[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos/GSSAPI issues

To: Russ Allbery <rra@stanford.edu>
Subject: Re: Kerberos/GSSAPI issues
From: Brian Candler <B.Candler@pobox.com>
Date: Thu, 30 Dec 2010 12:14:04 +0000
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:message-id:references:mime-version:content-type :in-reply-to; s=sasl; bh=luXWU5SeoMQOYr8nsYIOWseeEqc=; b=MWzAGrW ghGp2H2h58r3wyH21wp7BpkPt/Z4mCoaG2EXaFGVa4cWn/vhNYMVzcww4br/p/pm CNcEUy8t3QaPhpeZCFF2mXs+q1sbupTV8oEW8MI5h+Hnzppi6cQaB4GC3R0UyWP2 pJ5Byh3DxaCTnU619bWssLskOPsheXYb7xmo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=date:from:to:cc :subject:message-id:references:mime-version:content-type :in-reply-to; q=dns; s=sasl; b=AVNKAbLM1MVBd9qjuussdRiwbMxewtIik 5Mp3ZtlL7GZvkwi0YfOhv4g4l0my6WPcuIuIvaBa6KGjEHxxJODWjg3bq5jN++uE cZmdwiaeOLXoYJOt53ejE+V1ug9P0GyDI40nILUFmjC0uybeMHnI6ELEQ1IUED3t KazeIvxO4M=
In-reply-to: <87aajojv87.fsf@windlord.stanford.edu>
References: <20101228092656.GA4437@talktalkplc.com> <4D1A6498.1000402@symas.com> <20101229174005.GC4113@talktalkplc.com> <87aajojv87.fsf@windlord.stanford.edu>
User-agent: Mutt/1.5.20 (2009-06-14)

On Wed, Dec 29, 2010 at 10:21:28AM -0800, Russ Allbery wrote:
> > My understanding is that modern kerberos apps should just try all keys in
> > the keytab until they find one which decrypts the ticket.
> > http://mailman.mit.edu/pipermail/kerberos/2010-December/016797.html
> 
> Cyrus SASL doesn't.  This is a long-standing bug in Cyrus SASL that we
> patch locally at Stanford.  (It's a simple one-line patch.)  It really
> needs to be fixed upstream in Cyrus SASL.

Have you got the one-line patch? Is there a ticket open for it upstream?

> > But in any case, shouldn't it use olcSaslRealm in preference to the
> > krb5.conf default realm? (I'd expect the default realm to be used if
> > olcSaslRealm were empty though)
> 
> I don't believe there's any way to pass that information down into Cyrus
> SASL, so there isn't anything OpenLDAP can do.  Cyrus SASL forces using
> the hostname unless you patch it to not be stupid.

I don't mind SASL using the hostname (I'd expect olcSaslHost to take
preference, but haven't tested this (*)).  It bothers me a bit that it
ignores the olcSaslRealm and just picks the default realm instead.

What bothers me greatly is that when a client connects the Kerberos realm is
lost, and olcSaslRealm is being pasted in unconditionally for authorization. 
This to me seems like a huge security hole: superuser@FOREIGN.REALM is
currently treated the same as superuser@LOCAL.REALM in ACLs.

Regards,

Brian.

(*) But testing does suggest that clients canonicalise the hostname.  I have
pointed them to ldap.ws.nsrc.org, but they get a ticket for noc.ws.nsrc.org
(which is the name which the reverse DNS points to)

References:
- Kerberos/GSSAPI issues
  - From: Brian Candler <B.Candler@pobox.com>
- Re: Kerberos/GSSAPI issues
  - From: Howard Chu <hyc@symas.com>
- Re: Kerberos/GSSAPI issues
  - From: Brian Candler <B.Candler@pobox.com>
- Re: Kerberos/GSSAPI issues
  - From: Russ Allbery <rra@stanford.edu>

Prev by Date: Is attribute options supported?
Next by Date: Re: Is attribute options supported?
Index(es):
- Chronological
- Thread