[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Disable GSSAPI confidentiality

On Fri, Dec 12, 2008 at 1:51 PM, Philip Guenther
<guenther+ldapsoft@sendmail.com> wrote:
> On Fri, 12 Dec 2008, Dan White wrote:
>> Jeremiah Martell wrote:
>> > Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
>> > it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
>> > authentication, and not confidentiality?
>> >
>> > In other words, just use GSSAPI to encrypt the authentication part,
>> > but not all subsequent searches, etc.
>> You can use SASL security properties to accomplish that.
> ...
>> dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
>> SASL/GSSAPI authentication started
>> SASL username: dwhite@EXAMPLE.NET
>> SASL SSF: 0
>> dn:uid=dwhite@example.net,ou=people,dc=example,dc=net
> Hmm, how about integrity checking?  If you want/need to protect your
> connection from substitution attacks or TCP hijacking then you should
> specify a maxssf of one.  The GSSAPI layer would then still carry a crypto
> hash of the data without encrypting it.
> Philip Guenther

Interesting. I wanted to do this because Microsoft servers complain
about redundant encryption.

If your GSSAPI provides confidentiality, and you're trying to use TLS,
they barf out this error:
Cannot start kerberos signing/sealing when using TLS/SSL

I just verified that if I set maxssf=0 like Dan said, it makes GSSAPI
not do confidentiality, and then when I use
TLS with GSSAPI, I don't get that error anymore.

I'll experiment with setting it to 1, but perhaps I'm already
protected by using TLS from the things you mentioned?

- Jeremiah Martell