Skip Menu |
 

From krb5-bugs-incoming-bounces@PCH.mit.edu Fri Dec 11 04:20:52 2009
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 0C43ECCA06;
Fri, 11 Dec 2009 04:20:52 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBB4KpSA020970;
Thu, 10 Dec 2009 23:20:51 -0500
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBAKqKYn024748
for <krb5-bugs-incoming@PCH.mit.edu>; Thu, 10 Dec 2009 15:52:20 -0500
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU
[18.7.68.36])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
nBAKiZRX004448
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:52:33 -0500 (EST)
X-AuditID: 12074424-b7cfcae0000068a6-4f-4b215f636431
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
by (Symantec Brightmail Gateway) with SMTP id DA.E1.26790.36F512B4;
Thu, 10 Dec 2009 15:51:47 -0500 (EST)
Received: from int-mx03.intmail.prod.int.phx2.redhat.com
(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id nBAKpkhH028603
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:51:46 -0500
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id nBAKpjSp021132
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:51:46 -0500
Received: from blade.bos.redhat.com (localhost [127.0.0.1])
by blade.bos.redhat.com (8.14.3/8.14.3) with ESMTP id nBAKqBNj010077
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:52:11 -0500
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.3/8.14.3/Submit) id nBAKqBOt010076;
Thu, 10 Dec 2009 15:52:11 -0500
Date: Thu, 10 Dec 2009 15:52:11 -0500
Message-Id: <200912102052.nBAKqBOt010076@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: gss_krb5_copy_ccache() doesn't work with spnego delegation
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.42
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.16
X-Brightmail-Tracker: AAAAAxIFCWQSBQvfEgUL4A==
X-Spam-Score: 0.55
X-Spam-Flag: NO
X-Mailman-Approved-At: Thu, 10 Dec 2009 23:20:45 -0500
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


Show quoted text
>Submitter-Id: net
>Originator:
>Organization: Red Hat
>Confidential: no
>Synopsis: gss_krb5_copy_ccache() doesn't work with spnego delegation
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.7
>Environment:

System: Linux blade.bos.redhat.com 2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

Show quoted text
>Description:
We're seeing problems in mod_auth_kerb with firefox as its client, when
firefox is configured to delegate credentials and mod_auth_kerb is
configured to save them to disk. In these cases, mod_auth_kerb is
logging this error:

Cannot store delegated credential (gss_krb5_copy_ccache: An unsupported mechanism was requested (, Unknown error))

Firefox is careful to use spnego when it's attempting negotiate auth,
and other clients which aren't as careful (and which end up sending
Kerberos tokens) work as expected.

It looks like gss_krb5_copy_ccache() calls gssspi_set_cred_option()
with the spnego credential handle, and gssspi_set_cred_option() returns
GSS_S_BAD_MECH because the spnego mech doesn't provide a function
for it to use.

Show quoted text
>How-To-Repeat:
Configure a client which uses spnego (such as firefox) to delegate
credentials to a server which attempts to store delegated creds to
a Kerberos ccache, and attempt to authenticate to the service.

Show quoted text
>Fix:
This is one possible patch. It punts a set_cred_option() call down to
the mechanism for the first credential that we have whose mechanism
implements a set_cred_option() method. I'm not sure this is the
correct fix. If this is the right fix, we may also need to change
gssspi_set_cred_option() to keep going if it gets GSS_S_UNAVAILABLE
back from the mechanism-specific function, but then in cases where
there are multiple credentials, the mechanism of the first one might
not be the right one to use anyway.

Index: src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- src/lib/gssapi/spnego/gssapiP_spnego.h (revision 23461)
+++ src/lib/gssapi/spnego/gssapiP_spnego.h (working copy)
@@ -352,6 +352,15 @@
);

OM_uint32
+spnego_gss_set_cred_option
+(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value
+);
+
+OM_uint32
spnego_gss_set_sec_context_option
(
OM_uint32 *minor_status,
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c (revision 23461)
+++ src/lib/gssapi/spnego/spnego_mech.c (working copy)
@@ -250,7 +250,7 @@
spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */
spnego_gss_inquire_cred_by_oid, /* gss_inquire_cred_by_oid */
spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */
- NULL, /* gssspi_set_cred_option */
+ spnego_gss_set_cred_option, /* gssspi_set_cred_option */
NULL, /* gssspi_mech_invoke */
spnego_gss_wrap_aead,
spnego_gss_unwrap_aead,
@@ -2186,6 +2186,21 @@
}

OM_uint32
+spnego_gss_set_cred_option(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ OM_uint32 ret;
+ ret = gssspi_set_cred_option(minor_status,
+ cred_handle,
+ desired_object,
+ value);
+ return (ret);
+}
+
+OM_uint32
spnego_gss_set_sec_context_option(
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
From: ghudson@mit.edu
Subject: SVN Commit

Add a set_cred_option handler for SPNEGO which forwards to the
underlying mechanism. Fixes SPNEGO credential delegation in 1.7 and
copying of SPNEGO initiator creds in both 1.7 and trunk. Patch
provided by nalin@redhat.com.


https://github.com/krb5/krb5/commit/2da47f934a4f57cbc7006b7ba130424fab9d00a6
Commit By: ghudson
Revision: 23482
Changed Files:
U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U trunk/src/lib/gssapi/spnego/spnego_mech.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r23482 from trunk

------------------------------------------------------------------------
r23482 | ghudson | 2009-12-21 12:58:12 -0500 (Mon, 21 Dec 2009) | 9 lines

ticket: 6594
target_version: 1.7.1
tags: pullup

Add a set_cred_option handler for SPNEGO which forwards to the
underlying mechanism. Fixes SPNEGO credential delegation in 1.7 and
copying of SPNEGO initiator creds in both 1.7 and trunk. Patch
provided by nalin@redhat.com.

https://github.com/krb5/krb5/commit/4558e112d40096894ddce7cfd728159675625355
Commit By: tlyu
Revision: 23655
Changed Files:
U branches/krb5-1-7/src/lib/gssapi/spnego/gssapiP_spnego.h
U branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c