Groups | Search | Server Info | Login | Register
Groups > comp.protocols.kerberos > #5358
| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Simo Sorce <simo@redhat.com> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: Why do "strict acceptor checking"? |
| Date | Tue, 08 Oct 2024 10:04:12 -0400 |
| Organization | Red Hat |
| Lines | 45 |
| Message-ID | <mailman.129.1728396265.2322.kerberos@mit.edu> (permalink) |
| References | <202410080023.4980NSGB010697@hedwig.cmf.nrl.navy.mil> <6eex7zf7qp5sid5z6kzeqg762fs5acmo3jz7lbiwinmapayyy3@4sr7binjgjrq> <202410081342.498DgtxB017212@hedwig.cmf.nrl.navy.mil> <f37de56c4c7c3754fba76bca6c911a255a435c44.camel@redhat.com> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset="UTF-8" |
| Content-Transfer-Encoding | 8bit |
| Injection-Info | tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50"; logging-data="21963"; mail-complaints-to="newsmaster@tnetconsulting.net" |
| User-Agent | Evolution 3.52.4 (3.52.4-1.fc40) |
| Cc | kerberos@mit.edu |
| To | Ken Hornstein <kenh@cmf.nrl.navy.mil>, "Roland C. Dowdeswell" <elric@imrryr.org> |
| DKIM-Filter | OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid) |
| Authentication-Results | mailman.mit.edu; dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256 header.s=selector2-mitprod-onmicrosoft-com header.b=jFv30d4a; dkim=pass (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=fHzAhSNE |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=NgKbWfLjRVWAZEvpY96UaOdPOA5nm+JOh1kTt0eqw5XYMNf4noy92eOP0G5PkWmxFZQ5nlro3IrWCzfzH5bupDmtW4jXUrQPnXHtJtsDh5HRHhrmoCC8J+4vt4AvJ2HZBHQWiUg3YkDl29Ph9O7DhuXY3aB5l439zFmG6udOv4o47R2Ql4ivfIn7Lnvk1JCb41na58klBdjAAwlwQmamorRzKLkFr0Dew0eR0c5TABVCasBu9z4MSA3sTs3QhhNVxwmEypC+n1yUU/0baMY8RVnlKp3MgiyK3RsUhuJgcL2EKgILGjZEeJ2Cc+23+5ggITEpZPE+AwYs8VwEZ/If2Q== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yBk14ykMQ0C1yYL6bwMO+dTbi+9ICnccg5tw4+fzqHk=; b=naR68OtNjaGNKnUkAJcY0Kb24Qr2aMfWuxoWY5HOU6Uhn//rlFgzlNSQYUt3Ll8bwUe3MhQJE90tnt2ILT+NCrJ+4LMviilvQUPjnuTEQVk4xqSItEnxnUxMTqXo4ygMDwK4pg2A3PxJNeF1iMdQxbaUU+2ZuaVeCiqUXYemSKNUG+QIm8UaaWNN6+QfpA9j2bpH4er7havjs/PWnR7FDxQPIhMiNykDGDy/PxAxWSLs6TxGc4HRMMkf73BKD02zu7vM3uGrwrfGfb2KPGAubx0Z+na8sybp/iWHxkx9rdb34eE0WYCTT0pqnTB7MFJEqjua6AUA3H3j3YNMVP0Stw== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=pass (sender ip is 170.10.133.124) smtp.rcpttodomain=mit.edu smtp.mailfrom=redhat.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=redhat.com; dkim=pass (signature was verified) header.d=redhat.com; arc=none (0) |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yBk14ykMQ0C1yYL6bwMO+dTbi+9ICnccg5tw4+fzqHk=; b=jFv30d4awp75jYGMIU7s9IhCmqrN9vnBtPUN6QdXoN+HwqZgSgYVNIq1lIwtPQ1jixpiM4DJNDHrcPYgxOVRceoZrtvYyU3cU3w2xXEeVR9jLZhcphPmHcr56zDuRzMHPJSTkSkScqUeMa1wI2eTfxaTYqiQtGBv229gNLtWEWA= |
| Authentication-Results | spf=pass (sender IP is 170.10.133.124) smtp.mailfrom=redhat.com; dkim=pass (signature was verified) header.d=redhat.com;dmarc=pass action=none header.from=redhat.com; |
| Received-SPF | Pass (protection.outlook.com: domain of redhat.com designates 170.10.133.124 as permitted sender) receiver=protection.outlook.com; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; pr=C |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1728396256; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yBk14ykMQ0C1yYL6bwMO+dTbi+9ICnccg5tw4+fzqHk=; b=fHzAhSNEHpQA0huYBbGf2m/wN6I/WVM+cAwinbwwOmJJ/iVmHbAp5ZQ/i228OonDUWgjLa DuM7cx/v04Cm3YsP//nYdOyPJzcQ09PsIPigwdaJwbW/wUBVRl51qGI0JyY5X9Wgd0v5nP HWtAQgLJ5jhzmr82ugjZKQde8uS1mFY= |
| X-MC-Unique | 3cOh2CY9NCuK2t2LiSvslg-1 |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728396255; x=1729001055; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:cc:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=yBk14ykMQ0C1yYL6bwMO+dTbi+9ICnccg5tw4+fzqHk=; b=RtU/xewXl+Dgt3d0oxUZa28WhntajYVxrFWdw1lk1NLbCGkvj2MWNR1AUztD+hfgpy AzUG7L9TWKml06H70tbKdHVEp2LF+upakuKb60E6gnL3926SioYIHS+F6tB76+EB92Td qI+kNRvvEcQoFWbd+liWJzaOWx97TWfoy7uTvGFDszzhl9zsqEr2eNHLZuwwuPU4Zb9Q Y7QcoG6nYgNNSTohLYsYINukTvN5iCn6iIgd8jyAwqfeb+j/45ZUAM/X3kn+nYbGJmdY uxVGCrQ2DltmhZ3omgRDrrUyC1IG5OVj3hhgVN1EGHFAW0Yi1cPWbBaOp5xV3GOslTrC mIaw== |
| X-Gm-Message-State | AOJu0YyYKhdN27rtNhhTEIwTYV+xD15A57UqJdcNCh6rSn2ZpgaB+8Gz QudTxadyddVHzmHdVRGBg1eot0IV97JjRHSAC+J4ux7e0jJCj3a2CvHN0xEzldl06vVvE6Ditya gAguOAPzHnngbMQh6X+6j5bJu/ZELxJeDtGdimAgIzo+lE7DacemJ43vY |
| X-Received | by 2002:a05:6214:5c4a:b0:6cb:3e17:f4cc with SMTP id 6a1803df08f44-6cb9a30dd21mr182925896d6.31.1728396255173; Tue, 08 Oct 2024 07:04:15 -0700 (PDT) |
| X-Google-Smtp-Source | AGHT+IEEIj3mDrygimHl72Ox1rHa7B6IDm84UgYZghI+kwy19KjmxOvXWdWoI23wYVods0+APA0/Hg== |
| X-Received | by 2002:a05:6214:5c4a:b0:6cb:3e17:f4cc with SMTP id 6a1803df08f44-6cb9a30dd21mr182925406d6.31.1728396254509; Tue, 08 Oct 2024 07:04:14 -0700 (PDT) |
| In-Reply-To | <202410081342.498DgtxB017212@hedwig.cmf.nrl.navy.mil> |
| X-Mimecast-Spam-Score | 0 |
| X-Mimecast-Originator | redhat.com |
| X-EOPAttributedMessage | 0 |
| X-EOPTenantAttributedMessage | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0 |
| X-MS-PublicTrafficType | |
| X-MS-TrafficTypeDiagnostic | MWH0EPF000971E7:EE_|BL3PR01MB7177:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | 360d9589-d233-4c40-9d10-08dce7a219a1 |
| X-LD-Processed | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr |
| X-MS-Exchange-AtpMessageProperties | SA |
| X-MS-Exchange-SenderADCheck | 0 |
| X-MS-Exchange-AntiSpam-Relay | 0 |
| X-Microsoft-Antispam | BCL:0; ARA:13230040|376014|31092699021|43022699015|48200799018|61400799027|9140799003; |
| X-Microsoft-Antispam-Message-Info | tAqHyfRqJHU6ZCD9f2jDHtOrnuP3xSlCVdwV+5/xx572hBMNYTILz+KVt5Z4JKxrOF96FNm3tQbmktV31+5o9UFAXCVvW5HqTxz7StO16Yu70UUx4WrklwdWTmrNECRdFfNMOWaHVEg/1/+Ayh1k9So31TB0XcoKIC3dHqqBjfSV/JwLzWBrqE5l8GB0QCpwbUYm9CCIPhp3uhHfXZ8GwgzuWK/WA2EXGNh1LZVSlONJuzKSRRUC48w++1BhhljDJr/RxP0m7o4t16IZRguJUi8bJGDJdgI4mFX0kC1puUwPrJn3RYnu5oaorww+C5PvRSoG+ylrxzKp3Jrt9WkfDY2Eqfx7ekhYRUbxoeIjsHx4qNliw+3QBUl3XAMyC346BMiV68XuP/dJURTGtoLUoL0lEnF+Ho9GVJPjMuOlqydA+VdX7Jr7FUQayWzVzhFHH928trUD/lIg4Hgnf5u2NjQtRhYLOA4rxmNrxvRDDFYCl2knVQ9zTvPFkvGdEVYah8TEA3gHWclJKkgiN4e+nkkf8+2AytcQAa7O+HZLZq0OyNSdSgzDUQjdTbnTIyl3yNOBixtsX+jfdbj6912pnVlAL+NL0rTBnsykBp6hiFwqNrKd3kgJ1ZllxF6qpFxOA/8XHYv3nL7+N461yqSKCYpcSksuEYJx3pHohd8BlNGDy6JVBRIrWpHqHkvZqlawv/opgpw5Wr4d+gNyl/oQD/BuRRPOXM8LCtd3ontx9ugj3hRJU+RNEGXZFl/FmZrG/9GbNjHm+YulfwsPddGPFyp4jihKOqc54fWsixx5+eHxjQn4LTQDm9hiEASLQu5so6YUd93VNhZgeYEJ5B1E25kbuLQaIhPt9vjxGcswGold4K8b0YllxfYcAOwF4Ol3S3NZiMy67GyazQ21Cqfz10TBwc5JE1i+cttwQasMvW5MI9ABKQVB1Zlo8px4OV74g+gNn7rUGWde9aXKGfGD4lHR3Kz+FNvRYAdcGEatBlFxet6ayT+Zi+H4NygrnghhV6hnbZSrXh4kymlf/yLlgUgliV1M5v4qyHGth+9H9FFI0/hA9wOgFS7OQQLo6YXO1s0bgsZ9deNXFWsJlG9JK3EGzmkOOMVRaJ9ykSxEEvL4PpCBR5eHDvOFujq+I/GU8Bg8q6QTODBx8TdzgD7lB90GMDN6BGhAENiHE3/PyLoRyNKgscP/n00AZl80sND2gh5HZEn/dEMuM/t0pCt0Kidg4Q2/pMQcgtX5YbRzBButqRGU3pOjILMEjCVGVKJBBfvJwRw/uND+LnXEp8jxyqAQmNkUf6KPp4MesP71IYinavDhN2yhpo7hZYAToZDdamSv3fO3i4eIQUJtzrRMlWu8oV7RlYgCsn+oGCxAWuI= |
| X-Forefront-Antispam-Report | CIP:170.10.133.124; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:us-smtp-delivery-124.mimecast.com; PTR:us-smtp-delivery-124.mimecast.com; CAT:NONE; SFS:(13230040)(376014)(31092699021)(43022699015)(48200799018)(61400799027)(9140799003); DIR:OUT; SFP:1102; |
| X-ExternalRecipientOutboundConnectors | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-Auto-Response-Suppress | DR, OOF, AutoReply |
| X-OriginatorOrg | mitprod.onmicrosoft.com |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 08 Oct 2024 14:04:17.8164 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | 360d9589-d233-4c40-9d10-08dce7a219a1 |
| X-MS-Exchange-CrossTenant-Id | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-MS-Exchange-CrossTenant-AuthSource | MWH0EPF000971E7.namprd02.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | BL3PR01MB7177 |
| X-MIME-Autoconverted | from quoted-printable to 8bit by mailman.mit.edu id 498E4M7O2667862 |
| X-BeenThere | kerberos@mit.edu |
| X-Mailman-Version | 2.1.34 |
| Precedence | list |
| List-Id | The Kerberos Authentication System Mailing List <kerberos.mit.edu> |
| List-Unsubscribe | <https://mailman.mit.edu/mailman/options/kerberos>, <mailto:kerberos-request@mit.edu?subject=unsubscribe> |
| List-Archive | <http://mailman.mit.edu/pipermail/kerberos/> |
| List-Post | <mailto:kerberos@mit.edu> |
