-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cyrus-sasl can't gssapi + ldaps + maxssf=1 anymore? #419
Comments
Holy crap. Is this bug really from 2014? http://web.archive.org/web/20140725050152/https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480 |
2015? The bug says it was filed in 2011. ;)
|
On 02/14/2017 03:44 PM, Quanah Gibson-Mount wrote:
2015? The bug says it was filed in 2011. ;)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#419 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AWZUIyDg35wyC8fcC1N3dSOx_BGOXayRks5rcjxegaJpZM4L-S_F>.
Not wrt that bug (though it sure sounds familiar) but do we have to
learn to use git in order to pass fixes or
contributions upstream?
(I have a passel of man pages and a few possible bug fixes to contribute.)
…--
Jan Parcel, Developer Oracle Systems, SPARC & Solaris System Software
Engineering
|
I'm not part of the dev team, so couldn't say for sure, but my guess would be yes, you should spend the time to learn how to use git and how to create merge requests via github. But that's just a best guess. :) |
@ksmurchison Will this be addressed by the patch discussed in ML? |
Please attach the patch to this issue or create a pull request with the fix |
@ksmurchison I can't connect to the cyrus bugzilla where the patch is attached, it's not in the wayway back machine, and it doesn't appear to have been posted to the debian list discussion. Were the bugzilla attachments preserved when it was migrated to github? |
I thought the script that @brong used to migrate from bugzilla was supposed to preserve attachments. I will have to ask. |
@ksmurchison I will see if it is in the debian cyrus-sasl patch set as well |
Hm, I don't see a patch specifically referencing the debian bug. However, they do have 35 patches to the 2.1.26 source that may be worth reviewing. |
See that we had a lot of patches downstream in fedora which probably they are the same in debian that were already pushed to master |
@nacho I'm checking them now. The first one I checked is not currently committed into the SASL project. |
Pull requests would be greatly appreciated |
@ksmurchison Yep, as soon as I get a full list :) |
Commit that broke things was 080e51c |
@aamelnikov Can you give this a look? I also assigned a bunch of other GSSAPI/Kerberos bugs to you |
@quanah the patch is just a revert of 080e51c without the whitespace changes. [1] https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2015-April/002809.html |
@Jakuje Also, reading that response you linked to, it appears to say the code was RFC compliant w/o the patch as well... |
maxssf controls SSF provided by a combination of external SSF (e.g. TLS) and the mechanism SSF. If you are using ldaps, you are likely already getting 128+ SSF. So when you also include "maxssf=1", this means that GSSAPI can't satisfy the request, because external SSF (say 128) + mech ssf (say 0) > maxssf of 1. Basically GSSAPI can't comply with the request. So can you try "maxssf=N+1", where N is the TLS SSF (symmetric cipher strength)? There might be other problems with the patch, but at the moment what you are trying to do is not legal. |
@aamelnikov Your analysis is incorrect. The "-O" parameter to ldapsearch involves the SASL security strength layer, not the TLS security strength layer. ```
|
@ksmurchison any update on this? @aamelnikov seems nowhere to be found. The referenced email thread does not indicate that fixing this would be contrary to the specs. |
I talked to Ken and I am pretty sure that the proposed patch (to roll back an earlier change) is incorrect.
(*) The way how (max_ssf - external_ssf) < 0 is handled in different plugins is not entirely consistent and it might result in ssf = 0 in some, while others might stop working altogether. This is something that needs fixing in Cyrus SASL, but that is definitely to the fix suggested in this thread.
I suspect that no SASL security layer is negotiated for max_ssf = 1 + ldaps, which means that the code is not working as you expect anyway. Having said that, I don't claim that the code is perfect or even that is working as intended. In order to make progress on this issue I will need some help from people, in particular, I will need the following information: Some confirmation on whether external SSF is non 0 (I can provide a debug patch for this). |
We have some automated tests against older version of cyrus-sasl and some MSADs, but I am not sure if I tested the latest rc with the patch reverted or not. |
I am sorry for delay. I finally built the latest snapshot, but I am hitting some other issues with cyrus-sasl in the tests so I will have to investigate it further what is going on. |
Unfortunately I can confirm that the old version we have in Fedora works fine against ADs, but not the latest rc7 (unless I revert the commit 080e51c). I can only say that the committed change did not fix the problem we encountered. I will try to investigate more what went wrong if I will be able to figure out more, but I can't promise anything. Unfortunately, the test case itself would not be helpful since it depends on internal AD servers we test against. But the test does not involve anything more complicated than a ldapsearch:
The connection does not work regardless the |
@Jakuje Thanks for the confirmation that this problem is not fixed, as suspected. |
Sorry, I had partially bad look, but the result is that it does not work flawlessly "as before". The test is running various maxssf values against various servers (IPA, AD), probably with different versions. I would have to look into that further For IPA2 server (probably RHEL7?), it works flawlessly All the others i see failures with
The tested values I am not completely sure how to interpret these results, since it is change from previous versions, but "reasonable" values seems to work. What do you think? |
On 2/13/2018 9:39 AM, Jakub Jelen wrote:
Sorry, I had partially bad look, but the result is that it does not
work flawlessly "as before". The test is running various maxssf values
against various servers (IPA, AD), probably with different versions. I
would have to look into that further
For IPA2 server (probably RHEL7?), it works flawlessly
All the others i see failures with |maxssf=0| and |maxssf=4294967296|
(bogus large enough value?). The error now looks this way:
|SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local
error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: A
required input parameter could not be read (Unknown error) |
The tested values |maxssf=1| and |maxssf=56| work fine in all the
cases that I tested.
