[20062] in Kerberos_V5_Development


Re: Current semantics for channel-bindings in GSSAPI

daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Tue Mar 10 12:55:46 2020

To: Isaac Boukris <iboukris@gmail.com>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <a020fdcd-d8fc-f08d-4059-bdcb87407454@samba.org>
Date: Tue, 10 Mar 2020 16:54:07 +0100
In-Reply-To: <CAC-fF8RMQCFbLSZ=dBqpOuPSxGtpP=CBAYo_pA--M90pqwcDsw@mail.gmail.com>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Simo Sorce <simo@redhat.com>,
        Nico Williams <nico@cryptonector.com>

On 10.03.20 at 16:34, Isaac Boukris wrote:
> On Tue, Mar 10, 2020 at 4:23 PM Stefan Metzmacher <metze@samba.org> wrote:
>>
>> Hi Isaac,
>>
>>> As discussed last week, we want the following changes.
>>>
>>> - MIT should match Heimdal behavior and only error if client bindings
>>> are not all zeros.
>>> - Both Heimdal/MIT should return channel-bound flag if the bindings did match.
>>> - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
>>> present in authenticator, in which case if the server passed bindings
>>> they must match.
>>> - Both Heimdal/MIT should provide a conf option to assert the client
>>> system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
>>> sent in any ap-req.
>>>
>>> I submitted wip PR #1047 upstream MIT based on the above.
>>>
>>> @metze, would that satisfy samba's requirements?
>>
>> I looked briefly and the core changes look good,
>> but (as always :-) I think krb5.conf options alone are inflexible
>> and I'd really like to get rid of autogenerated krb5.conf files and
>> globally exporting "KRB5_CONFIG". So APIs to turn this on from the
>> application would be great.
>
> Ok, so we'd need a new cred-option to override it by the application.

If we can agree on a way to implement that :-)

Using gss_set_cred_option() would be the simplest solution,
but it got rejected for GSS_KRB5_CRED_NO_TRANSIT_CHECK_X.
Passing cred_store to gss_acquire_cred_from() would also work
and I'm not sure if/how gss_create_sec_context() +
gss_set_sec_context_option() would work.

gss_set_sec_context_option() would be the most flexible way
and may be useful for more things I plan to implement.

metze
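The acceptor-side semantics listed in the quoted message (tolerate all-zero client bindings, report a channel-bound context on a match, require a match when KERB_AP_OPTIONS_CBT was sent), combined into one decision function. This is an added illustration, not MIT krb5 or Heimdal code; the function name, the verdict enum and the sample digests are assumptions, and both channel-binding digests are taken as ready-made 16-byte inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The authenticator checksum carries a 16-octet MD5 of the channel bindings
 * (RFC 4121, section 4.1.1); both digests are taken as ready-made input here. */
#define CB_HASH_LEN 16

typedef enum {
    CB_REJECT,          /* bindings mismatch: fail the AP-REQ */
    CB_ACCEPT_UNBOUND,  /* accept, but do not report a channel-bound context */
    CB_ACCEPT_BOUND     /* accept and set the channel-bound flag */
} cb_verdict;

/* Hypothetical acceptor-side decision, not MIT or Heimdal code.
 *   client_cb:  digest from the authenticator (all zeros = client sent none)
 *   client_cbt: KERB_AP_OPTIONS_CBT was present in the authenticator
 *   server_cb:  digest of the bindings the acceptor application passed,
 *               or NULL when it passed none */
cb_verdict check_channel_bindings(const uint8_t client_cb[CB_HASH_LEN],
                                  bool client_cbt, const uint8_t *server_cb)
{
    static const uint8_t zeros[CB_HASH_LEN] = {0};
    if (server_cb == NULL)
        return CB_ACCEPT_UNBOUND;   /* nothing to compare against */
    if (memcmp(client_cb, server_cb, CB_HASH_LEN) == 0)
        return CB_ACCEPT_BOUND;     /* bindings did match: report it */
    /* Mismatch.  All-zero client bindings without KERB_AP_OPTIONS_CBT are
     * tolerated (the Heimdal behaviour MIT is to match); with the option
     * set, the bindings must match. */
    if (!client_cbt && memcmp(client_cb, zeros, CB_HASH_LEN) == 0)
        return CB_ACCEPT_UNBOUND;
    return CB_REJECT;
}

/* Constructed sample digests (not real MD5 output). */
const uint8_t sample_server_cb[CB_HASH_LEN] = {0xAA, 0xBB, 0xCC, 0xDD};
const uint8_t sample_zero_cb[CB_HASH_LEN]   = {0};
const uint8_t sample_other_cb[CB_HASH_LEN]  = {0x11, 0x22, 0x33, 0x44};

int main(void)
{
    printf("zeros, no CBT -> %d\n",
           check_channel_bindings(sample_zero_cb, false, sample_server_cb));
    printf("zeros, CBT    -> %d\n",
           check_channel_bindings(sample_zero_cb, true, sample_server_cb));
    return 0;
}
```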
