IETF Logo Mail Archive

Re: [kitten] rpcsec-gssv3 multi-principal authentication

Benjamin Kaduk <kaduk@mit.edu> Wed, 03 September 2014 20:52 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F3C61A6FD4; Wed, 3 Sep 2014 13:52:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.869
X-Spam-Level:
X-Spam-Status: No, score=-4.869 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6RdKV-hvGEv; Wed, 3 Sep 2014 13:52:46 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 978B01A06E0; Wed, 3 Sep 2014 13:51:57 -0700 (PDT)
X-AuditID: 12074424-f79346d000004923-87-54077f6bd381
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 49.D9.18723.B6F77045; Wed, 3 Sep 2014 16:51:55 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id s83Kpsdb004731; Wed, 3 Sep 2014 16:51:55 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s83Kpq0O001912 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 3 Sep 2014 16:51:54 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s83Kpqme026440; Wed, 3 Sep 2014 16:51:52 -0400 (EDT)
Date: Wed, 03 Sep 2014 16:51:51 -0400
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Adamson, Andy" <William.Adamson@netapp.com>
In-Reply-To: <7F59B011-C2A7-4222-80A9-5FDC49901145@netapp.com>
Message-ID: <alpine.GSO.1.10.1409031642540.21571@multics.mit.edu>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <20140730163006.GG26316@fieldses.org> <alpine.GSO.1.10.1407311902230.21571@multics.mit.edu> <9BF7E3EA-59DB-4B91-A27A-659790AED727@netapp.com> <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu> <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu> <alpine.GSO.1.10.1409021306240.21571@multics.mit.edu> <7F59B011-C2A7-4222-80A9-5FDC49901145@netapp.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-102982122-1409777512=:21571"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprMKsWRmVeSWpSXmKPExsUixG6nrptdzx5i0PNS3eLo5lUsFrPfP2K1 mL7IyoHZY8mSn0weMz59YQtgiuKySUnNySxLLdK3S+DKmLs2omCKTMWkWU/ZGxi3inUxcnJI CJhIHOl5yAZhi0lcuLceyObiEBKYzSSxZMIUZpCEkMAGRomJfUUQiYNMEm/mfWOHSNRLfH63 BKybRUBLov/DfBYQm01ARaKh+zJQMweHiICBxMalqiBhZgF7iZ5dr8DKhQUsJB5OWwQ2n1PA TuLd37dgI3kFHCUu7/nEDLFrIbPEj+kXWEESogI6Eqv3T2GBKBKUODnzCQvE0ACJCd8nM09g FJyFJDULSQrC1pO4NbsTytaWuH+zjW0BI8sqRtmU3Crd3MTMnOLUZN3i5MS8vNQiXXO93MwS vdSU0k2M4PB2UdnB2HxI6RCjAAejEg+vhx9biBBrYllxZe4hRkkOJiVR3qZa9hAhvqT8lMqM xOKM+KLSnNTiQ4wSHMxKIrw1IDnelMTKqtSifJiUNAeLkjjvW2urYCGB9MSS1OzU1ILUIpis DAeHkgSvYx1Qo2BRanpqRVpmTglCmomDE2Q4D9BwsBre4oLE3OLMdIj8KUZdjnWd3/qZhFjy 8vNSpcR5hUGKBECKMkrz4ObA0tIrRnGgt4R57UCqeIApDW7SK6AlTEBL3HJYQZaUJCKkpBoY J5g9ZIp2N/3Bc+L7s+brZZN/2Bqm7yrdlGfeL2Fvy1xwcekEy93lBb7mi/5vKsvKD9kpdoTl 0QVG/cNPK/xDwiOWTin/+XXR7QlLYnVUr53ivloedTJAwtLthk3vvtNek4Lvrpzzsa6qWotB geuEfWvQmw3zORk/xR9cfu6Vd0HbyxR2TyVJJZbijERDLeai4kQAnXoxLyYDAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/ZhHk-y45v71epjEMW-rhtaZZUog
Cc: "kitten@ietf.org" <kitten@ietf.org>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] rpcsec-gssv3 multi-principal authentication
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 20:52:48 -0000

On Wed, 3 Sep 2014, Adamson, Andy wrote:

>
> On Sep 2, 2014, at 1:13 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
> Hi Ben
>
> Vacation. Thanks for the review. Comments inline...

Ah, understood.  Hope it was relaxing :)

>
> draft-08 section 2.6.1.1.  Multi-principal Authentication
>
>    RPCSEC_GSSv3 clients MAY assert a multi-principal authentication of
>    the client host principal and a user principal.  This feature is
>    needed, for example, when a client wishes to use authority assertions
>    that the server may only grant if a user and a client are
>    authenticated together to the server.  Thus a server may refuse to
>    grant requested authority to a user acting alone (e.g., via an
>    unprivileged user-space program), or to a client acting alone (e.g.
>    when a client is acting on behalf of a user) but may grant requested
>    authority to a client acting on behalf of a user if the server
>    identifies the user and trusts the client.
>
>    It is assumed that an unprivileged user-space program would not have
>    access to client host credentials needed to establish a GSS-API
>    security context authenticating the client to the server, therefore
>    an unprivileged user-space program could not create an RPCSEC_GSSv3
>    RPCSEC_GSS_CREATE message that successfully binds a client and a user
>    security context.
>
> I believe the above last paragraph addresses this issue.  Do we need to
> make this section stronger, or perhaps clarify?
>
> Indeed, an attacker that has it’s own parent RPCSEC context ( e.g. a
> proveable client machine-credential context ) can have her way.
>
> This is nothing new as an attacker with such a context has ‘root’ for
> that machine in the RPCSEC world and can do a whole bunch of mischief :)

I'm not considering the same machine; I'm thinking about a different
machine.  Maybe I can be more clear with an explicit example using NFS,
instead of talking about rpcsec-gss in the abstract.

Alice is a mortal user on machine A, and machine A runs an NFS client.
Machine A has its secure host-specific credentials (nfs/A@REALM or
host/A@REALM or whatever), and Alice has credentials for alice@REALM.
Eve doesn't even have an account on machine A, but has root on machine B,
which also has host-specific credentials (host/B@REALM), and Eve can spy
on the NFS traffic between A and the NFS server (call it S).
A's NFS client has to do an RPCSEC_GSS_CREATE RPC to be able to act as
Alice.  My claim is that Eve can see the network traffic from that RPC
(just the request; the reply should not be needed), and use an evil NFS
client on her machine B, to make her own RPCSEC_GSS_CREATE request, that
contains the same rca_mp_auth field as the RPC from A, and with the result
of that RPC, Eve's NFS client has an rpcsec-gss context handle that lets
Eve read and write files as alice@REALM.


> That said, I suppose we could replace the nonce with the
> RPCSEC_GSS_CREATE reply verifier data and prevent such an attacker from
> acting on behalf of a user.

Hmm, if the verifier is signed using the outer context's GSS context, that
might be enough to produce the required binding.  I would need to think
about it more.

-Ben

v2.29.0 | Report a Bug | By Email | System Status