I am not completely sure how to interpret these results, since it is
change from previous versions, but "reasonable" values seems to work.
What do you think?
I would expect a check of the value and an explicit error message saying
what the limit is and that it exceeded that limit.
…
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#419 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AWZUI0QfjXE84Jj-HFT2aH03gBv4WgDlks5tUcjlgaJpZM4L-S_F>.
--
Jan Parcel, Software Developer
Oracle Systems Server & Cloud Engineering
|
With 1932 maj_stat = gss_unwrap(&min_stat, I did not go deeper into the gssapi code to investigate further. I have the test system if you would have some ideas what more I can try. |
See the response in #433 (comment) |
So let's revert this change finally, and do a release? Or is there any more feedback needed? Or shall we also work on addressing the referenced FIX ME? |
…ssed to gss_init_sec_context()) - Issue #419
This can be closed now, right @ksmurchison ? Since 2.1.27 has released with your commit. ;) |
@ksmurchison Just stumbled upon this. With e41cfb9 reverting 080e51c https://github.com/cyrusimap/cyrus-sasl/blob/master/plugins/gssapi.c#L1762-L1774 does not comply with RFC 4752, section 3.1:
anymore. |
@michael-o Please read the full discussion. This was already referenced in the ticket, but again: https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2015-April/002809.html This was also discussed directly with the Heimdal Kerberos team and Ken Hornstein at the time this was being reviewed to confirm that this code change does in fact comply with the RFC. |
@quanah I have read the entire thread again, all linked tickets as well as Ken Hornstein's mail. I do not understand his argumentation, it does not necessary mean that it is wrong, but it lacks description why his interpretation (!) of the RFC is not wrong. From a pure POV, leaving
Note the external SSF. |
@michael-o Please see #433 (comment) as well. |
@quanah I have read that one too. I do not fully understand what you are trying to say with that. If we put aside that SASL must check flags after the context is established, I only partially agree that |
Just to comment - RFC4752 is a bit strange here. In 3.3 we see there are only 3 defined flags on the wire:
and yet the API has 4 flags
And the mutual auth and sequence req flags don't correspond to anything in the on-the-wire At any rate, it is clear that the original intent was to allow the authentication to proceed without using integrity checks (otherwise no bitflag for integrity would be needed on the wire) so the section 3.1 text requiring integ_req_flag to always be TRUE must be erroneous. It does not appear that this has been noted in any official errata yet. https://www.rfc-editor.org/errata/rfc4752 The on-the-wire flags don't really make sense as defined; the intent is that you can specify no security layer, integrity-check-only, or integrity+confidentiality. I.e., this should be a two-bit enum, not a bitmask at all. Using a bitmask indicates that integrity and confidentiality may be selected independently but that's not in fact what is intended. |
@hyc mutual and out of sequence detection do not require any wrapping/unwrapping. You still have three: none, auth-int and auth-conf (implies auth-int). |
@michael-o sorry, edited my comment further, please see updated comment. |
Also note that the previous version of the RFC, RFC2222 section 7.2.1 didn't give any requirements on flags to use. Anyway, since the mechanisms are specifically intended to allow operating without an integrity layer, I'll reiterate that this part of RFC4752 section 3.1 is simply wrong and should be disregarded. |
@hyc If you think they are wrong, discuss this with Alexey Melnikov and request and updated RFC. |
@aamelnikov has participated on this ticket, he should already have been pinged. |
@hyc I don't see how the RFC implies a bitmask. For me it is an enum. either or. At some point in time Microsoft's SASL implementation interpreted this as a bitmask and required both bits int and conf to be set. I remember patching SASL for this for a colleague to avoid event on the domain controller. I think this issue has been resolved in never Windows Server versions. |
@michael-o Don't waste my time. The RFC says explicitly "The security layers and their corresponding bit-masks are as follows:" - it is explicit, not implied. |
And you believe it makes sense to set off and auth-conf atvthe same time? That's nonsense. It is just bad wording requiring some errata. |
@michael-o Now you're just repeating what I already said. #419 (comment) But it is not merely bad wording - this is the description of the on-the-wire format, which means any changes made here will break compatibility with any existing software. You have demonstrated that you're unable to read carefully enough to follow this conversation, and unable to reason well enough to participate. Please go away. |
@hyc Up, up, and away I am. |
The following command fails with cyrus-sasl 2.1.26:
Whereas it works fine in cyrus-sasl 2.1.23.
Is there somewhere I can submit proper logs and get advice on debugging this? Is there any chance this is a known issue with a workaround? Thanks.
The text was updated successfully, but these errors were encountered: