Security Factor with GSSAPI (MIT Compat/Cyrus-SASL 2.1.27 compatibility)

Security Factor with GSSAPI (MIT Compat/Cyrus-SASL 2.1.27 compatibility)

Quanah Gibson-Mount-2
Historically, the SSF value in Cyrus-SASL for GSSAPI connections has been
hard coded to "56" (DES).  The MIT project added capability to provide back
a derived SSF for Cyrus-SASL to use.  However, Heimdal does not appear to
have a corresponding value that can be passed into Cyrus-SASL.  This has
been a significant issue for years, and it would be nice to be able to
obtain the same information regardless of Kerberos implementation.

In the MIT code, this is provided via:
GSS_C_SEC_CONTEXT_SASL_SSF

Is there something similar in Heimdal that I'm missing, or should I open an
issue on GitHub for this functionality to be added?

Thanks!

Warm regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Re: Security Factor with GSSAPI (MIT Compat/Cyrus-SASL 2.1.27 compatibility)

Quanah Gibson-Mount-2
--On Monday, August 20, 2018 2:12 PM -0700 Quanah Gibson-Mount
<[hidden email]> wrote:

> In the MIT code, this is provided via:
> GSS_C_SEC_CONTEXT_SASL_SSF
>
> Is there something similar in Heimdal that I'm missing, or should I open
> an issue on GitHub for this functionality to be added?

Ok, in reading the code, the issue is deeper than that
(GSS_C_SEC_CONTEXT_SASL_SSF is set in cyrus-sasl if the implementation is
Heimdal).  The actual issue is apparently that the
gss_inquire_sec_context_by_oid function returns data with MIT Kerberos
that's not available with Heimdal.

I'll open a ticket in this regard.

--Quanah




--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
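
An added example, not part of the original posts and not code from Cyrus-SASL, MIT Kerberos or Heimdal: one way a caller could turn the result of the gss_inquire_sec_context_by_oid query discussed above into an SSF, falling back to the historical 56 when the library cannot answer and rejecting a malformed reply instead of guessing. The stand-in types, the function names, the 4-byte big-endian payload layout and the minimum SSF of 128 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins (assumptions) for the GSS-API types, so this builds without
 * Kerberos headers. In real code the status is the OM_uint32 major status and
 * the set is the gss_buffer_set_t from gss_inquire_sec_context_by_oid(). */
enum inquire_status { INQ_COMPLETE, INQ_UNAVAILABLE, INQ_FAILURE };
struct ssf_buf { size_t length; const unsigned char *value; };
struct ssf_buf_set { size_t count; const struct ssf_buf *elements; };

#define LEGACY_GSSAPI_SSF 56u /* the historical hard-coded value (DES) */

/* Returns 0 and stores the SSF, or -1 when the reply must not be trusted. */
int ssf_from_inquiry(enum inquire_status st, const struct ssf_buf_set *set,
                     uint32_t *ssf)
{
    if (st == INQ_UNAVAILABLE) {      /* library cannot answer this OID */
        *ssf = LEGACY_GSSAPI_SSF;
        return 0;
    }
    if (st != INQ_COMPLETE || !set || set->count != 1 || !set->elements)
        return -1;
    const struct ssf_buf *b = &set->elements[0];
    if (b->length != 4 || b->value == NULL)
        return -1;                    /* malformed: fail, do not guess */
    /* Assumed layout: one 32-bit big-endian integer. */
    *ssf = ((uint32_t)b->value[0] << 24) | ((uint32_t)b->value[1] << 16) |
           ((uint32_t)b->value[2] << 8) | (uint32_t)b->value[3];
    return 0;
}

/* Hypothetical policy check: does the connection satisfy a minimum SSF? */
int meets_min_ssf(uint32_t ssf, uint32_t min_ssf) { return ssf >= min_ssf; }

/* Constructed sample reply: SSF 256 encoded as 00 00 01 00. */
static const unsigned char sample_bytes[4] = { 0x00, 0x00, 0x01, 0x00 };
static const struct ssf_buf sample_elem = { 4, sample_bytes };
static const struct ssf_buf_set sample_set = { 1, &sample_elem };

int main(void)
{
    uint32_t reported = 0, fallback = 0;
    ssf_from_inquiry(INQ_COMPLETE, &sample_set, &reported);
    ssf_from_inquiry(INQ_UNAVAILABLE, NULL, &fallback);
    printf("reported=%u ok128=%d\n", (unsigned)reported, meets_min_ssf(reported, 128));
    printf("fallback=%u ok128=%d\n", (unsigned)fallback, meets_min_ssf(fallback, 128));
    return 0;
}
```

With the fallback value, a connection fails any minimum-SSF policy above 56 regardless of the encryption type actually negotiated, which is why the library's ability to report a derived value matters.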