kprop across NAT boundaries (patching privsafe)

Jorj Bauer jorj at temple.edu
Tue Jan 5 11:20:10 EST 2021 

Or not attached, because the list stripped it. Inline:

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 9616b24..c1a677c 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1269,6 +1269,8 @@ struct _krb5_context {

 struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
 char *plugin_base_dir;
+
+ int skip_address_checks;
 };

 /* could be used in a table to find an etype and initialize a block */
diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c
index 0b53aae..badea9b 100644
--- a/src/kprop/kprop.c
+++ b/src/kprop/kprop.c
@@ -83,7 +83,7 @@ static void update_last_prop_file(char *hostname, char *file_name);
 static void usage()
 {
 fprintf(stderr, _("\nUsage: %s [-r realm] [-f file] [-d] [-P port] "
- "[-s keytab] replica_host\n\n"), progname);
+ "[-s keytab] [-U] replica_host\n\n"), progname);
 exit(1);
 }

@@ -125,7 +125,7 @@ parse_args(krb5_context context, int argc, char **argv)
 krb5_error_code ret;

 progname = argv[0];
- while ((c = getopt(argc, argv, "r:f:dP:s:")) != -1) {
+ while ((c = getopt(argc, argv, "r:f:dP:s:U")) != -1) {
 switch (c) {
 case 'r':
 realm = optarg;
@@ -142,6 +142,11 @@ parse_args(krb5_context context, int argc, char **argv)
 case 's':
 keytab_path = optarg;
 break;
+ case 'U':
+ if (debug)
+ fprintf(stderr, "disabling address checking\n");
+ context->skip_address_checks = 1;
+ break;
 default:
 usage();
 }
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 5622d56..d1ade0f 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -171,7 +171,7 @@ usage()
 progname);
 fprintf(stderr, _("\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n"));
 fprintf(stderr, _("\t[-x db_args]* [-P port] [-a acl_file]\n"));
- fprintf(stderr, _("\t[-A admin_server] [--pid-file=pid_file]\n"));
+ fprintf(stderr, _("\t[-A admin_server] [--pid-file=pid_file] [-U]\n"));
 exit(1);
 }

@@ -1059,7 +1059,7 @@ parse_args(int argc, char **argv)
 }

 progname = argv[0];
- while ((c = getopt_long(argc, argv, "A:f:F:p:P:r:s:DdSa:tx:",
+ while ((c = getopt_long(argc, argv, "A:f:F:p:P:r:s:DdSa:tx:U",
 long_options, NULL)) != -1) {
 switch (c) {
 case 'A':
@@ -1112,6 +1112,11 @@ parse_args(int argc, char **argv)
 db_args[db_args_size + 1] = NULL;
 db_args_size++;
 break;
+ case 'U':
+ if (debug)
+ fprintf(stderr, "disabling address checking\n");
+ kpropd_context->skip_address_checks = 1;
+ break;
 case PID_FILE:
 pid_file = optarg;
 break;

diff --git a/src/lib/krb5/krb/privsafe.c b/src/lib/krb5/krb/privsafe.c
index 9ba41dd..5ab6bbf 100644
--- a/src/lib/krb5/krb/privsafe.c
+++ b/src/lib/krb5/krb/privsafe.c
@@ -317,6 +317,18 @@ k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac,
 const krb5_address *local_addr, *remote_addr;
 krb5_address local_fulladdr, remote_fulladdr;

+ /* Temporary (?) hack so that callers can decide whether or not
+ * address validation is important in their individual context;
+ * for example, kprop across NAT boundaries must ignore address
+ * checks bidirectionally if it wants to succeed at all, and the
+ * address check is of questionable value in that context; so
+ * kprop/kpropd should be able to decide that they want to skip
+ * this... */
+ if (context->skip_address_checks) {
+ return 0;
+ }
+
+
 local_fulladdr.contents = remote_fulladdr.contents = NULL;

 /* Determine the remote comparison address. */
On Jan 5, 2021, 11:18 AM -0500, Jorj Bauer <jorj at temple.edu>, wrote:
Because the privsafe protocol bakes in the source and destination address and port, it’s not possible to run kprop through layers of NAT (without doing something that undoes the damage NAT does). In particular, I’m finding this to be one of the problems with being able to run Kerberos “for real” inside Kubernetes, where we have an F5 fronting multiple k8s clusters, whose ingresses fan out traffic to multiple pods inside each.

I saw a discussion on this list between 2015 and Janaury 2020, in which a brief discussion about the importance of the address in the privsafe discussion for kpropd culminated in (paraphrasing) “it doesn’t look like the address is important for this use case”.

Attached is a patch against 1.18.3 that lets kprop and kpropd specify a command line flag (“-U”) to allow unverified addresses to work. It’s a deeper hack than I would have liked, but given the current abstraction of privsafe (and the way it’s embedded in it) it seemed the cleanest approach.

Thoughts welcome. I’d love to see some solution to this problem make it in to a release in 2021, whether it’s this approach or not; if there are other approaches folks think are better, I’m all ears...

— j


_______________________________________________
krbdev mailing list krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

More information about the krbdev mailing list