[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)

Jeff Layton jlayton at redhat.com
Mon Aug 25 01:25:01 GMT 2008


On Mon, 25 Aug 2008 00:11:13 +0100
Love Hörnquist Åstrand <lha at kth.se> wrote:

> 
> 24 aug 2008 kl. 23.38 skrev Andrew Bartlett:
> 
> > On Sun, 2008-08-24 at 19:40 +0400, Q (Igor Mammedov) wrote:
> >> Add support for using server supplied principal (mic option)
> >
> > As this is a non-standard extension, and has nasty security properties
> > (connect to one server name, but get a ticket to a completely  
> > different
> > name), shouldn't we be trying to use the server-supplied principal  
> > less,
> > rather than more?  (Windows clients have never used it)
> 
> You should avoid using the hostname in mic.
> 
> And you should force the gssapi library to avoid doing host  
> canonization. I think the only way to do this is to use the name-type  
> GSS_KRB5_NT_PRINCIPAL_NAME,
> 
> Love
> 
> 

Everything I've read does say that windows clients don't use the
contents of the MIC field. The idea was that this would be useful for
allowing kerberos auth in situations where clients and servers have
differing ideas about the hostname of the server (either broken DNS or
maybe trying to mount a CNAME).

I'll confess though that I haven't thought through the security
implications fully here. Obviously, we don't want to do this if it's
dangerous...

So that I understand correctly, what exactly is the risk of using the
server-provided principal?

-- 
Jeff Layton <jlayton at redhat.com>


More information about the linux-cifs-client mailing list