Current semantics for channel-bindings in GSSAPI

Isaac Boukris iboukris at gmail.com
Tue Mar 10 12:18:46 EDT 2020 

On Tue, Mar 10, 2020 at 4:54 PM Stefan Metzmacher <metze at samba.org> wrote:
>
> Am 10.03.20 um 16:34 schrieb Isaac Boukris:
> > On Tue, Mar 10, 2020 at 4:23 PM Stefan Metzmacher <metze at samba.org> wrote:
> >>
> >> Hi Issac,
> >>
> >>> As discussed last week, we want the following changes.
> >>>
> >>> - MIT should match Heimdal behavior and only error if client bindings
> >>> are not all zeros.
> >>> - Both Heimdal/MIT should return channel-bound flag if the bindings did match.
> >>> - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
> >>> present if authenticator, in which case if the server passed bindings
> >>> they must match.
> >>> - Both Heimdal/MIT should provide a conf option to asset the client
> >>> system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
> >>> sent in any ap-req.
> >>>
> >>> I submitted wip PR #1047 upstream MIT based on the above.
> >>>
> >>> @metze, would that satisfy samba's requirements?
> >>
> >> I looked briefly and the core changes look good,
> >> but (as always :-) I think krb5.conf option alone are unflexible
> >> and I'd really like to get rid of autogenerated krb5.conf files and
> >> global exporting "KRB5_CONFIG". So APIs to turn this on from the
> >> application would be great.
> >
> > Ok, so we'd need a new cred-option to override it by the application.
>
> If we can agree on a way to implement that:-)
>
> Using gss_set_cred_option() would be the simplest solution,
> but it got rejected for GSS_KRB5_CRED_NO_TRANSIT_CHECK_X.
> Passing cred_store to gss_acquire_cred_from() would also work
> and I'm not sure if/how gss_create_sec_context() +
> gss_set_sec_context_option() would work.
>
> gss_set_sec_context_option() would be the most flexible way
> and may be useful for more things I plan to implement.

Honestly I'd say we can start with the krb5.conf option, I think it
has value anyway as it allows to protect applications system-wide
without the need to update them. Then eventually, use cred/context
options to override it, as we decide.

btw, as mentioned "off-list" Windows seem to skip channel-bindings
check if the client omits the checksum altogether, even in level=2. I
think it is a bug, and we shouldn't return channel-bound flag it that
case.

More information about the krbdev mailing list