GSS-SPNEGO Re: Cyrus-sasl Digest, Vol 136, Issue 10

Jan Parcel jan.parcel at oracle.com
Wed Feb 22 13:12:38 EST 2017


On 02/22/2017 09:00 AM, cyrus-sasl-request at lists.andrew.cmu.edu wrote:
> Today's Topics:
>
>     1. Re: Is anyone using GSS-SPNEGO in cyrus-sasl? (Ken Murchison)
We are shipping it enable-able in that libsasl2 will find it in .h 
files, but I doubt if anyone is using it. We expect customers may want 
it. My notes say we can't get the testsuite to work with that enabled.

When fixing it for Windows, can hooks be put in to allow for future 
configure changes to set up different behavior on Linux or Solaris? Or 
programmed in a modular way?
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 21 Feb 2017 13:30:44 -0500
> From: Ken Murchison <murch at andrew.cmu.edu>
> To: cyrus-sasl at lists.andrew.cmu.edu
> Subject: Re: Is anyone using GSS-SPNEGO in cyrus-sasl?
> Message-ID: <e2d450a2-f7cb-8671-57d7-5d0b5e5cdd3a at andrew.cmu.edu>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> At first glance, this patch looks sane.  I will commit it shortly.
>
>
> On 02/21/2017 10:34 AM, Jakub Jelen wrote:
>> On 02/21/2017 03:52 PM, Simo Sorce wrote:
>>> Hello all,
>>>
>>> On Tue, 2017-02-21 at 15:36 +0100, Jakub Jelen wrote:
>>>> Hello all,
>>>> we are working on support for GSS-SPNEGO, but there is a problem that
>>>> current implementation (RFC) is not compatible with the only other
>>>> implementation we know about on Windows.
>>> I just want to clarify that the RFC in question is RFC 4559 (at least
>>> according to the commit messages in git that introduced the GSS-SPNEGO
>>> mechanism in 2011). This RFC does not document how to implement
>>> GSS-SPNEGO, but only how to use the GSSAPI SPNEGO mechanism for HTTP
>>> auth.
>>>
>>> The GSS-SPNEGO implementation in cyrus-sasl has always been incorrect,
>>> and worked for HTTP auth solely because all SSF layer negotiation is not
>>> performed at all in that case as HTTP is handled via a special flag.
>>>
>>> Cyrus-sasl's GSS-SPNEGO implementation is self consistent, but it has
>>> never worked (either client or server) against the reference
>>> implementation (Microsoft Windows OSs).
>>>
>>>> Is there anyone using the GSS-SPNEGO against something else than
>>>> Windows?
>>>>
>>>> We would like to modify this behavior to work with Windows and we would
>>>> like to estimate what can be broken by the modification of this
>>>> behavior
>>>> and what are the possibilities to support backward compatibility. I
>>>> would be glad for any input.
>>> The patch here:
>>> https://github.com/simo5/cyrus-sasl/commit/72b01964a240da457783f0651bef0ff9f146eb3b
>>>
>>> fixes the behavior of GSS-SPNEGO to work against Windows Servers and to
>>> let Windows clients work against cyrus-sasl servers.
>>>
>>> This has been tested with ldap client tools against an AD server using
>>> Kerberos credentials, and using ldp.exe on an Active Directory client
>>> against a 389ds LDAP server.
>>>
>>> This patchset breaks compatibility with the older GSS-SPNEGO
>>> implementation but does not change the behavior for the GSSAPI one.
>>> It also does not break HTTP auth behavior as that case still shortcuts
>>> SSF negotiation which is the only thing changed by this patch.
>>>
>>> If this patch is ok I will open a PR or send it to the mailing list if
>>> that's preferred.
>>>
>>> Simo.
>>>
>>> NOTE: I am not subscribed to the ML, please keep me in CC.
>> Re-sending more comments from Simo, since his answer was rejected from
>> the ML.
>>
>> Jakub


-- 
Jan Parcel, Developer Oracle Systems, SPARC & Solaris System Software 
Engineering
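
The exchange Simo's message refers to as "SSF layer negotiation" is the RFC 4752 security-layer handshake that the SASL GSSAPI mechanism runs after the GSS context is established: the server sends a 4-octet token (a bitmask of the layers it supports, then the largest message it can receive) and the client answers with its chosen layer, its own receive limit and an optional authorization identity. The following is an added example, not cyrus-sasl's or the patch's code, showing the plaintext payloads of that handshake and the checks each side is required to make. It assumes nothing beyond RFC 4752; in the real mechanism each payload travels inside a gss_wrap() token with the confidentiality flag off, and that wrapping is not reproduced here.

```python
"""RFC 4752 security-layer negotiation payloads (added example, not cyrus-sasl code).

The SASL GSSAPI mechanism runs this exchange after GSS context establishment.
Each 4-octet payload is normally carried inside a gss_wrap() token with
conf_flag=False; only the plaintext payload is modelled here (assumption).
"""

NO_SECURITY_LAYER = 0x01
INTEGRITY_LAYER = 0x02
CONFIDENTIALITY_LAYER = 0x04
_ALL_LAYERS = NO_SECURITY_LAYER | INTEGRITY_LAYER | CONFIDENTIALITY_LAYER
_MAX_SIZE = 0xFFFFFF  # the size field is three octets, network byte order


def encode_server_offer(layers: int, max_recv: int) -> bytes:
    """Server token: bitmask of supported layers, then max message it can receive."""
    if layers == 0 or layers & ~_ALL_LAYERS:
        raise ValueError("layer bitmask may only use bits 0x01, 0x02, 0x04")
    if layers == NO_SECURITY_LAYER:
        max_recv = 0  # RFC 4752: MUST be 0 when no security layer is supported
    if not 0 <= max_recv <= _MAX_SIZE:
        raise ValueError("max size must fit in 24 bits")
    return bytes([layers]) + max_recv.to_bytes(3, "big")


def decode_server_offer(token: bytes):
    """Client-side parse of the server token; returns (layers_bitmask, server_max_recv)."""
    if len(token) != 4:
        raise ValueError("server token must be exactly 4 octets")
    layers = token[0]
    if layers == 0 or layers & ~_ALL_LAYERS:
        raise ValueError("bad layer bitmask from server")
    return layers, int.from_bytes(token[1:4], "big")


def encode_client_choice(offered: int, supported: int, max_recv: int,
                         authzid: bytes = b"") -> bytes:
    """Pick the strongest layer both sides support (conf > integrity > none) and
    build the client token: chosen layer, client max receive size, optional authzid."""
    for layer in (CONFIDENTIALITY_LAYER, INTEGRITY_LAYER, NO_SECURITY_LAYER):
        if layer & offered & supported:
            break
    else:
        raise ValueError("no security layer in common with the server")
    if layer == NO_SECURITY_LAYER:
        max_recv = 0  # RFC 4752: MUST be 0 when no security layer is selected
    if not 0 <= max_recv <= _MAX_SIZE:
        raise ValueError("max size must fit in 24 bits")
    return bytes([layer]) + max_recv.to_bytes(3, "big") + authzid


def decode_client_choice(token: bytes):
    """Server-side parse of the client token; returns (layer, client_max_recv, authzid)."""
    if len(token) < 4:
        raise ValueError("client token must be at least 4 octets")
    layer = token[0]
    if layer not in (NO_SECURITY_LAYER, INTEGRITY_LAYER, CONFIDENTIALITY_LAYER):
        raise ValueError("client must select exactly one security layer")
    max_recv = int.from_bytes(token[1:4], "big")
    if layer == NO_SECURITY_LAYER and max_recv != 0:
        raise ValueError("max size must be 0 when no security layer is selected")
    return layer, max_recv, token[4:]


def negotiate(server_layers: int, server_max_recv: int,
              client_layers: int, client_max_recv: int, authzid: bytes = b""):
    """Run both sides over the plaintext payloads and return what each side acts on."""
    offer = encode_server_offer(server_layers, server_max_recv)
    offered, server_max = decode_server_offer(offer)
    choice = encode_client_choice(offered, client_layers, client_max_recv, authzid)
    layer, client_max, authz = decode_client_choice(choice)
    if not layer & server_layers:
        raise ValueError("client selected a layer the server did not offer")
    return {
        "layer": layer,                   # layer both sides will now use
        "server_max_recv": server_max,    # client must not send larger than this
        "client_max_recv": client_max,    # server must not send larger than this
        "authzid": authz,
        "server_token": offer,
        "client_token": choice,
    }


if __name__ == "__main__":
    # Constructed inputs: server offers all layers, client supports none/integrity only.
    print(negotiate(_ALL_LAYERS, 65536, NO_SECURITY_LAYER | INTEGRITY_LAYER, 32768, b"alice"))
```

A peer that does not run this exchange at all (the situation the thread describes for Windows' GSS-SPNEGO) never produces these 4-octet payloads, so a mechanism that insists on them will either reject the first application message as a malformed offer or hang waiting for a token that never arrives; that is why the fix is confined to the SSF negotiation step and leaves context establishment untouched.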