| List-Help | <mailto:kerberos-request@mit.edu?subject=help> |
| List-Subscribe | <https://mailman.mit.edu/mailman/listinfo/kerberos>, <mailto:kerberos-request@mit.edu?subject=subscribe> |
| X-Mailman-Original-Message-ID | <f37de56c4c7c3754fba76bca6c911a255a435c44.camel@redhat.com> |
| X-Mailman-Original-References | <202410080023.4980NSGB010697@hedwig.cmf.nrl.navy.mil> <6eex7zf7qp5sid5z6kzeqg762fs5acmo3jz7lbiwinmapayyy3@4sr7binjgjrq> <202410081342.498DgtxB017212@hedwig.cmf.nrl.navy.mil> |
| Xref | csiph.com comp.protocols.kerberos:5358 |
Show key headers only | View raw
On Tue, 2024-10-08 at 09:42 -0400, Ken Hornstein via Kerberos wrote: > > > However, this has made me wonder: why do this at all? What is the > > > possible security gain here? It's not the default in the code; you have > > > to explicitly write code to enable this behavior. But I can't really > > > think of a case where NOT having strict acceptor checking is a security > > > problem; I could maybe squint and envision some kind of weird hosted > > > server setup where it might matter, but I'm not sure that is ever done > > > in the real world. I will admit it is entirely possible I am missing > > > something; if I am, I'd sure like to understand what I am missing. > > > > I have always operated under the theory that one should make sure that > > the keytab accepts exactly the set of principals that are required. > > This is something that is under the ultimate control of the system > > administrator. When an application turns on strict acceptor checking, > > they remove this configrability from the system administrator which I > > think makes the system much less flexible. > > I'm completely with you, but clearly plenty of application writers do not > agree with this sentiment! So I'm wondering what I am missing. There *are* weird cases where the keytab needs to contain multiple keys for different principals, but you want to use only one of them for *accepting* connections. These days you can easily have separate keytabs for "client" vs "server" keys and programmatically specify which keytab you want via gss_acquire_cred_from(), but it hasn't always been like that. In the past in some cases your only option was to use a fixed specific file on the filesystem not even env vars... Granted I think 99% of the time it is the other way around, so it would be nice if we could rewind to the past and make strict acceptor default to false, but there have been "reasons" for this behavior, and changing the default now would risk opening up unsuspecting admins to unexpected failures. Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc
Back to comp.protocols.kerberos | Previous | Next | Find similar
Re: Why do "strict acceptor checking"? Simo Sorce <simo@redhat.com> - 2024-10-08 10:04 -0400
csiph-web