Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the case for the authz_name. If I create a .k5login listing both username at REALM1 and username at REALM2, and make that file follow the appropriate security restrictions (world read, user only write permissions), this lets me use GSSAPI logins with principals from either REALM1 or REALM2. This leaves untouched the behavior in the case where krb5_kuserok is not available. Bryan Jacobs -------------- next part -------------- A non-text attachment was scrubbed... Name: userok.patch Type: text/x-patch Size: 2644 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20090303/4fe4b3ae/attachment-0004.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20090303/4fe4b3ae/attachment-0005.bin>
On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:> Changes it makes: > 1. When using krb5_kuserok, do not call gss_compare_name to check that > authn_name and authz_name are the same. Instead, make TWO calls to > krb5_kuserok, one for each ID. If both IDs are acceptable, allow the > login.Sounds good.> 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as > this doesn't appear to be always the case for the authz_name.Is there any downside to this check? Can something bad happen if it's not a principal name? I left the check there now for authn_name. Committed: http://hg.dovecot.org/dovecot-1.2/rev/ff6378d7b209 And then I noticed that the last equal_authn_authz check most likely shouldn't have been changed, so reversed it: http://hg.dovecot.org/dovecot-1.2/rev/601e0382b442 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20090313/d17b0531/attachment-0002.bin>
On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:> Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes > cross-realm GSSAPI authentication. > > Changes it makes: > 1. When using krb5_kuserok, do not call gss_compare_name to check that > authn_name and authz_name are the same. Instead, make TWO calls to > krb5_kuserok, one for each ID. If both IDs are acceptable, allow the > login.I'm just wondering. Is the authz_name check really necessary? Simplified, the code is basically: krb5_parse_name(ctx, username, &princ); ok = krb5_kuserok(ctx, princ, username); Are there really situations where the above code produces ok=FALSE? Also do you have any ideas why after your patch it fails here: http://dovecot.org/list/dovecot/2009-June/040672.html Maybe instead of always using krb5_userok() it's used only when authn_name != authz_name? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://dovecot.org/pipermail/dovecot/attachments/20090707/548f1886/attachment.bin
Apparently Analagous Threads
- GSSAPI cross-realm still broken
- authn_name and authz_name differ: not supported
- [PATCH] Support for GSSAPI SASL Mechanism
- Crossrealm Kerberos problems
- OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found