Creating a new pre-authentication plugin

Greg Hudson ghudson at MIT.EDU
Wed Aug 1 16:09:44 EDT 2012

On 08/01/2012 03:03 PM, Alejandro Perez Mendez wrote:
>> Accepting pointer values from
>> the client would open up the KDC to memory attacks.
> Again, that's a matter of implementation.

Yes, but we know what our implementation is, and it uses pointer values.

> Anyway, IMO that kind of memory attacks (i.e. context does not exists)
> SHOULD be handled at a GSS-API level.

As far as I'm aware, there's no good way to do this in a library GSSAPI
implementation.  Back before we had a mechglue, we used to have a table
of valid pointer values, but that required global synchronization for
every GSSAPI call.

>> The KDC would also need some way to release abandoned GSSAPI handles.

> Yes, this would be the more problematic issue. I need to figure out how
> to solve this. But, just asking, isn't it a problem that GSS-API
> implementation has to deal with?

No, or there wouldn't need to be gss_release_ functions.

>> Second, sending two requests on the same UDP socket does not guarantee
>> that the same KDC process handles them.  There could be multiple worker
>> processes serving the same socket (see the man page documentation of
>> krb5kdc -w), or there could be a network element (like an F5)
>> distributing requests on the same IP and port to different real KDC
>> hosts.

> Again, just asking, wouldn't these workers share the same GSS-API memory
> space? Wouldn't mech_glue be the same for all of them?

No, in both cases.  KDC worker processes have distinct address spaces,
and of course if a network element is distributing requests to different
real KDC hosts, they will have distinct address spaces by virtue of
being on different machines.

More information about the krbdev mailing list