[krbdev.mit.edu #3923] [Simon Josefsson] Re: RFC4120

Sam Hartman via RT rt-comment at krbdev.mit.edu
Thu Jun 22 09:35:46 EDT 2006


From: Simon Josefsson <jas at extundo.com>
To: Sam Hartman <hartmans-ietf at mit.edu>
Cc: "Shawn M. Emery" <Shawn.Emery at Sun.COM>, martin.rex at sap.com,
	Durbin_Ron at emc.com, ietf-krb-wg at anl.gov
Subject: Re: RFC4120
References: <200606192125.XAA18319 at uw1048.wdf.sap.corp>
	<tsl1wtijtd8.fsf at cz.mit.edu> <44998FB3.5050203 at sun.com>
	<87bqsl1pqy.fsf at latte.josefsson.org> <tslwtb9fjyu.fsf at cz.mit.edu>
Date: Thu, 22 Jun 2006 15:25:03 +0200
In-Reply-To: <tslwtb9fjyu.fsf at cz.mit.edu> (Sam Hartman's message of "Thu, 22
	Jun 2006 08:33:45 -0400")
Message-ID: <873bdxz5jk.fsf at latte.josefsson.org>

Sam Hartman <hartmans-ietf at mit.edu> writes:

>>>>>> "Simon" == Simon Josefsson <jas at extundo.com> writes:
>
>     Simon> "Shawn M. Emery" <Shawn.Emery at Sun.COM> writes:
>     >>> Notable differences include support for AES which is mandated
>     >>> by RFC 4120, but which will not be hugely common until Windows
>     >>> Vista ships.  MIT, Heimdal, Solaris and Apple have had AES for
>     >>> a while now, though.
>     >>> 
>     >>  There are a number of implementations that don't enforce
>     >> requirements made by RFC 4120.  For example:
>     >> 
>     >> Implementations of Kerberos and protocols based on Kerberos
>     >> MUST NOT use insecure DNS queries to canonicalize the hostname
>     >> components of the service principal names (i.e., they MUST NOT
>     >> use insecure DNS queries to map one name to another to
>     >> determine the host part of the principal name with which one is
>     >> to communicate).
>
>     Simon> There are several other examples:
>
>     Simon> 1) Nobody else's implementation that I've tested seems to
>     Simon> behave according to RFC 4120 wrt the high bit set on TCP
>     Simon> connections.
>
> Really?
> MIT certainly intended to behave correctly.
> Do you have a simple test case?  If you could describe the problem within the next day or so, we could probably get a fix into 1.5.

The details were posted in:

http://article.gmane.org/gmane.ietf.krb-wg/4342

I confirmed this again with Debian's krb5-kdc version 1.4.3-7.

To test this, just send a message with all bits set:

jas at latte:~$ printf "\xff\xff\xff\xff" | nc localhost 88

The KDC closes the connection and logs:

Jun 22 15:19:01 localhost krb5kdc[5081]: TCP client 127.0.0.1.44841 wants 4294967295 bytes, cap is 1048572

It would be useful to have one implementation that behaves according
to RFC 4120 to test with, when Shishi tries to use the extension
mechanism against a server that doesn't support it.

/Simon
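As an added example (not code from this thread, from MIT krb5 or from Shishi): the RFC 4120 section 7.2.2 rule that the printf/nc probe above exercises, modelled offline in Python. kdc_on_tcp_prefix is what a KDC with no length-extension support is required to do when the high bit of the 4-octet TCP length is set (answer with a KRB-ERROR carrying KRB_ERR_FIELD_TOOLONG, code 61, then close), and classify_reply tells that reply apart from a bare close; the realm EXAMPLE.ORG, the function names and the minimal KRB-ERROR encoder are my own assumptions.

```python
import struct
from datetime import datetime, timezone

KRB_ERR_FIELD_TOOLONG = 61   # RFC 4120 section 7.5.9
HIGH_BIT = 0x80000000        # reserved bit of the 4-octet TCP length, RFC 4120 section 7.2.2

def _der(tag, body):         # minimal DER TLV, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _int(v):                 # INTEGER, two's complement, minimal octets
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
_ctx = lambda n, body: _der(0xA0 | n, body)        # explicit context tag [n]
_gs = lambda s: _der(0x1B, s.encode("ascii"))      # KerberosString (GeneralString)

def krb_error(code, realm, now=None):
    """Encode a KRB-ERROR [APPLICATION 30] carrying only its mandatory fields."""
    now = now or datetime.now(timezone.utc)
    stime = _der(0x18, now.strftime("%Y%m%d%H%M%SZ").encode())
    sname = _der(0x30, _ctx(0, _int(2)) + _ctx(1, _der(0x30, _gs("krbtgt") + _gs(realm))))
    body = (_ctx(0, _int(5)) + _ctx(1, _int(30)) + _ctx(4, stime) + _ctx(5, _int(now.microsecond))
            + _ctx(6, _int(code)) + _ctx(9, _gs(realm)) + _ctx(10, sname))
    return _der(0x7E, _der(0x30, body))             # 0x7E = constructed APPLICATION 30

def kdc_on_tcp_prefix(prefix, realm="EXAMPLE.ORG"):   # realm is a constructed sample value
    """KDC without extension support: (bytes_to_send, close_stream) for a 4-octet length prefix.
    High bit set: framed KRB-ERROR 61, then close. A bare close with no KRB-ERROR, as reported
    above, is the non-compliant behaviour."""
    (length,) = struct.unpack("!I", prefix)
    if length & HIGH_BIT:
        err = krb_error(KRB_ERR_FIELD_TOOLONG, realm)
        return struct.pack("!I", len(err)) + err, True
    return b"", False        # ordinary request: go on to read `length` octets of KDC-REQ

def _tlvs(buf):              # walk DER into (tag, contents) pairs; enough to read a reply
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def classify_reply(reply):
    """Client side: error-code of the framed KRB-ERROR, or None if the peer just closed."""
    if not reply:
        return None
    (n,) = struct.unpack("!I", reply[:4])
    [(tag, seq)] = _tlvs(reply[4:4 + n])
    fields = dict(_tlvs(_tlvs(seq)[0][1])) if tag == 0x7E else {}
    return int.from_bytes(_tlvs(fields[0xA6])[0][1], "big", signed=True) if 0xA6 in fields else None
```

Feeding classify_reply the bytes a real KDC sends back after the four 0xff octets (an empty read on close) is the same check the log line above records by hand.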