[RFC] fix bug 12007

Simo simo at samba.org
Wed Jul 6 20:04:51 UTC 2016


On Wed, 2016-07-06 at 16:02 -0400, Simo wrote:
> On Wed, 2016-07-06 at 09:49 +0200, Stefan Metzmacher wrote:
> > 
> > Hi Simo,
> > 
> > > 
> > > 
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > What flags are passed in ? Can you point me at the code path
> > > > > that
> > > > > generates this ?
> > > > > 
> > > > It's in the default gse context flags.
> > > > In  gse_context_init(), we have:
> > > > 
> > > >         gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
> > > >                                 *GSS_C_DELEG_FLAG* |
> > > This *must* definitely be made conditional IMHO, it is not ok to
> > > just
> > > send your TGT by default to third parties, it means
> > > malicious/compromised 3rd parties can simply grab it and then
> > > fully
> > > impersonate you to other services.
> > It's the KDC's job to check that it trusts the service and include
> > the delegated creds only if that's the case.
> This is not enforced by the KDC, it is something the
> GSS_C_DELEG_POLICY_FLAG does by inspecting the answers from the KDC,
> but the KDC itself does not make a hard policy decision, it is up to
> the client to follow it.
> 
> I know the flag is requested (the very next flag), but I think we
> should not ask for delegatable credentials in the first place if we
> do not intend to delegate credentials for a specific operation.
> 
> Delegating credentials (i.e. a TGT) should be limited to trusted
> systems and services (like SSH); all other services can simply use
> constrained delegation to perform actions on behalf of users.

Doh, all this and forgot to make the main point :-)

RFC5896 explicitly states:
"If the initiator sets both the deleg_req_flag and
   deleg_policy_req_flag, delegation will be attempted unconditionally.
   When delegation is successful, deleg_state will return TRUE in the
   initiator and acceptor.  When delegation was successful, the
   deleg_state will return TRUE in the initiator and acceptor.
   Additionally, if the mechanism-specific policy recommended
   delegation, the deleg_policy_state will additionally return TRUE for
   the initiator (only)."

So by setting both flags we are basically attempting to *always*
unconditionally delegate credentials, and this is bad.

Simo.
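The flag semantics argued over in this thread, as an added example that is not part of the original message and not Samba code: a model of how the GSS_C_DELEG_FLAG and GSS_C_DELEG_POLICY_FLAG request bits map to actual TGT forwarding under the RFC 5896 rules quoted above, next to an illustrative conditional flag set of the kind proposed for gse_context_init(). The flag values mirror gssapi.h (MIT and Heimdal); the mechanism behaviour is simulated from the RFC text rather than calling a real gss_init_sec_context(), since that needs a KDC, and the function names are assumptions for this example.

```c
/* Added example, not Samba's code: models RFC 5896 delegation-flag
 * semantics and a conditional flag set for a GSS initiator. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in gssapi.h (MIT and Heimdal); defined here only so
 * the example builds without the GSS-API headers installed. */
#ifndef GSS_C_DELEG_FLAG
#define GSS_C_DELEG_FLAG        1
#define GSS_C_MUTUAL_FLAG       2
#define GSS_C_SEQUENCE_FLAG     8
#define GSS_C_CONF_FLAG         16
#define GSS_C_INTEG_FLAG        32
#define GSS_C_DELEG_POLICY_FLAG 32768
#endif

#define EXAMPLE_BASE_FLAGS (GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | \
                            GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

/* Hypothetical replacement for the unconditional default in
 * gse_context_init(): only a caller that intends to delegate asks for
 * it, and then only via the POLICY flag, so the TGT is forwarded solely
 * when the KDC marked the service ticket OK-AS-DELEGATE. Adding
 * GSS_C_DELEG_FLAG as well would make delegation unconditional. */
uint32_t example_want_flags(bool intend_to_delegate)
{
    uint32_t flags = EXAMPLE_BASE_FLAGS;
    if (intend_to_delegate) {
        flags |= GSS_C_DELEG_POLICY_FLAG;
    }
    return flags;
}

/* Simulated Kerberos mechanism (not a real GSS call): decide whether the
 * initiator forwards its TGT given the requested flags and the KDC's
 * OK-AS-DELEGATE verdict, and build ret_flags as RFC 5896 section 2
 * describes: deleg_state (GSS_C_DELEG_FLAG) is set whenever delegation
 * happened; deleg_policy_state (GSS_C_DELEG_POLICY_FLAG) only when the
 * mechanism policy itself recommended it. */
uint32_t simulate_init_sec_context(uint32_t req_flags, bool ok_as_delegate)
{
    bool deleg_req = (req_flags & GSS_C_DELEG_FLAG) != 0;
    bool policy_req = (req_flags & GSS_C_DELEG_POLICY_FLAG) != 0;
    uint32_t ret_flags = req_flags & EXAMPLE_BASE_FLAGS;
    bool delegated;

    if (deleg_req) {
        delegated = true;            /* unconditional, policy ignored */
    } else if (policy_req) {
        delegated = ok_as_delegate;  /* follow the KDC's recommendation */
    } else {
        delegated = false;           /* never forward the TGT */
    }

    if (delegated) {
        ret_flags |= GSS_C_DELEG_FLAG;
    }
    if (policy_req && delegated && ok_as_delegate) {
        ret_flags |= GSS_C_DELEG_POLICY_FLAG;
    }
    return ret_flags;
}

/* True when a request flag set forwards the TGT to any acceptor,
 * trusted by the KDC or not. This is what DELEG_FLAG|DELEG_POLICY_FLAG
 * in the default gse flags amounts to. */
bool delegates_unconditionally(uint32_t req_flags)
{
    return (simulate_init_sec_context(req_flags, false) & GSS_C_DELEG_FLAG) != 0;
}

int main(void)
{
    /* Constructed comparison: the thread's default versus the
     * conditional request, against a service the KDC does not trust. */
    uint32_t thread_default = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
                              GSS_C_DELEG_POLICY_FLAG;
    printf("default flags delegate to untrusted service: %s\n",
           delegates_unconditionally(thread_default) ? "yes" : "no");
    printf("policy-only flags delegate to untrusted service: %s\n",
           delegates_unconditionally(example_want_flags(true)) ? "yes" : "no");
    return 0;
}
```

The simulated mechanism follows the MIT/Heimdal behaviour the RFC describes: with both request bits set the OK-AS-DELEGATE check never runs, so the only way to make the KDC's policy binding on the client is to request GSS_C_DELEG_POLICY_FLAG without GSS_C_DELEG_FLAG.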



More information about the samba-technical mailing list