'>
2,服务器B回送一个应答给A,包含了此次交互的ID:
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
id='457F9224A0...'>
3,服务器A发送一个回拨key给B
<db:result
to='Receiving Server'
from='Originating Server'>
98AF014EDC0...
</db:result>
4,服务器B同验证服务器C建立TCP连接,向C发送流头部:
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'>
5,C回送应答:
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
id='1251A342B...'>
6,B发送验证key的请求
<db:verify
from='Receiving Server'
to='Originating Server'
id='457F9224A0...'>
98AF014EDC0...
</db:verify>
7,验证服务器验证key是否合法:
<db:verify
from='Originating Server'
to='Receiving Server'
type='valid'
id='457F9224A0...'/>
or
<db:verify
from='Originating Server'
to='Receiving Server'
type='invalid'
id='457F9224A0...'/>
8,B通知A结果:
<db:result
from='Receiving Server'
to='Originating Server'
type='valid'/>
上面这个示例只是验证了从A到B的流是否合法,但不能保证从B到A是否合法,因此需要在反方向再进行一次验证。
扫一扫
1050
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
