Re: ssf Security Question

[Quanah Gibson-Mount <quanah@symas.com>]

--On Friday, November 17, 2017 12:53 PM +1000 William Brown 
<wibrown@redhat.com> wrote:

Hi William,

> Hey mate,
>
> Just want to point out there are some security risks with ssf settings.
> I have documented these here:
>
> https://fy.blackhats.net.au/blog/html/2016/11/23/the_minssf_trap.html
>
> This is a flaw in the ldap protocol and can never be resolved without
> breaking the standard. The issue is that by the time the ssf check is
> done, you have already cleartexted sensitive material.

I think what you mean is: There is no way with startTLS to prevent possible 
leakage of credentials when using simple binds. ;)  Your blog certainly 
covers this concept well, but just wanted to be very clear on what the 
actual issue is. ;)  I've been rather unhappy about this for a long time as 
well, and have had a discussion going on the openldap-devel list about 
LDAPv4 and breaking backwards compatibility to fix this protocol bug.

Another note -- The reason GSSAPI shows up as an SSF of 56 is because it 
has been hard coded that way in cyrus-sasl.  Starting with cyrus-sasl 
version 2.1.27, which is near release, the actual SASL SSF is finally 
passed back into the caller.  It may be worthwhile noting this in your blog 
post. ;)

Warm regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>