Current semantics for channel-bindings in GSSAPI
Isaac Boukris
iboukris at gmail.com
Fri Feb 28 08:58:00 EST 2020
To follow up on the KERB_AP_OPTIONS_CBT ad-element, (partly) documented in MS-KILE 3.2.5.8 (AP Exchange) and 3.4.5.
I was able to confirm that Windows would enforce channel-bindings (not allow all zeroes): when I add this ad-element in the MIT client code I get an error, while it works when I do pass the CB, even with level 2 (using "tls-server-end-point" from RFC 5056).
https://github.com/iboukris/krb5/commit/1897f9a65a79587209b14d1e6cb584dfc2cf2138
    $ LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/ldapsearch -h adc.acme.com -b dc=acme,dc=com cn=administrator -Y GSSAPI -N -O maxssf=0 -ZZ
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind: Invalid credentials (49)
            additional info: 80090346: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 80090346, v4563
btw, these are the openldap/cyrus wip branches I test with:
https://github.com/iboukris/openldap/commits/gssapi_cbind
https://github.com/iboukris/cyrus-sasl/commits/sasl_gssapi_cbt
Hacked MIT client code:

    authenticator
        authenticator-vno: 5
        crealm: SMB.NET
        cname
        cksum
        cusec: 233908
        ctime: 2020-02-28 13:14:45 (UTC)
        subkey
        seq-number: 758067575
        authorization-data: 1 item
            AuthorizationData item
                ad-type: AD-IF-RELEVANT (1)
                ad-data: 3010300ea0040202008fa106040400400000
                    AuthorizationData item
                        ad-type: AD-AP-OPTIONS (143)
                        ad-data: 00400000
                            AD-AP-Options: 0x00004000, ChannelBindings
                                .... .... .... .... .1.. .... .... .... = ChannelBindings: Set
Windows client:

    authenticator
        authenticator-vno: 5
        crealm: SMB.NET
        cname
        cksum
            cksumtype: cKSUMTYPE-GSSAPI (32771)
            checksum: 100000009e41a51ed7c90b3597bc7217c4d3c41e02400000
                Length: 16
                Bnd: 9e41a51ed7c90b3597bc7217c4d3c41e
                .... .... .... .... ...0 .... .... .... = DCE-style: Not using DCE-STYLE
                .... .... .... .... .... .... ..0. .... = Integ: Do NOT use integrity protection
                .... .... .... .... .... .... ...0 .... = Conf: Do NOT use Confidentiality (sealing)
                .... .... .... .... .... .... .... 0... = Sequence: Do NOT enable out-of-sequence detection
                .... .... .... .... .... .... .... .0.. = Replay: Do NOT enable replay protection
                .... .... .... .... .... .... .... ..1. = Mutual: Request that remote peer authenticates itself
                .... .... .... .... .... .... .... ...0 = Deleg: Do NOT delegate
        cusec: 73
        ctime: 2020-02-26 18:24:27 (UTC)
        subkey
        seq-number: 2072188652
        authorization-data: 1 item
            AuthorizationData item
                ad-type: AD-IF-RELEVANT (1)
                ad-data: 3081a9303fa0040202008da137043530333031a003020100a12a04280000000000300000…
                    AuthorizationData item
                        ad-type: AD-TOKEN-RESTRICTIONS (141)
                        ad-data: 30333031a003020100a12a04280000000000300000f450fe871880d38a409147a4f8e2d7…
                            restriction-type: 0
                            restriction: 0000000000300000f450fe871880d38a409147a4f8e2d79a2107498eaab6449f374a2ec1…
                    AuthorizationData item
                        ad-type: AD-LOCAL (142)
                        ad-data: b0b55b71c9010000876ec90000000000
                    AuthorizationData item
                        ad-type: AD-AP-OPTIONS (143)
                        ad-data: 00400000
                            AD-AP-Options: 0x00004000, ChannelBindings
                                .... .... .... .... .1.. .... .... .... = ChannelBindings: Set
                    AuthorizationData item
                        ad-type: AD-TARGET-PRINCIPAL (144)
                        ad-data: 6c006400610070002f007300640063002e0073006d0062002e006e006500740040005300…
                            Target Principal: ldap/sdc.smb.net@SMB.NET
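As an added example (not the author's code, and not MIT krb5's), here is a small Python decoder for the two structures the dissections above show: the AD-IF-RELEVANT-wrapped AD-AP-OPTIONS element carrying KERB_AP_OPTIONS_CBT, and the cKSUMTYPE-GSSAPI (0x8003) checksum carrying Bnd. It ends with an acceptor-side check that reproduces the behaviour observed on Windows: an all-zero Bnd is only tolerated when the client did not assert the CBT flag. The outer AuthorizationData wrapper bytes (MIT_AUTHZ) and the acceptor function itself are assumptions constructed from the page's values, not captured data.

```python
import struct
AD_IF_RELEVANT, AD_AP_OPTIONS = 1, 143
KERB_AP_OPTIONS_CBT = 0x4000   # the "ChannelBindings" bit in the dissections above

# Values copied from the dissections above.
MIT_AD_DATA = bytes.fromhex("3010300ea0040202008fa106040400400000")   # AD-IF-RELEVANT ad-data
WIN_CKSUM = bytes.fromhex("100000009e41a51ed7c90b3597bc7217c4d3c41e02400000")
# Constructed (not captured): MIT_AD_DATA wrapped in AD-IF-RELEVANT (ad-type 1) inside the
# AuthorizationData SEQUENCE OF, which the dissection shows but does not print as hex.
MIT_AUTHZ = bytes.fromhex("301d301ba003020101a1140412") + MIT_AD_DATA

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for one DER TLV; short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def find_ap_options(authz_data):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { [0] ad-type, [1] ad-data }.
    Descend into AD-IF-RELEVANT and return the KERB_AP_OPTIONS flags, or None."""
    _, seq, _ = der_read(authz_data)
    pos = 0
    while pos < len(seq):
        _, item, pos = der_read(seq, pos)
        _, tagged_type, p = der_read(item)
        _, tagged_data, _ = der_read(item, p)
        ad_type = int.from_bytes(der_read(tagged_type)[1], "big")
        ad_data = der_read(tagged_data)[1]
        if ad_type == AD_AP_OPTIONS:
            return struct.unpack("<I", ad_data)[0]        # 00400000 on the wire -> 0x4000
        if ad_type == AD_IF_RELEVANT:
            found = find_ap_options(ad_data)
            if found is not None:
                return found
    return None

def parse_gss_checksum(cksum):
    """RFC 1964/4121 checksum 0x8003: Lgth (LE32), Bnd (Lgth bytes), Flags (LE32)."""
    lgth = struct.unpack_from("<I", cksum, 0)[0]
    bnd = cksum[4:4 + lgth]
    flags = struct.unpack_from("<I", cksum, 4 + lgth)[0]
    return lgth, bnd, flags

def acceptor_accepts(cksum, authz_data, expected_bnd):
    """Acceptor rule the post observed: an all-zero Bnd is tolerated only when the
    client did not assert KERB_AP_OPTIONS_CBT; a non-zero Bnd must match."""
    _, bnd, _ = parse_gss_checksum(cksum)
    cbt = bool((find_ap_options(authz_data) or 0) & KERB_AP_OPTIONS_CBT)
    return (not cbt) if bnd == bytes(len(bnd)) else bnd == expected_bnd
```

The Flags word parsed from WIN_CKSUM is 0x4002: the 0x2 is the Mutual bit the dissection lists, and 0x4000 is GSS_C_EXTENDED_ERROR_FLAG from RFC 4757, which Wireshark's flag list above does not print.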