[20057] in Kerberos_V5_Development
Re: Current semantics for channel-bindings in GSSAPI
daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Tue Mar 10 11:24:08 2020
To: Isaac Boukris <iboukris@gmail.com>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <73d92c4b-ac14-b6ed-40ca-3c2ddc89dcc9@samba.org>
Date: Tue, 10 Mar 2020 16:23:35 +0100
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Simo Sorce <simo@redhat.com>,
Nico Williams <nico@cryptonector.com>
Hi Isaac,
> As discussed last week, we want the following changes.
>
> - MIT should match Heimdal behavior and only error if client bindings
> are not all zeros.
> - Both Heimdal/MIT should return channel-bound flag if the bindings did
> match.
> - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
> present in authenticator, in which case if the server passed bindings
> they must match.
> - Both Heimdal/MIT should provide a conf option to assert the client
> system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
> sent in any ap-req.
>
> I submitted wip PR #1047 upstream MIT based on the above.
>
> @metze, would that satisfy samba's requirements?
I looked briefly and the core changes look good,
but (as always :-) I think krb5.conf options alone are inflexible
and I'd really like to get rid of autogenerated krb5.conf files and
globally exporting "KRB5_CONFIG". So APIs to turn this on from the
application would be great.
metze
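The acceptor-side decision that the quoted list describes, written out as an added example (this is not code from the thread, MIT krb5 or Heimdal). The `Bnd` derivation follows RFC 1964 §1.1.1 as used by RFC 4121; the function and enum names, and the `tls-server-end-point` sample value, are constructed for the example.

```python
"""Acceptor-side GSSAPI channel-binding check with the semantics proposed in the thread."""
import hashlib
import struct
from enum import Enum, auto

GSS_C_AF_UNSPEC = 0          # "unspecified" address type from RFC 2744
NO_BINDINGS = b"\x00" * 16   # Bnd a client sends when it has no channel bindings


def rfc1964_bnd(init_addrtype, init_addr, acc_addrtype, acc_addr, app_data):
    """MD5 over the channel-bindings structure as RFC 1964 §1.1.1 lays it out:
    every addrtype and every length is a 4-octet little-endian integer,
    followed by the octets of the corresponding value."""
    def field(value):
        return struct.pack("<I", len(value)) + value
    data = (struct.pack("<I", init_addrtype) + field(init_addr)
            + struct.pack("<I", acc_addrtype) + field(acc_addr)
            + field(app_data))
    return hashlib.md5(data).digest()


class Verdict(Enum):
    ACCEPT = auto()                # context established, no channel-bound flag
    ACCEPT_CHANNEL_BOUND = auto()  # context established, channel-bound flag returned
    REJECT = auto()                # bindings mismatch, fail the AP-REQ


def evaluate(server_bnd, client_bnd, client_sent_cbt):
    """server_bnd: Bnd of the acceptor's own bindings, or None for GSS_C_NO_CHANNEL_BINDINGS.
    client_bnd: the 16-octet Bnd field from the authenticator checksum.
    client_sent_cbt: True when KERB_AP_OPTIONS_CBT was present in the authenticator."""
    if server_bnd is None:
        return Verdict.ACCEPT                 # acceptor has nothing to compare against
    if client_bnd == server_bnd:
        return Verdict.ACCEPT_CHANNEL_BOUND   # bindings matched: report channel-bound
    if client_sent_cbt:
        return Verdict.REJECT                 # client advertised CBT, so any mismatch is fatal
    if client_bnd == NO_BINDINGS:
        return Verdict.ACCEPT                 # legacy client without bindings (Heimdal behaviour)
    return Verdict.REJECT                     # client sent bindings and they differ


if __name__ == "__main__":
    # Constructed sample: tls-server-end-point binding carried in application_data.
    ep = rfc1964_bnd(GSS_C_AF_UNSPEC, b"", GSS_C_AF_UNSPEC, b"", b"tls-server-end-point:" + b"\x11" * 32)
    print(evaluate(ep, ep, False), evaluate(ep, NO_BINDINGS, False), evaluate(ep, NO_BINDINGS, True))
```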
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev