5 This document defines a small plain-text protocol used to perform
6 authentication and negotiate a security layer before the flow of D-BUS
7 messages begins. This protocol is intended to be a profile of the
8 Simple Authentication and Session Layer [SASL].
10 This document is loosely based on the POP3 SASL profile by John Myers.
12 Conventions Used in this Document
15 In examples, "C:" and "S:" indicate lines sent by the client and
18 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
19 in this document are to be interpreted as defined in "Key words for
20 use in RFCs to Indicate Requirement Levels" [RFC 2119]
25 The protocol is a line-based protocol, where each line ends with
26 \r\n. Each line begins with an all-caps ASCII command name containing
27 only the character range [A-Z], a space, then any arguments for the
28 command, then the \r\n ending the line. The protocol is
29 case-sensitive. All bytes must be in the ASCII character set.
31 Commands from the client to the server are as follows:
33 AUTH [mechanism] [initial-response]
39 DATA <data in base 64 encoding>
41 ERROR [human-readable error explanation]
43 From server to client are as follows:
45 REJECTED <space-separated list of mechanism names>
49 DATA <data in base 64 encoding>
53 Special credentials-passing nul byte
56 Immediately after connecting to the server, the client must send a
57 single nul byte. This byte may be accompanied by credentials
58 information on some operating systems that use sendmsg() with
59 SCM_CREDS or SCM_CREDENTIALS to pass credentials over UNIX domain
60 sockets. However, the nul byte MUST be sent even on other kinds of
61 socket, and even on operating systems that do not require a byte to be
62 sent in order to transmit credentials. The text protocol described in
63 this document begins after the single nul byte. If the first byte
64 received from the client is not a nul byte, the server may disconnect
67 A nul byte in any context other than the initial byte is an error;
68 the protocol is ASCII-only.
70 The credentials sent along with the nul byte may be used with the
71 SASL mechanism EXTERNAL.
76 If an AUTH command has no arguments, it is a request to list
77 available mechanisms. The server SHOULD respond with a REJECTED
78 command listing the mechanisms it understands.
80 If an AUTH command specifies a mechanism, and the server supports
81 said mechanism, the server SHOULD begin exchanging SASL
82 challenge-response data with the client using DATA commands.
84 If the server does not support the mechanism given in the AUTH
85 command, it SHOULD send a REJECTED command listing the mechanisms
88 If the [initial-response] argument is provided, it is intended for
89 use with mechanisms that have no initial challenge (or an empty
90 initial challenge), as if it were the argument to an initial DATA
91 command. If the selected mechanism has an initial challenge, the
92 server should reject authentication by sending REJECTED.
94 If authentication succeeds after exchanging DATA commands,
95 an OK command should be sent to the client.
97 The first octet received by the client after the \r\n of the OK
98 command MUST be the first octet of the authenticated/encrypted
99 stream of D-BUS messages.
101 The first octet received by the server after the \r\n of the BEGIN
102 command from the client MUST be the first octet of the
103 authenticated/encrypted stream of D-BUS messages.
108 At any time up to sending the BEGIN command, the client may send a
109 CANCEL command. On receiving the CANCEL command, the server MUST
110 send a REJECTED command and abort the current authentication
116 The DATA command may come from either client or server, and simply
117 contains a base64-encoded block of data to be interpreted
118 according to the SASL mechanism in use.
123 The BEGIN command acknowledges that the client has received an
124 OK command from the server, and that the stream of messages
127 The first octet received by the server after the \r\n of the BEGIN
128 command from the client MUST be the first octet of the
129 authenticated/encrypted stream of D-BUS messages.
134 The REJECTED command indicates that the current authentication
135 exchange has failed, and further exchange of DATA is inappropriate.
136 The client would normally try another mechanism, or try providing
137 different responses to challenges.
139 Optionally, the REJECTED command has a space-separated list of
140 available auth mechanisms as arguments. If a server ever provides
141 a list of supported mechanisms, it MUST provide the same list
142 each time it sends a REJECTED message. Clients are free to
143 ignore all lists received after the first.
148 The OK command indicates that the client has been authenticated,
149 and that further communication will be a stream of D-BUS messages
150 (optionally encrypted, as negotiated) rather than this protocol.
152 The first octet received by the client after the \r\n of the OK
153 command MUST be the first octet of the authenticated/encrypted
154 stream of D-BUS messages.
156 The client MUST respond to the OK command by sending a BEGIN
157 command, followed by its stream of messages, or by disconnecting.
158 The server MUST NOT accept additional commands using this protocol
159 after the OK command has been sent.
164 The ERROR command indicates that either server or client did not
165 know a command, does not accept the given command in the current
166 context, or did not understand the arguments to the command. This
167 allows the protocol to be extended; a client or server can send a
168 command present or permitted only in new protocol versions, and if
169 an ERROR is received instead of an appropriate response, fall back
170 to using some other technique.
172 If an ERROR is sent, the server or client MUST continue as if the
173 command causing the ERROR had never been received.
175 Example of successful magic cookie authentication
178 (MAGIC_COOKIE is a made up mechanism)
180 C: AUTH MAGIC_COOKIE BsAY3g4gBNo=
184 Example of finding out mechanisms then picking one
188 S: REJECTED KERBEROS_V4 SKEY
189 C: AUTH SKEY bW9yZ2Fu
190 S: DATA OTUgUWE1ODMwOA==
191 C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
195 Example of client sends unknown command then falls back to regular auth
200 C: AUTH MAGIC_COOKIE BsAY3g4gBNo=
204 Example of server doesn't support initial auth mechanism
207 C: AUTH MAGIC_COOKIE BsAY3g4gBNo=
208 S: REJECTED KERBEROS_V4 SKEY
209 C: AUTH SKEY bW9yZ2Fu
210 S: DATA OTUgUWE1ODMwOA==
211 C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
215 Example of wrong password or the like followed by successful retry
218 C: AUTH MAGIC_COOKIE BsAY3g4gBNo=
219 S: REJECTED KERBEROS_V4 SKEY
220 C: AUTH SKEY bW9yZ2Fu
221 S: DATA OTUgUWE1ODMwOA==
222 C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
224 C: AUTH SKEY bW9yZ2Fu
225 S: DATA OTUgUWE1ODMwOA==
226 C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
230 Example of skey canceled and restarted
233 C: AUTH MAGIC_COOKIE BsAY3g4gBNo=
234 S: REJECTED KERBEROS_V4 SKEY
235 C: AUTH SKEY bW9yZ2Fu
236 S: DATA OTUgUWE1ODMwOA==
239 C: AUTH SKEY bW9yZ2Fu
240 S: DATA OTUgUWE1ODMwOA==
241 C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==