[SPKM] Re: Comments on draft-zhu-pku2u-01.txt
Martin Rex <martin.rex@sap.com> Mon, 26 March 2007 22:44 UTC
Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HVxvW-0006rM-5a; Mon, 26 Mar 2007 18:44:34 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HVxvU-0006rE-BR; Mon, 26 Mar 2007 18:44:32 -0400
Received: from smtpde03.sap-ag.de ([155.56.68.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HVxvS-0004QA-Tr; Mon, 26 Mar 2007 18:44:32 -0400
Received: from sap-ag.de (smtpde03) by smtpde03.sap-ag.de (out) with ESMTP id AAA12475; Tue, 27 Mar 2007 00:44:25 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200703262244.AAA15435@uw1048.wdf.sap.corp>
To: jhutz@cmu.edu
Date: Tue, 27 Mar 2007 00:44:24 +0200
In-Reply-To: <40487DBDE3B881E9262059DA@sirius.fac.cs.cmu.edu> from "Jeffrey Hutzelman" at Mar 26, 7 02:18:12 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 73734d43604d52d23b3eba644a169745
Cc: kitten@lists.ietf.org, andros@citi.umich.edu, Michael.Eisler@netapp.com, spkm@ietf.org, jhutz@cmu.edu
Subject: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org
Jeffrey Hutzelman wrote: > > On Monday, March 19, 2007 04:25:34 PM +0100 Martin Rex <martin.rex@sap.com> > wrote: > > > There seems to be text describing a backward incompatible change in > > rfc-4121 last paragraph of section 4.1, (top of page 5) which > > allows such misbehaviour for the specific case of an unknown token ID: > > > > If an unknown token identifier (TOK_ID) is received in the initial > > context establishment token, the receiver MUST return > > GSS_S_CONTINUE_NEEDED major status, and the returned output token > > MUST contain a KRB_ERROR message with the error code > > KRB_AP_ERR_MSG_TYPE [RFC4120]. > > That looks to me like an error in RFC4121. Clearly the status in this case > should not be GSS_S_CONTINUE_NEEDED. In principle, such an extension would be OK, provided that the spec was sufficiently clear to provide a fallback continuation of the security context handshake. Compliant gss-api mechanisms are not normally sending context tokens with an unknown TOK_ID, so this change should --in theory-- not break existing conforming implementations. I don't remember that such a change was ever discussed, and I consider it significantly underspecified and hidden. > > > SSPI has been returning KRB_ERROR tokens along with CONTINUE_NEEDED > > status from the beginning, in an undocumented/unspecified fashion, > > non-interoperable with rfc-1964 based Kerberos implementations. > > Oh, it interoperates, because initiators respond to the KRB-ERROR by > returning an error, so the application gives up and never sends a token > back. I know that the KRB_ERROR token is part of rfc1964 and understood by rfc1964 peers, but that is not what I meant. The interoperability that I was refering to was not the indication of an error, but the attempt of recovery that Microsoft has built into their Kerberos SSP and for which the CONTINUE_NEEDED is necessary. Microsoft's Kerberos SSP will perform a second attempt to establish the security context on the same security context handle with another token exchange--and on this feature the other Kerberos 5 implementations will likely not interoperate (because it is not standardized anywhere). > The problem is that returning GSS_S_CONTINUE_NEEDED in this case is > likely to confuse a GSS-API application on the acceptor side, because it > expects to receive another token from the client. OTOH, since you're > describing the behavior of SSPI, not GSS-API, and CONTINUE_NEEDED is an API > construct, this situation is perfectly fine -- SSPI can establish different > (even broken) semantics for its applications, They can and they do use semantics for SSPI that differ from GSS-API, but that makes them non-conforming to rfc-1964/rfc-4121. (they still use the same wire-format, but the GSS-API standard includes API semantics, not just mechanism wire-format. > An API translation module > such as the one you maintain will have to deal. I'd assume you would do > this by "knowing" when the mechanism is Kerberos, peeking inside the token, > and turning GSS_S_CONTINUE_NEEDED into something else if the token is a > KRB-ERROR token. Ugly, but perhaps necessary. Yup, that's what it will have to do. My wrapper is currently limited to rfc-1964 Kerberos, so it aborts on user2user context establishment tokens and aborts with an error when AcceptSecurityContext returns CONTINUE_NEEDED (because rfc-1964 is limited to 1- and 2-token context establishment handshakes). Another interoperability problem with Microsoft Kerberos is the security context lifetime limit required by rfc-1964. When Microsoft tried to activate that in Windows 2000 beta3 hell broke loose because none of their applications could handle expiring security contexts. So they deliberately ignore it. My gssapi wrapper adds this back in, so that you have consistent behaviour within the entire Kerberos5 infrastructure. -Martin _______________________________________________ SPKM mailing list SPKM@ietf.org https://www1.ietf.org/mailman/listinfo/spkm
- [SPKM] FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Sam Hartman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- RE: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Liqiang(Larry) Zhu
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex