[krbdev.mit.edu #6594] gss_krb5_copy_ccache() doesn't work with spnego delegation

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Dec 10 23:20:53 EST 2009 

>From krb5-bugs-incoming-bounces at PCH.mit.edu  Fri Dec 11 04:20:52 2009
Return-Path: <krb5-bugs-incoming-bounces at PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by krbdev.mit.edu (Postfix) with ESMTP id 0C43ECCA06;
	Fri, 11 Dec 2009 04:20:52 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBB4KpSA020970;
	Thu, 10 Dec 2009 23:20:51 -0500
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
	[18.7.21.83])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBAKqKYn024748
	for <krb5-bugs-incoming at PCH.mit.edu>; Thu, 10 Dec 2009 15:52:20 -0500
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU
	[18.7.68.36])
	by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
	nBAKiZRX004448
	for <krb5-bugs at mit.edu>; Thu, 10 Dec 2009 15:52:33 -0500 (EST)
X-AuditID: 12074424-b7cfcae0000068a6-4f-4b215f636431
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by  (Symantec Brightmail Gateway) with SMTP id DA.E1.26790.36F512B4;
	Thu, 10 Dec 2009 15:51:47 -0500 (EST)
Received: from int-mx03.intmail.prod.int.phx2.redhat.com
	(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id nBAKpkhH028603
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <krb5-bugs at mit.edu>; Thu, 10 Dec 2009 15:51:46 -0500
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
	by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id nBAKpjSp021132
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <krb5-bugs at mit.edu>; Thu, 10 Dec 2009 15:51:46 -0500
Received: from blade.bos.redhat.com (localhost [127.0.0.1])
	by blade.bos.redhat.com (8.14.3/8.14.3) with ESMTP id nBAKqBNj010077
	for <krb5-bugs at mit.edu>; Thu, 10 Dec 2009 15:52:11 -0500
Received: (from nalin at localhost)
	by blade.bos.redhat.com (8.14.3/8.14.3/Submit) id nBAKqBOt010076;
	Thu, 10 Dec 2009 15:52:11 -0500
Date: Thu, 10 Dec 2009 15:52:11 -0500
Message-Id: <200912102052.nBAKqBOt010076 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: gss_krb5_copy_ccache() doesn't work with spnego delegation
From: nalin at redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.42
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.16
X-Brightmail-Tracker: AAAAAxIFCWQSBQvfEgUL4A==
X-Spam-Score: 0.55
X-Spam-Flag: NO
X-Mailman-Approved-At: Thu, 10 Dec 2009 23:20:45 -0500
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin at redhat.com
Sender: krb5-bugs-incoming-bounces at PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu


>Submitter-Id:	net
>Originator:	
>Organization:	Red Hat
>Confidential:	no
>Synopsis:	gss_krb5_copy_ccache() doesn't work with spnego delegation
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.7
>Environment:
	
System: Linux blade.bos.redhat.com 2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	We're seeing problems in mod_auth_kerb with firefox as its client, when
	firefox is configured to delegate credentials and mod_auth_kerb is
	configured to save them to disk.  In these cases, mod_auth_kerb is
	logging this error:

	  Cannot store delegated credential (gss_krb5_copy_ccache: An unsupported mechanism was requested (, Unknown error))

	Firefox is careful to use spnego when it's attempting negotiate auth,
	and other clients which aren't as careful (and which end up sending
	Kerberos tokens) work as expected.

	It looks like gss_krb5_copy_ccache() calls gssspi_set_cred_option()
	with the spnego credential handle, and gssspi_set_cred_option() returns
	GSS_S_BAD_MECH because the spnego mech doesn't provide a function
	for it to use.

>How-To-Repeat:
	Configure a client which uses spnego (such as firefox) to delegate
	credentials to a server which attempts to store delegated creds to
	a Kerberos ccache, and attempt to authenticate to the service.

>Fix:
	This is one possible patch.  It punts a set_cred_option() call down to
	the mechanism for the first credential that we have whose mechanism
	implements a set_cred_option() method.  I'm not sure this is the
	correct fix.  If this is the right fix, we may also need to change
	gssspi_set_cred_option() to keep going if it gets GSS_S_UNAVAILABLE
	back from the mechanism-specific function, but then in cases where
	there are multiple credentials, the mechanism of the first one might
	not be the right one to use anyway.

Index: src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- src/lib/gssapi/spnego/gssapiP_spnego.h	(revision 23461)
+++ src/lib/gssapi/spnego/gssapiP_spnego.h	(working copy)
@@ -352,6 +352,15 @@
 );
 
 OM_uint32
+spnego_gss_set_cred_option
+(
+	OM_uint32 *minor_status,
+	gss_cred_id_t cred_handle,
+	const gss_OID desired_object,
+	const gss_buffer_t value
+);
+
+OM_uint32
 spnego_gss_set_sec_context_option
 (
	OM_uint32 *minor_status,
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c	(revision 23461)
+++ src/lib/gssapi/spnego/spnego_mech.c	(working copy)
@@ -250,7 +250,7 @@
	spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */
	spnego_gss_inquire_cred_by_oid,	/* gss_inquire_cred_by_oid */
	spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */
- 	NULL,				/* gssspi_set_cred_option */
+ 	spnego_gss_set_cred_option,	/* gssspi_set_cred_option */
	NULL,				/* gssspi_mech_invoke */
	spnego_gss_wrap_aead,
	spnego_gss_unwrap_aead,
@@ -2186,6 +2186,21 @@
 }
 
 OM_uint32
+spnego_gss_set_cred_option(
+		OM_uint32 *minor_status,
+		gss_cred_id_t cred_handle,
+		const gss_OID desired_object,
+		const gss_buffer_t value)
+{
+	OM_uint32 ret;
+	ret = gssspi_set_cred_option(minor_status,
+				     cred_handle,
+				     desired_object,
+				     value);
+	return (ret);
+}
+
+OM_uint32
 spnego_gss_set_sec_context_option(
		OM_uint32 *minor_status,
		gss_ctx_id_t *context_handle,

More information about the krb5-bugs mailing list