If you run memcached in a mostly trusted network, such as within a cloud or a corporate internal cloud, you might want to restrict access to the service.
SASL is not implemented as end-to-end encryption. While it can help restrict access to the daemon, it does not hide communications and isn't suitable for use over the internet.
In order to deploy memcached with SASL, you'll need two things:
- A memcached server with SASL support (version 1.4.3 or greater built with
- A client that supports SASL
  - The server side has to support the authentication mechanism the client is using; some clients only support `plain`, while an OS may not provide a library/package that supports `plain`, at least not by default.
For the most part, you just do the normal SASL admin stuff.
```
# Create a user for memcached.
saslpasswd2 -a memcached -c cacheuser
```
In order to enable SASL support in the server you must use the `-S` flag. The `-S` flag does a few things:
- Enable all of the SASL commands.
- Require binary protocol only.
- Require authentication to have been successful before commands may be issued on a connection.
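
What the `-S` requirements look like on the wire, as an added example (not code from the memcached project): it builds a binary-protocol SASL `PLAIN` auth request and recognises the auth-error reply to a command sent before authentication. The opcode and status values are those of memcached's binary protocol; the function names and the sample reply are constructed for this illustration.

```python
import struct

# Constants from memcached's binary protocol.
REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_GET, OP_SASL_AUTH = 0x00, 0x21
STATUS_OK, STATUS_AUTH_ERROR = 0x0000, 0x0020
HEADER = struct.Struct("!BBHBBHIIQ")  # 24-byte request/response header


def build_request(opcode, key=b"", value=b"", opaque=0):
    """Pack one binary-protocol request: header, then key, then value."""
    header = HEADER.pack(REQ_MAGIC, opcode, len(key), 0, 0, 0,
                         len(key) + len(value), opaque, 0)
    return header + key + value


def sasl_plain_request(user, password):
    """SASL Auth request: the key is the mechanism name, the value is the
    RFC 4616 PLAIN message (empty authzid, NUL, user, NUL, password)."""
    message = b"\0" + user.encode() + b"\0" + password.encode()
    return build_request(OP_SASL_AUTH, key=b"PLAIN", value=message)


def parse_response(data):
    """Return (opcode, status, body) for one complete response."""
    if len(data) < HEADER.size:
        raise ValueError("short response header")
    magic, opcode, _, _, _, status, body_len, _, _ = HEADER.unpack_from(data)
    if magic != RES_MAGIC:
        raise ValueError("not a binary-protocol response")
    body = data[HEADER.size:HEADER.size + body_len]
    if len(body) != body_len:
        raise ValueError("truncated response body")
    return opcode, status, body


def auth_enforced(get_response):
    """True if the reply to an unauthenticated GET is an auth error."""
    opcode, status, _ = parse_response(get_response)
    return opcode == OP_GET and status == STATUS_AUTH_ERROR


# Constructed sample: reply to a GET issued before SASL Auth on a -S server.
_BODY = b"Auth failure."  # constructed body text
SAMPLE_REJECT = HEADER.pack(RES_MAGIC, OP_GET, 0, 0, 0, STATUS_AUTH_ERROR,
                            len(_BODY), 0, 0) + _BODY
```

Because `PLAIN` places the password in the request value unencrypted, this is the traffic the note above about SASL not hiding communications refers to.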
SASL how to FAQ
Q.) How can I check if the memcached server I have is built with SASL support?
- A.) You can see if the command line help lists the option:

  ```
  -S, --enable-sasl turn on Sasl authentication
  ```
- A.) You can run the server in verbose mode, for example:

  ```
  > memcached -S -vvvv
  Reading configuration from: <...memcached.conf>
  Initialized SASL.
  ```
- A.) On Linux you can check if it links against a SASL library, for example:

  ```
  > ldd `which memcached` | grep -i sasl
  libsasl2.so.3 => /lib64/libsasl2.so.3
  ```
Q.) The configure option `--enable-sasl-pwdb` is not working
Q.) Plain auth is not working, why not?
- A.) Does running memcached with the `-vvvv` option provide any useful messages?
- A.) Check you have the SASL lib that implements it installed, for example `/usr/lib64/sasl2/libplain.so` provided by the RPM
- A.) Check the password file is owned by and only readable by the user running memcached.
- A.) Check that the username the client is using matches that used in the password file,
note that sometimes the client hostname is postfixed to the username with an @, so
Read more about memcached's SASL auth protocol. https://github.com/memcached/memcached/wiki/ReleaseNotes145#sasl_pwdb-for-more-simple-auth-deployments