[RFC] fix bug 12007
Simo
simo at samba.org
Wed Jul 6 20:04:51 UTC 2016
On Wed, 2016-07-06 at 16:02 -0400, Simo wrote:
> On Wed, 2016-07-06 at 09:49 +0200, Stefan Metzmacher wrote:
> >
> > Hi Simo,
> >
> > >
> > >
> > > >
> > > >
> > > > >
> > > > >
> > > > > What flags are passed in? Can you point me at the code path
> > > > > that generates this?
> > > > >
> > > > It's in the default gse context flags.
> > > > In gse_context_init(), we have:
> > > >
> > > > gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
> > > > *GSS_C_DELEG_FLAG* |
> > > This *must* definitely be made conditional IMHO, it is not ok to
> > > just send your TGT by default to third parties, it means
> > > malicious/compromised 3rd parties can simply grab it and then
> > > fully impersonate you to other services.
> > It's the KDC's job to check that it trusts the service and include
> > the delegated creds only if that's the case.
> This is not enforced by the KDC, it is something the
> GSS_C_DELEG_POLICY_FLAG does by inspecting the answers from the KDC,
> but the KDC itself does not make a hard policy decision, it is up to
> the client to follow it.
>
> I know the flag is request (the very next) flag, but I think we
> should not ask for delegatable credentials in the first place if we
> do not intend to delegate credentials for a specific operation.
>
> Delegating credentials (i.e. a TGT) should be limited to trusted
> systems and services (like SSH), all other services can simply use
> constrained delegation to perform actions on behalf of users.
Doh, all this and I forgot to make the main point :-)
RFC5896 explicitly states:
"If the initiator sets both the deleg_req_flag and
deleg_policy_req_flag, delegation will be attempted unconditionally.
When delegation is successful, deleg_state will return TRUE in the
initiator and acceptor. When delegation was successful, the
deleg_state will return TRUE in the initiator and acceptor.
Additionally, if the mechanism-specific policy recommended
delegation, the deleg_policy_state will additionally return TRUE for
the initiator (only)."
So by setting both flags we are basically attempting to *always*
unconditionally delegate credentials, and this is bad.
Simo.
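Added illustration of the RFC 5896 initiator-side decision quoted above (not Samba's own code, nor the GSSAPI library's): it models whether a TGT gets forwarded for a given set of request flags, assuming flag values that mirror the public gssapi.h constants and treating the KDC's OK-AS-DELEGATE answer as a constructed input.

```c
/* Added illustration (not Samba or MIT/Heimdal code): models the initiator's
 * delegation decision described in RFC 5896 so the effect of the default gse
 * flags can be checked offline. The MY_* values mirror the public GSSAPI flag
 * constants; whether the service ticket carried OK-AS-DELEGATE is a constructed
 * input, and a forwarded TGT is assumed to be obtained whenever it is attempted. */
#include <stdbool.h>
#include <stdint.h>

#define MY_GSS_C_DELEG_FLAG         1u
#define MY_GSS_C_MUTUAL_FLAG        2u
#define MY_GSS_C_DELEG_POLICY_FLAG  32768u

/* What the initiator learns from ret_flags after context establishment. */
typedef struct {
    bool deleg_state;        /* TGT was actually forwarded (RFC 5896 deleg_state) */
    bool deleg_policy_state; /* KDC policy recommended delegation (initiator only) */
} deleg_outcome;

/* Decide whether the initiator forwards its TGT, given the requested flags and
 * whether the KDC marked the target service with OK-AS-DELEGATE. */
deleg_outcome decide_delegation(uint32_t req_flags, bool kdc_ok_as_delegate)
{
    deleg_outcome out = { false, false };
    bool deleg_req        = (req_flags & MY_GSS_C_DELEG_FLAG) != 0;
    bool deleg_policy_req = (req_flags & MY_GSS_C_DELEG_POLICY_FLAG) != 0;

    if (deleg_req) {
        /* deleg_req_flag, alone or with deleg_policy_req_flag: delegation is
         * attempted unconditionally; the KDC's hint is only reported back. */
        out.deleg_state = true;
        out.deleg_policy_state = deleg_policy_req && kdc_ok_as_delegate;
    } else if (deleg_policy_req) {
        /* Policy-only request: forward the TGT only when the KDC recommends it. */
        out.deleg_state = kdc_ok_as_delegate;
        out.deleg_policy_state = kdc_ok_as_delegate;
    }
    /* Neither flag requested: the TGT is never forwarded. */
    return out;
}

/* The default discussed in the thread (both flags set) versus a policy-only
 * request that leaves the decision to the KDC's OK-AS-DELEGATE marking. */
static const uint32_t DEFAULT_WANT_FLAGS =
    MY_GSS_C_MUTUAL_FLAG | MY_GSS_C_DELEG_FLAG | MY_GSS_C_DELEG_POLICY_FLAG;
static const uint32_t POLICY_ONLY_WANT_FLAGS =
    MY_GSS_C_MUTUAL_FLAG | MY_GSS_C_DELEG_POLICY_FLAG;
```

With DEFAULT_WANT_FLAGS the TGT is forwarded even to a service the KDC never marked as OK-AS-DELEGATE, which is the point made above; with POLICY_ONLY_WANT_FLAGS it is forwarded only when the KDC recommends it.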