[Dovecot] GSSAPI cross-realm fixed
Bryan Jacobs
no at landwarsin.asia
Wed Jul 8 03:40:02 EEST 2009
On Tue, 07 Jul 2009 20:27:57 -0400
Timo Sirainen <tss at iki.fi> wrote:
> On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:
> > Attached is a patch which in my environment (Linux/Heimdal 1.2.1)
> > fixes cross-realm GSSAPI authentication.
> >
> > Changes it makes:
> > 1. When using krb5_kuserok, do not call gss_compare_name to check
> > that authn_name and authz_name are the same. Instead, make TWO
> > calls to krb5_kuserok, one for each ID. If both IDs are
> > acceptable, allow the login.
>
> I'm just wondering. Is the authz_name check really necessary?
> Simplified, the code is basically:
>
> krb5_parse_name(ctx, username, &princ);
> ok = krb5_kuserok(ctx, princ, username);
>
> Are there really situations where the above code produces ok=FALSE?
>
> Also do you have any ideas why after your patch it fails here:
> http://dovecot.org/list/dovecot/2009-June/040672.html
>
> Maybe instead of always using krb5_userok() it's used only when
> authn_name != authz_name?
I haven't looked at the source code of krb5_kuserok so I can't say for
sure. The issue is that one user can AUTHeNticate and then request
AUTHoriZation for a different mailbox (as in, foo at bar.com could be OK
for the mailbox foo at baz.com). Your idea of using krb5_kuserok when
authn_name != authz_name sounds very good to me - a principal should
always be allowed to act in its own name. Perhaps lha should be
consulted first, though.
I don't know why the case you cite fails - they ARE using MIT Kerberos
(Heimdal klist output looks different from what they pasted), so it
could be that krb5_kuserok functions differently there.
Bryan Jacobs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090707/2ce8652d/attachment.bin
More information about the dovecot
mailing list