support authentication indicators in GSSAPI #500
Conversation
|
All failures seem to be about |
|
This looks pretty reasonable but I don't think any of the active developers have the GSSAPI knowledge to review the GSSAPI bits of this change. We'll have to find someone with more experience to look at it. |
|
@djmdjm I am one of FreeIPA, SSSD, and Samba developers and contribute to MIT Kerberos as well. This code is based on my indicators work for SSSD's If you want more external eyes, I can ask my fellow Red Hat colleagues who maintain OpenSSH and wrote GSSAPI code in past too. |
|
I'm working on libssh, MIT Kerberos and Samba. I can review the GSSAPI bits. |
|
Patch looks good to me. |
| if (*matched) { | ||
| return (1 - denial); | ||
| } | ||
| } |
There was a problem hiding this comment.
Rewrote to use match_pattern_list. This forced a change in the way how a rule is presented, though not too different:
GSSAPIIndicators [!]name1,[!]name2,...
Where a negation would mean a denial to the presence of the indicator.
A result is that a rule like
GSSAPIIndicators !hardened,pkinit,idp,passkey,otp
would only allow access with passwordless pre-authentication method in FreeIPA (either using smartcards, external IdP authentication, FIDO2 token or TOTP/HOTP token).
This simplifies a bit both configuration part and matching rule.
There was a problem hiding this comment.
I added this as a fixup on top of the original commit to show the difference. Let me know if this is better one. I also would like to add it to Match handling so that one could have per-group or per-user indicator rules. Let me know if this would be useful.
There was a problem hiding this comment.
@abbra added one comment inline with one more potential issue.
We are now working with a GSoC student to implement test coverage for libssh and GSSAPI authentication in https://gitlab.com/libssh/libssh-mirror/-/merge_requests/490
I think it would be great if something similar could be in OpenSSH upstream testsuite, which could land a test for this functionality. Let me know if you would find it useful. If so, we can try to help contribute something similar.
gss-serv.c
Outdated
| if (strncmp(AUTH_INDICATORS_TAG, | ||
| attrs->elements[i].value, | ||
| sizeof(AUTH_INDICATORS_TAG) - 1) != 0) |
There was a problem hiding this comment.
Is the indicator guaranteed to be NULL terminated to be safely comparable with strncmp when it will be shorter than the name we look for? I see in the header of this function that it should be utf8, which might imply this, but I would rather be safe to make sure we do not go behind the buffer boundary.
Additionally, are there any prefix names? The way how it is written matches just the non-null characters, which could theoretically match attributes such as auth-indicators-something if I see right.
There was a problem hiding this comment.
Yes, indicators are UTF-8 strings and encoded so in the tickets, according to RFC 8129 (sequence of utf8string ASN.1 encoding, to be precise). In both Heimdal and MIT Kerberos any ASN.1-encoded utf8string is converted into a nul-terminated string.
As for the prefixes, you might be right that we should do exact comparison and not the prefixed one. There is nothing stopping a KDC to send another name attributes that start with auth-indicators- prefix although nothing is done like that today.
|
I updated the code to follow recent discussions. Let me know whether this is all fine for merge. I have recorded a demo here: https://www.youtube.com/watch?v=OauHdZYKGKk. This demo shows the use of In the demo, first we attempt to access as |
|
I have been on vacation for past few weeks so may be I missed something... |
|
This code looks good to me after the changes I've requested are done and we are interested in having it upstream. |
abbra
force-pushed
the
gssapi-indicators
branch
from
cc9109d
to
7a0bab8
Compare
RFC 6680 defines a set of GSSAPI extensions to handle attributes associated with the GSSAPI names. MIT Kerberos and FreeIPA use name attributes to add information about pre-authentication methods used to acquire the initial Kerberos ticket. The attribute 'auth-indicators' may contain list of strings that KDC has associated with the ticket issuance process. Use authentication indicators to authorise or deny access to SSH server. GSSAPIIndicators setting allows to specify a list of possible indicators that a Kerberos ticket presented must or must not contain. More details on the syntax are provided in sshd_config(5) man page. Fixes: https://bugzilla.mindrot.org/show_bug.cgi?id=2696 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
RFC 6680 defines a set of GSSAPI extensions to handle attributes associated with the GSSAPI names. MIT Kerberos and FreeIPA use name attributes to add information about pre-authentication methods used to acquire the initial Kerberos ticket. The attribute 'auth-indicators' may contain list of strings that KDC has associated with the ticket issuance process.
Use authentication indicators to authorise or deny access to SSH server. GSSAPIIndicators setting allows to specify a list of possible indicators that a Kerberos ticket presented must or must not contain. More details on the syntax are provided in sshd_config(5) man page.
Fixes: https://bugzilla.mindrot.org/show_bug.cgi?id=2696