[Date Prev][Date Next]
Re: Disable GSSAPI confidentiality
On Fri, Dec 12, 2008 at 1:51 PM, Philip Guenther
> On Fri, 12 Dec 2008, Dan White wrote:
>> Jeremiah Martell wrote:
>> > Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
>> > it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
>> > authentication, and not confidentiality?
>> > In other words, just use GSSAPI to encrypt the authentication part,
>> > but not all subsequent searches, etc.
>> You can use SASL security properties to accomplish that.
>> dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
>> SASL/GSSAPI authentication started
>> SASL username: dwhite@EXAMPLE.NET
>> SASL SSF: 0
> Hmm, how about integrity checking? If you want/need to protect your
> connection from substitution attacks or TCP hijacking then you should
> specify a maxssf of one. The GSSAPI layer would then still carry a crypto
> hash of the data without encrypting it.
> Philip Guenther
Interesting. I wanted to do this because Microsoft servers complain
about redundant encryption.
If your GSSAPI provides confidentiality, and you're trying to use TLS,
they barf out this error:
Cannot start kerberos signing/sealing when using TLS/SSL
I just verified that if I set maxssf=0 like Dan said, it makes GSSAPI
not do confidentiality, and then when I use
TLS with GSSAPI, I don't get that error anymore.
I'll experiment with setting it to 1, but perhaps I'm already
protected by using TLS from the things you mentioned?
- Jeremiah Martell