From: Arlene Berry <aberry@likewise.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: krb5 and ldap signed traffic
Date: Sat, 23 Jul 2011 00:21:44 +0000
Microsoft has a GSS-SPNEGO SASL method for LDAP. It looks at whether GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG are requested in the AP_REQ to determine the message protection level. If you don't want all of your LDAP traffic to be encrypted then you can't hardcode the flags in the AP_REQ.

Index: src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- src/lib/gssapi/krb5/init_sec_context.c (revision 25023)
+++ src/lib/gssapi/krb5/init_sec_context.c (working copy)
@@ -587,9 +587,9 @@
}

ctx->initiate = 1;
- ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
- GSS_C_TRANS_FLAG |
+ ctx->gss_flags = (GSS_C_TRANS_FLAG |
((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
+ GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG |
GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
GSS_C_EXTENDED_ERROR_FLAG)));
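Review bot: the change to ctx->gss_flags is unconditional, so every krb5 initiator that never passed GSS_C_INTEG_FLAG or GSS_C_CONF_FLAG in req_flags stops asserting them in its tokens, not only the GSS-SPNEGO LDAP case the cover note targets; existing callers that rely on the mech asserting those flags on their behalf would silently lose them. Consider gating the new behaviour on an opt-in set on the initiator cred (Heimdal's GSS_KRB5_CRED_NO_CI_FLAGS_X is the natural one) and keeping `GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG` in the always-set portion by default.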
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c (revision 25023)
+++ src/lib/gssapi/spnego/spnego_mech.c (working copy)
@@ -842,7 +842,7 @@
&sc->ctx_handle,
target_name,
sc->internal_mech,
- (req_flags | GSS_C_INTEG_FLAG),
+ req_flags,
time_req,
GSS_C_NO_CHANNEL_BINDINGS,
mechtok_in,
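Review bot: dropping `| GSS_C_INTEG_FLAG` from the inner gss_init_sec_context call changes behaviour for every SPNEGO initiator, and the integrity flag is what lets SPNEGO compute and verify the mechListMIC that protects the negotiated mechanism list (RFC 4178). Make the omission conditional on the same cred option as the krb5 change rather than unconditional, and add a test that covers both the default path and the opt-in path.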
There doesn't appear to be a spec for this SASL mechanism, but Simo
found a reference informally explaining it:

https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575

As described in the second message, this non-standard SASL mechanism
omits the usual wrap exchange after the GSS context is established.
As a result, it does not support authzids, does not negotiate a
maximum message size, and implicitly negotiates a security layer
based on the GSS flags asserted by the client. There does not appear
to be any way for the server to disclaim support for a security
layer, so if the client asserts GSS flags the server doesn't want to
support, the server has no alternative but to reject the connection.

I think this is sufficient justification for supporting Heimdal's
interface to control the flags asserted by the krb5 mech.
https://github.com/krb5/krb5/pull/283 is the pull request for doing
this.
From: ghudson@mit.edu
Subject: git commit

Implement GSS_KRB5_CRED_NO_CI_FLAGS_X cred option

Microsoft implements GSS-SPNEGO, a non-standard SASL mechanism which
omits the usual wrap exchange after the GSS context is established.
As a result, it does not support authzids, does not negotiate a
maximum message size, and implicitly negotiates a security layer based
on the GSS flags asserted by the client. If the client asserts GSS
flags corresponding to a security layer the server can't support, the
server has no recourse except to reject the connection.

Implement Heimdal's GSS_KRB5_CRED_NO_CI_FLAGS_X cred option. When set
on an initiator cred, do not assert the confidentiality and integrity
flags in initiator tokens unless they were requested by the caller.

Our SPNEGO mechanism always requests integrity from the underlying
mechanism, which limits the utility of this option. That issue will
be addressed in the future; even if it isn't, Samba currently uses its
own SPNEGO implementation, so can benefit from the cred option in
krb5.

[ghudson@mit.edu: expand GSS_KRB5_CRED_NO_CI_FLAGS_X comment, edit
commit message, use a boolean cred field]

https://github.com/krb5/krb5/commit/7e6965ae33338216650384ca559d49e90312087a
Author: Andreas Schneider <asn@samba.org>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 7e6965ae33338216650384ca559d49e90312087a
Branch: master
src/lib/gssapi/krb5/acquire_cred.c | 1 +
src/lib/gssapi/krb5/gssapiP_krb5.h | 1 +
src/lib/gssapi/krb5/gssapi_krb5.c | 24 ++++++++++++++++++++++++
src/lib/gssapi/krb5/gssapi_krb5.h | 10 ++++++++++
src/lib/gssapi/krb5/init_sec_context.c | 14 ++++++++------
src/lib/gssapi/libgssapi_krb5.exports | 1 +
src/lib/gssapi32.def | 2 ++
7 files changed, 47 insertions(+), 6 deletions(-)
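The flag logic described in the commit message above and in the earlier reply (the client's asserted GSS flags imply the GSS-SPNEGO security layer, and the server can only accept or reject what is implied) as an added C model. This is not krb5 code and does not link against libgssapi: the flag values are copied from RFC 2744 and MIT's gssapi.h, the AP-REQ/token encoding is left out, and the cred option is modelled as a plain boolean that both the SPNEGO and krb5 layers see (an assumption about how the option propagates from the SPNEGO cred to the inner krb5 cred).

```c
/* Added stand-alone model of the GSS-SPNEGO flag chain:
 *   caller req_flags -> SPNEGO inner request -> krb5 asserted flags
 *   -> security layer the LDAP server infers -> accept or reject.
 * Not krb5 code; does not link against libgssapi. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t OM_uint32;

/* Flag values from RFC 2744; the last three are MIT extensions. */
#define GSS_C_DELEG_FLAG             1
#define GSS_C_MUTUAL_FLAG            2
#define GSS_C_REPLAY_FLAG            4
#define GSS_C_SEQUENCE_FLAG          8
#define GSS_C_CONF_FLAG             16
#define GSS_C_INTEG_FLAG            32
#define GSS_C_TRANS_FLAG           256
#define GSS_C_DCE_STYLE         0x1000
#define GSS_C_IDENTIFY_FLAG     0x2000
#define GSS_C_EXTENDED_ERROR_FLAG 0x4000

/* Flags the krb5 mech copies through from req_flags unchanged. */
#define KRB5_PASSTHROUGH_MASK (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |   \
                               GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG |  \
                               GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |   \
                               GSS_C_EXTENDED_ERROR_FLAG)

/* Flags the krb5 mech asserts in its initiator token. By default it
 * always asserts INTEG and CONF; with the no-CI-flags cred option
 * (modelled as a boolean) it asserts them only if the caller asked. */
OM_uint32 krb5_asserted_flags(OM_uint32 req_flags, bool no_ci_flags)
{
    OM_uint32 flags = GSS_C_TRANS_FLAG | (req_flags & KRB5_PASSTHROUGH_MASK);
    if (no_ci_flags)
        flags |= req_flags & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG);
    else
        flags |= GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG;
    return flags;
}

/* What SPNEGO requests from the inner mechanism: it adds INTEG for the
 * mechListMIC unless the cred carries the no-CI-flags option. */
OM_uint32 spnego_inner_req_flags(OM_uint32 req_flags, bool no_ci_flags)
{
    return no_ci_flags ? req_flags : (req_flags | GSS_C_INTEG_FLAG);
}

/* Security layer a GSS-SPNEGO LDAP server infers from the asserted
 * flags; there is no wrap exchange in which to negotiate it. */
typedef enum { LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY } sasl_layer;

sasl_layer implied_layer(OM_uint32 asserted)
{
    if (asserted & GSS_C_CONF_FLAG)
        return LAYER_CONFIDENTIALITY;
    if (asserted & GSS_C_INTEG_FLAG)
        return LAYER_INTEGRITY;
    return LAYER_NONE;
}

/* Whole chain for one caller request. */
sasl_layer negotiated_layer(OM_uint32 caller_req, bool no_ci_flags)
{
    OM_uint32 inner = spnego_inner_req_flags(caller_req, no_ci_flags);
    return implied_layer(krb5_asserted_flags(inner, no_ci_flags));
}

/* The server cannot disclaim a layer, so its only options are to accept
 * the implied layer or reject the connection. */
bool server_accepts(OM_uint32 asserted, sasl_layer server_max)
{
    return implied_layer(asserted) <= server_max;
}

static const char *layer_name(sasl_layer l)
{
    return l == LAYER_NONE ? "none" :
           l == LAYER_INTEGRITY ? "integrity" : "confidentiality";
}

int main(void)
{
    /* Constructed caller requests: mutual auth only, and mutual + integrity. */
    OM_uint32 reqs[] = { GSS_C_MUTUAL_FLAG, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG };
    for (int i = 0; i < 2; i++) {
        printf("req_flags=0x%x default option: %s, no-CI-flags option: %s\n",
               reqs[i], layer_name(negotiated_layer(reqs[i], false)),
               layer_name(negotiated_layer(reqs[i], true)));
    }
    return 0;
}
```

With the default behaviour every request ends up implying confidentiality, which is exactly the case the reporter hit: a server that only wants to offer an integrity layer, or none, has to reject. With the cred option set the implied layer follows what the caller actually requested.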
From: ghudson@mit.edu
Subject: git commit

Add tests for GSS_KRB5_CRED_NO_CI_FLAGS_X

https://github.com/krb5/krb5/commit/c1887eda950dfd84696f4f9bab9098f0bf1fd3c0
Author: Greg Hudson <ghudson@mit.edu>
Commit: c1887eda950dfd84696f4f9bab9098f0bf1fd3c0
Branch: master
.gitignore | 1 +
src/tests/gssapi/Makefile.in | 44 ++++++++-------
src/tests/gssapi/t_ciflags.c | 122 ++++++++++++++++++++++++++++++++++++++++++
src/tests/gssapi/t_gssapi.py | 3 +
4 files changed, 150 insertions(+), 20 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Implement GSS_KRB5_CRED_NO_CI_FLAGS_X for SPNEGO

In the SPNEGO mechanism, if we see the GSS_KRB5_CRED_NO_CI_FLAGS_X
option, do not explicitly ask for the integrity flag from underlying
mechanisms. Adjust t_ciflags.c to match the new behavior, and add a
SPNEGO test using a normal initiator cred.

[ghudson@mit.edu: adjust style; fix tests here instead of in a
subsequent commit; clarify commit message]

https://github.com/krb5/krb5/commit/cf39ed349976908626cad3e05e17788f8334bce9
Author: Andreas Schneider <asn@samba.org>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: cf39ed349976908626cad3e05e17788f8334bce9
Branch: master
src/lib/gssapi/spnego/gssapiP_spnego.h | 1 +
src/lib/gssapi/spnego/spnego_mech.c | 25 ++++++++++++++++++++++---
src/tests/gssapi/t_ciflags.c | 10 ++++------
3 files changed, 27 insertions(+), 9 deletions(-)