Fixes for S3 DCE/RPC GSSAPI with Heimdal
Andrew Bartlett
abartlet at samba.org
Wed Apr 20 19:16:27 MDT 2011

On Wed, 2011-04-20 at 17:05 +1000, Andrew Bartlett wrote:
> Luke,
>
> Am I correct in saying that MIT kerberos versions (1.6?) that don't
> provide gss_get_name_attribute() also do not provide any way for the
> caller to verify the PAC? In particular, I can't see a way to get the
> service keyblock back from GSSAPI.
>
> The reason I ask is that it seems that it is impossible to securely use
> the PAC in versions 1.6 and below, and I want to ensure we don't release
> Samba 3.6 with a security hole.
>
> Simo,
>
> If this is the case, should we simply decide not to support GSSAPI
> secured RPC against MIT 1.6? (that version I think had gss_wrap_iov but
> not gss_get_name_attribute).
>
> I am writing a wrapper that checks the name and timestamp, but this
> seems pointless if we don't check the actual signature on the PAC.

See http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-fix for my latest patch set.

Ironically, in the success case the release_oid fix isn't required.
This bothers me - we should look into if we are just leaking it.

This works for the top level build and autoconf, and I think it's ready
for your review. I'm having difficulty with the s3-waf build, I'll keep
nutting at it and get Tridge's help on that when he is available.

I'll move Samba4 to also use this function when I get a chance.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org