Re: Current semantics for channel-bindings in GSSAPI

To: Isaac Boukris <iboukris@gmail.com>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <5a606707-7d91-938c-ba4e-c238643575fb@samba.org>
Date: Tue, 10 Mar 2020 17:24:56 +0100
In-Reply-To: <CAC-fF8QXeMc4UhR2s+ttaYzYL07vTTteO1SkE6AuDiBjbZSpAA@mail.gmail.com>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Simo Sorce <simo@redhat.com>,
        Nico Williams <nico@cryptonector.com>
On 10.03.20 at 17:18, Isaac Boukris wrote:
> On Tue, Mar 10, 2020 at 4:54 PM Stefan Metzmacher <metze@samba.org> wrote:
>>
>> On 10.03.20 at 16:34, Isaac Boukris wrote:
>>> On Tue, Mar 10, 2020 at 4:23 PM Stefan Metzmacher <metze@samba.org> wrote:
>>>>
>>>> Hi Isaac,
>>>>
>>>>> As discussed last week, we want the following changes.
>>>>>
>>>>> - MIT should match Heimdal behavior and only error if client bindings
>>>>> are not all zeros.
>>>>> - Both Heimdal/MIT should return channel-bound flag if the bindings did match.
>>>>> - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
>>>>> present in authenticator, in which case if the server passed bindings
>>>>> they must match.
>>>>> - Both Heimdal/MIT should provide a conf option to assert the client
>>>>> system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
>>>>> sent in any ap-req.
>>>>>
>>>>> I submitted wip PR #1047 upstream MIT based on the above.
>>>>>
>>>>> @metze, would that satisfy samba's requirements?
>>>>
>>>> I looked briefly and the core changes look good,
>>>> but (as always :-) I think krb5.conf options alone are inflexible
>>>> and I'd really like to get rid of autogenerated krb5.conf files and
>>>> globally exporting "KRB5_CONFIG". So APIs to turn this on from the
>>>> application would be great.
>>>
>>> Ok, so we'd need a new cred-option to override it by the application.
>>
>> If we can agree on a way to implement that :-)
>>
>> Using gss_set_cred_option() would be the simplest solution,
>> but it got rejected for GSS_KRB5_CRED_NO_TRANSIT_CHECK_X.
>> Passing cred_store to gss_acquire_cred_from() would also work
>> and I'm not sure if/how gss_create_sec_context() +
>> gss_set_sec_context_option() would work.
>>
>> gss_set_sec_context_option() would be the most flexible way
>> and may be useful for more things I plan to implement.
>
> Honestly I'd say we can start with the krb5.conf option, I think it
> has value anyway as it allows to protect applications system-wide
> without the need to update them.

Yes, a global option should be there!

> Then eventually, use cred/context
> options to override it, as we decide.
>
> btw, as mentioned "off-list" Windows seems to skip channel-bindings
> check if the client omits the checksum altogether, even in level=2. I
> think it is a bug, and we shouldn't return channel-bound flag in that
> case.

I think your code is fine as it only sets cb_match = true if we did the
memcmp and the 16 bytes match exactly.

metze

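The acceptor-side rules discussed in this message (error only on non-zero mismatching client bindings, channel-bound flag only on an exact 16-byte match, KERB_AP_OPTIONS_CBT forcing a match when the acceptor supplied bindings), written out as an added illustration in C. This is not code from PR #1047, MIT krb5 or Heimdal; AP_OPTIONS_CBT is a placeholder bit, since the thread does not give the real flag value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Channel-binding hash carried in the AP-REQ authenticator checksum: 16 bytes. */
#define CB_LEN 16
/* Hypothetical bit standing in for KERB_AP_OPTIONS_CBT; the real value is not in the thread. */
#define AP_OPTIONS_CBT 0x1u

struct cb_decision {
    bool accept;        /* acceptor continues, or fails the context */
    bool channel_bound; /* acceptor reports the channel-bound flag to the application */
};

/*
 * client_cb:  16-byte binding hash from the authenticator, NULL if the client
 *             omitted the checksum altogether.
 * ap_options: AP options from the authenticator.
 * server_cb:  binding hash the acceptor application supplied, NULL if none.
 */
static struct cb_decision
evaluate_channel_bindings(const uint8_t *client_cb, uint32_t ap_options,
                          const uint8_t *server_cb)
{
    static const uint8_t zeros[CB_LEN] = { 0 };
    struct cb_decision d = { true, false };
    bool client_asserts_cbt = (ap_options & AP_OPTIONS_CBT) != 0;
    bool client_sent_nonzero = client_cb != NULL && memcmp(client_cb, zeros, CB_LEN) != 0;

    /* No acceptor bindings: nothing to compare, so never an error and never channel-bound. */
    if (server_cb == NULL)
        return d;

    /* cb_match only on an exact 16-byte comparison; an omitted checksum never matches. */
    if (client_cb != NULL && memcmp(client_cb, server_cb, CB_LEN) == 0) {
        d.channel_bound = true;
        return d;
    }

    /* Mismatch: fail only if the client sent non-zero bindings, or asserted CBT
     * support via the AP option (then the acceptor's bindings must match). */
    if (client_sent_nonzero || client_asserts_cbt)
        d.accept = false;
    return d;
}
```

Note that a client which omits the checksum and does not set the CBT option is accepted but never reported as channel-bound, which is the behaviour the message argues for.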
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev