Closed Bug 17578 Opened 25 years ago Closed 21 years ago

I want Kerberos authentication and TGT forwarding [using GSSAPI]

Categories

(Core :: Networking, enhancement, P2)

Product:
Core
Component:
Networking
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.7beta

People

(Reporter: spreitze, Assigned: darin.moz)

References

Details

Attachments

(4 files, 22 obsolete files)

IETF Draft describing their HTTP Negotiate method
13.39 KB, text/plain
Details
Error from startup of debug build
127.76 KB, text/plain
Details
v3.1 patch
39.08 KB, patch
Details | Diff | Splinter Review
another attempt at doing mutual authentication correctly
8.17 KB, patch
Details | Diff | Splinter Review
I'd like to see browser and server able to use Kerberos for authentication and authorization delegation. This would probably break down as using the new Kerberos option in TLS (as specified in RFC 2712) for the authentication, plus a new flavor of HTTP "authentication" to convey the TGT.
Status: NEW → ASSIGNED
http://stonecold.unity.ncsu.edu/software/mod_auth_kerb/ is an Apache module that works with kmosaic. It might be useful as a test environment.
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Changing Qa contact to myself.
QA Contact: dshea → junruh
Whiteboard: [from mwelch@netscape.com]
I'm leaving Netscape, so I'm reassigning all my pending bugs to David Drinan. I've added "[from mwelch@netscape.com]" to the status whiteboard for each of these bugs for easier searching.
Assignee: mwelch → ddrinan
Status: ASSIGNED → NEW
Target Milestone: --- → Future
Changing component to Security:Crypto.
Component: Security: General → Security: Crypto
Whiteboard: [from mwelch@netscape.com]
This would be a killer feature for some big environments. Way cool.
Changing product from Browser:Security:Crypto --> PSM 2.0
Component: Security: Crypto → Client Library
Product: Browser → PSM
Target Milestone: Future → ---
Version: other → 2.0
Target Milestone: --- → Future
Attached patch proposed patch. (obsolete) — Splinter Review
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
QA Contact: ckritzer → junruh
Just thought ya'lld like to know that Kerberos authentication works with the BU studentlink in RC1. I'm not sure if that is due to a PSM change or what, but it's great to have, as I was forced to open IE whenever I wanted to buy convenience points so I could go get tasty campus treats. :) Now I can just open a new tab! ;)
Scott -- the weblogin system we use at BU is independent of the feature requested by this bug. It works by getting your login/password in plain text and sending that (over SSL) to a central server for authentication against kerberos. In other words, it's a kludge. *This* bug suggests actually "kerberizing" mozilla, so that it can get kerberos credentials of its own. (The studentlink started working, by the way, because BU OIT updated the code to a newer and better version.)
OK, I'm looking at taking this on, but might take a different approach than that outlined by the original poster. My initial take would be to extend the current WWW-Authentication mechanism to include a KerberosV5 mechanism. This seems to be the approach taken by the mod_auth_kerb Apache module. So, this would be simple Authentication, and would not be used to initiate a TLS secure exchange. The HTTP handshake would be unchanged except that the response would include the user's Kerberos ticket, which would be pulled from the environment. If a ticket didn't exist, the user would be prompted as with the current basic authentication implementation. In looking at the nsHttpChannel and nsHttp*Auth code this looks pretty straightforward (until I get to the cross-platform issues of getting the ticket from the environment). Does this make sense? Does anyone know how Microsoft is handling Kerberos tickets with IE and IIS? I don't want to deviate from an existing implementation unless I have to.
I guess I'm going to answer my own question (sorry for the SPAM). I found an Internet Draft document by John Brezak that outlines the IE/IIS interactions and their use of SPNEGO that is triggered by the "Negotiate" option to WWW-Authenticate. The assumption is that SPNEGO is using GSS-API, which is an available API on all of the mozilla platforms, I believe. The only concern is that GSS-API will require server tickets, I believe, which is more complicated to manage. Anybody have any strong feelings one way or the other about this?
SPNEGO is a GSSAPI mechanism that negotiates the "real" security mechanism to be used for authentication. Implementing Microsoft's draft would be the ideal solution as it would allow for folks who access IIS servers (also enabled with the new Auth-Negotiate support) to use Mozilla instead of IE. Also, this approach avoids common pitfalls of implementing Kerberos authentication - using cookies or some other grossly insecure method for transmitting the security credentials. PLEASE implement Brezak's draft! Doing so will require the creation of an SPNEGO GSS-API mechanism (unless someone wants to donate one) as this is not included with MIT or Hiemdal Kerberos distributions at this time. Because its GSSAPI based and should not need to directly access the Kerberos API's, the solution should not require the developer to choose one Kerberos implementation over another, just choose one that has a working GSSAPI KRB5 mechanism that SPNEGO can choose to use. The only additional library linking would be against libgss. I think....
Reasigning
Assignee: ddrinan → ssaux
Version: 2.0 → 2.4
Since this one is reassigned (does that mean it'll get worked on?), what about bug 28200?
I'm interested in helping get SPNEGO working with Mozilla. Could one of the more seasoned bugzilla developers comment on the correct approach? 1. Work with Samba developers to provide a method of accessing their spnego routines. This was suggested by one of the Samba developers as a method of integrating with their NTLM implementation (http://bugzilla.mozilla.org/show_bug.cgi?id=23679#c134). He seemed to have some ideas about how to deal with the licensing issues (Mozilla can't link w/ gpl'ed code). Can Samba's spnego do kerberos delegation? 2. Have mozilla link directly with Heimdal or MIT kerberos and add support in ourselves. This seems to be the approach take here http://meta.cesnet.cz/software/heimdal/negotiate.en.html This code does not include a SPNEGO implementation, but instead uses the raw gss data. If we choose to go this route can moz's asn parsing code be accessed from netwerk? This would allow us to easy write the required SPNEGO wrapper for kerberos. 3. Help with bug 180049? IMO this is the best long term approach and it will make things a lot easier in the future for fixing bugs like these.
As Christopher Nebergall mentioned in his comment, we developed an open source implementation of the Negotiate method used by Microsoft for Kerberos authentication on the web. I've just updated and rewritten it a bit so that Mozilla 1.1 is now supported. It's available from http://meta.cesnet.cz/software/heimdal/negotiate.en.html I'd be very glad if anyone familiar with Mozilla and C++ could have a look at the code.
I'm adding the patch (for mozilla 1.1), which is also available from http://meta.cesnet.cz/software/heimdal/negotiate.en.html
I've been using some of the ASN1 code from the public api's of NSS to add the actual DER encoded SPNEGO wrapper for the Kerberos call. If anyone's interested I can post my preliminary code here in a day or two for feedback from other developers, but its for -testing purposes only- (until I can get the required approvals from my company to donate the code). Using NSS's ASN1 code does add the odd dependency that this Authentication type would require PSM to compile. Questions. Should there be support for both NEGOTIATE authtype w/ Kerberos support (Brezak's draft) and a KERBEROS authtype(read base64'd token from gss-init-sec- context)? I'm also interested in working on a patch to nsIHttpAuthenticator so Kerberos support can be added with an XPI and not require compiling mozilla. This is not to say that I don't want to work towards native support in Mozilla, just that I want a working solution until then. In testing I've reworked some of the above patch to install as an XPI and only problems I come across are the required changes to nsIHttpAuthenticator and nsHttpChannel. I mentioned the problems with the current api in bug 180049. Anyone who can help with generic methods for solving these problems please post suggestions on that bug.
Recent conversations on the IETF KRB5 Working Group mailing list might be of interest here. In the process of developing a GSSAPI SPNEGO implementation (according to IETF RFC 2478), I discovered the Microsoft's own SPNEGO (a.k.a "Negotiate") mechanism is badly broken and does not follow the IETF specification. There are workarounds for the problem, but trying to decipher the ASN.1 based on what *should* be present according to the SPNEGO spec will lead to problems. Likewise, communicating with MS and following RFC 2478 will also not work without some changes. Basically - do not send or expect to receive the MechListMIC field when talking to Microsoft SSPI/Negotiate clients. Search thru this file for "SPNEGO" references to get all the details, including a response from Microsoft: ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/current If you are developing a patch for Mozilla that will interoperate, it should use the generic GSSAPI public interface so it can compile and work on any system that has a GSSAPI library (i.e. Solaris 2.[8,9], or systems with MIT KRB5 or Heimdal Kerberos installed). There should be NO reason for the mozilla source to try and do the ASN.1 stuff or bypass the GSSAPI layer, this would be a really ugly hack. Much better to write a real SPNEGO mechanism and talk directly to GSSAPI. There are several people working on open source SPNEGO mechanisms (MIT KRb5 team, Heimdal) that might be helpful in kickstarting this particular project.
To Christopher Nebergall (comment #20) I think the usage of only SPNEGO is sufficient for Kerberos support. The variant of "raw" krb5 was choosen as workaround in situation where no SPNEGO implementation was available. Since this method is used only by our implementation there is no need to keep backwards compatibility (I think that the patch is used by a quite limited set of users). The plugin solution should be perhaps the best one in long term. But I believe that the possible Negotiate plugin would be very similar to current implementation of the nsHttpGssapiAuth class. So first I would prefer to have a stable (and perhaps MS compatible) implementation of the Negotiate mechanism. For this to really work an SPNEGO implementation is needed. I agree with Wyllys Ingersoll that such an implementation should be independend on mozilla sources (but perhaps might be created by means of NSS public API). Unfortunatelly, I've heard of several people working open source SPNEGO implementations but I haven't seen any code yet :-( Would anyone have some link?
>Since this method is used only by our >implementation there is no need to keep backwards compatibility (I think that >the patch is used by a quite limited set of users). Network sniff's of IIS 5 list Kerberos as a supported authentication type. I have no idea how they use it, but it is in the list of auth types sent as part of the 401. Negotiate of course is also listed. I agree that an independent implementation of SPNEGO would probably be the cleanest long term approach but I've never seen one outside of Samba and Samba's implementation does not use the GSS-API. There are rumors that both Heimdal and MIT want to add it, but I've found no patches on the web. In the short term don't overlook how easy it is to write a Mozilla SPNEGO implementation which calls the systems gss-kerberos implementation (heimdal, MIT or whatever). Two of the big problems in writing an SPNEGO implemtation have already been solved my Mozilla 1.) available, easy to use ASN1 DER encoding/decoding libraries, 2.) An api which allows supporting multiple authentication mechanisms. To support just kerberos it only took a few ASN template structures and ~10 lines of code. To truly support the whole mechanism using both Kerberos and NTLM (when there is an implementation) would not be much more difficult. The only real problems are where to keep state information for the connection between requests and how to get Mozilla to call the auth handlers after a successful request so mutual authentication becomes possible. These problems must still be solved even if an external SPNEGO mechism is used.
I have an SPNEGO mechanism that I may attempt to give back to MIT that will work with MS. If that works, then you could eventually just use that mechanism. GSSAPI offers a layered, abtract security API that should support whatever mechanisms SPNEGO is a specific GSSAPI mechanism that negotiates the "real" security mechanism to be used. None of these mechanisms shoudl have any knowledge of each other nor should they be architecturally linked in any way. Heimdal and MIT both offer GSSAPI with KRB5, but their approaches are quite different. If you must choose, I would recommend choosing the MIT GSSAPI implementation as MIT KRB5 is probably the most prevalent KRB5 distribution. Heimdal has nice features as well, but I dont think its as commonly used as MIT (at least in the US). Applications should never talk directly to the specific mechanism's API (i.e. krb5_gss_init_sec_context), but should always talk directly to the GSSAPI layer (gss_init_sec_context). The mechanism used may be specified thru the use of the correct OID or by having the system choose the default. As far as state information goes, all GSSAPI sessions require an opaque context token to be passed to the various function calls, so the gssapi context struct could just be part of whatever other context is passed around with the mozilla connection information.
Regarding comments 21-24, before you go too far down the road of making mozilla depend on GSSAPI, have you contacted the PSM module owner about this idea? Is the module owner amenable to this proposed contribution? I imagine the module owner will ask questions like these: How will mozilla build or run on systems that don't have GSSAPI headers and libraries? Will there need to be new UI for mozilla to do Krb5 based authentication? Are you planning to do that too?
To Christopher (comment #23): - I don't have any idea what's the Kerberos method offered by IIS. At this moment I'd stick only with Negotiate method, whose specification is published. - Concerning the SPNEGO implementation above Mozilla API, would it be possible to implement it as a standalone library exporting GSS-API functions (or their subset)? In this way it would be possible to keep the Negotiate implementation separate from the GSS-API stuff. - I also don't know how the mentioned incompatibility of the MS SPNEGO implementation will influence the implementation of the Negotiate method - would some "hooks" be needed? To wyllys (comment #24) - You really have an SPNEGO implementation and you're willing to share it with us? It would be great. - Concerning the interoperability MIT and Heimdal, according to my experience their GSS-API implementation are very compatible and if your application is properly written it really doesn't matter which implementation you will use. So it shouldn't be important if we use Heimdal or MIT for development. (unfortunatelly, the GSS-API spec. doesn't solve all problems, e.g. credential storing must still be done via the mechanism API), but it shouldn't be important for Mozilla and SPNEGO. To nelson (comment #25) - I haven't contacted anyone from PSM but I absolutely agree we should do it. But I'm not sure if we should talk to the PSM people since the Negotiate patch alter the Necko part? - Should we move this discussion to some mailinglist? The bugzilla interface seems to me a bit uncomfortable for this purpose. What's the right list for this discussion (mozilla-security@mozilla.org)?
FYI: a new version of the apache module supporting both password and native (i.e. Negotiate) Krb5 authentication is available at http://meta.cesnet.cz/software/heimdal/negotiate.en.html A new patch for Mozilla 1.2.1 is there as well.
I'm all for moving the conversation to mozilla-security@mozilla.org. I'll post my comments there.
QA Contact: junruh → bmartin
In depth explanation and sample code to implement SPNEGO from Microsoft http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dnsecure/html/http-sso-3.asp
A new version of the Negotiate patch for Mozilla 1.3 is available from http://meta.cesnet.cz/software/heimdal/negotiate.en.html This new patch contains some cleanups, especially all new code is wrapped within #ifdef statements, it also adds registering of the GSSAPI module with a new component ID, and contains a support for the configure script (adds a new option --with-gssapi).
Patch for Mozilla 1.4 checkouted from the main CVS branch on 5.5.2003. Hopefuly prepared for review.
Attachment #107471 - Attachment is obsolete: true
Attachment #122480 - Flags: review?(darin)
i'm glad to see that nsIHttpAuthenticator is almost sufficient for what you need. however... 1- changes to nsHttpChannel should be made generic so they don't need to be specific to #ifdef GSSAPI. we need to generalize nsHttpChannel, so there is no need to add special cases like this. this should be a separate patch. 2- if #1 is done, then your auth module could live as a completely separate XPCOM component. this would be ideal since it has link dependencies on a new lib. perhaps you could even start by hosting your XPCOM component on mozdev.org?? alternatively, this component could perhaps live under mozilla/extensions if it were to be part of the standard mozilla release at some point.
Attachment #122480 - Flags: review?(darin) → review-
#1: Strictly speaking, the change of nsHttpChannel is not needed for the Negotiate authentication. It's only meant as a handler for multiple authentication methods sent by the server. I saw bug #180049 and your patch "authentication api update" attached to this bug seems to add exactly that functionality as my adaptation of nsHttpChannel. Any chance of getting that patch to the Mozilla CVS? #2: I think situation is very similar to NTLM authentication, which is included in Mozilla tree (also the code is similar). In fact the Negotiate method can support NTLM as well (provided NTLM GSA-API implementation is available) and it is supported by Microsoft products. I don't opose the suggestion of creating a separate XPCOM component but I believe it should be kept "close" to the NTLM support. Your opionions?
The patch has no code in PSM. Who should own this bug?
FYI, I've opened a new project on the mozdev site aiming to support of the Negotiate HTTP method (especially with regards to Kerberos). See http://negotiateauth.mozdev.org/ for more information. What is still needed, however, is support in mozilla for handling multiple authentication methods sent by the server (e.g. something suggested by bug #180049
*** Bug 203984 has been marked as a duplicate of this bug. ***
I've ported and updated the patch from Dan to work with Mozilla 1.5, and made some significant fixes so that it works with MS Windows 2000 IIS servers that request "Negotiate" authentication. The code as written was not requesting the proper AD service (khttp/ instead of HTTP/), nor was it recognizing the correct Negotiation string ("GSS-Negotiate" instead of "Negotiate") to work with IIS. One thing to note: Though the MS documentation states that SPNEGO is needed to authenticate correctly, this is not strictly true. If the client initiates the GSSAPI session using a KRB5 GSSAPI token (instead of being wrapped in SPNEGO), IIS will accept it and the authentication can still succeed despite not having used SPNEGO. This means that the fix can work with MIT KRB5, Heimdal KRB5, Solaris SEAM, and anyone else who has a working GSSAPI layer and KRB5 mechanism. SPNEGO will obviously work as a mechanism, but not many distributions have SPNEGO at this time. I am working on getting the fixes prepared as a single "patch" file and testing compilation on RH Linux (with MIT KRB5) and Solaris (with the bundled GSSAPI library and SEAM KRB5 mechanism).
Wyllys: i'm very interested in helping bring kerberos authentication to mozilla (for HTTP anyways). i can help you get this in the tree. just attach your updated patch, and i'll begin reviewing :) you should probably include your implementation in security/manager/ssl/src, assuming kaie is okay with that.
The code I have now needs a couple of small tweaks to configure and compile clean on a system that has MIT KRB5 only installed. My initial testing was Solaris, which has its own GSSAPI libraries that differ in name & location from the stuff from MIT (though the API is the same). I should be able to post a patch by the end of the week. I'm not sure how well it conforms to the coding style/standards, but since my work is based on an existing patch, it should be close. I have added lots of comments to help those not too familiar with GSSAPI. Why would the code go in security/manager/ssl/src ? Its not clear to me how that relates here. The patch is currently mostly in netwerk/protocols/http/src.
wyllys: so there are maybe three places where this code could maybe live: 1) netwerk/protocol/http/src this is where the other http authentication protocols live, so why not put this one there too? definitely a good point. the downside to putting the code here is that it increases the size of libnecko.so, and most users won't need this code. 2) extensions/negotiateauth this may make more sense since this implies that the negotiate auth code would live as a separate DSO, loaded only when the user needs it. also, if it is the case that other protocols besides HTTP would potentially use negotiate auth, then it should certainly not live next to the HTTP implementation. for example, is it the case that SMTP, IMAP, or POP can use negotiate auth? i know they can for NTLM, and for this reason NTLM code is being factored out of necko. 3) security/manager/ssl/src ... which brings me to this location. currently, i am working on moving the necko NTLM implementation into PSM. the reasons for doing so are two fold: a) i need to access some NSS routines in order to implement NTLM on non-Win32 platforms, and b) i wanted to factor out the NTLM request/response generation code from the actual code which implements nsIHttpAuthenticator. again, this is important since we may want to add code to support NTLM authentication with the mail protocols. so, i may have jumped the gun a bit by suggesting that the negotiate auth code live in PSM (security/manager/ssl/src), because clearly it does not have a dependency on NSS. rather it has a dependency on GSSAPI, and that is something independent. i think option #2 makes the most sense for negotiate auth. in fact, option #1 is definitely a bad choice since it would force users of mozilla to have the right GSSAPI library installed in order to simply load libnecko.so. that could be a major compatibility constraint. so, short of dynamically loading the GSSAPI library and resolving each symbol manually, i think simply moving the link dependency into a xpcom library (libnegotiateauth.so), which is dynamically loaded, would solve this problem elegantly. extensions/finger is a simple extension, which you might find useful as a guide to learn how to properly write a mozilla extension.
Darin - I agree, #2 seems like the right place. I was thinking that GSSAPI by itself would not be useful to some people and thus it could not be enabled by default. In fact, it could not be enabled by default if it was built into necko because those that do not have a GSSAPI library would not be able to run the browser at all due to the missing library. Having it be configurable and loadable is the right solution. I will look at moving the code into the extensions area before I submit.
Wyllys: I've already converted Daniel's patch into an extension. If you post all our changes here, I can merge my extentions changes in. Bug 180049 was just checked in and that was all that was required so no necko changes were not required.
My current version of the Negotiate patch is available from negotiateauth.mozdev.org. My goal was to create an stand-alone XPCOM component, which would implement this method so that it's not necessary to patch and recompile mozilla to get support of Kerberos (and others GSS mechanims) to Mozilla. I'm happy to hear that bug #180049 was solved. I'd very like to incorporate all your changes to the module. Christopher and Wyllys would you be so kind as to send me your adaptations?
I'd be very concerned about including anyone's simple implementation of SPNEGO in this piece of code. SPNEGO is designed to work as a GSSAPI plugin, it should not be included as part of this patch. The only API needed by this patch is the pure GSS-API code, if the system has Kerberos *OR* SPNEGO, the server should still accept the credentials. I have verified this testing with MS Windows 2000 IIS servers. Implementing SPNEGO directly here is clearly the WRONG thing to do.
I'm not sure that my additions are correctly "c-styled" for mozilla, if not acceptable, I will rework them, but I wanted to post the patch because there has been some interest lately in seeing what was done. Note that I also included updates to configure.in so that the gssapi stuff can be detected and configured at build time. As always, autoconf 2.13 is needed, 2.5X will not work here. steps: patch, autoconf, configure, build.
Attached patch minor update to previous patch (obsolete) — Splinter Review
Minor update to previous patch to correct gssapi files included.
Comment on attachment 134483 [details] [diff] [review] Fixes for the "Negotiate" authentication code to work with MS IIS correctly obsolete, see updated patch
Attachment #134483 - Attachment is obsolete: true
wyllys: thanks for the updated patch... some quick comments: 1) the files are not in mozilla/extensions. they still appear to be in necko (network/protocol/http/src). 2) there are modifications to necko included in this patch. according to cneberg (comment #42), these changes should not be necessary. why are those changes needed? 3) we want to avoid #ifdef/#ifndef GSSAPI being added in parts of the core mozilla code. as soon as you do that you break the possibility of ever being able to just drop your library into a build of mozilla that does not have those defined.
I didn't put the changes in extensions because Christopher said that he would merge my fixes as they were since he had just added the extensions code very recently (also from comment #42, unless I misunderstood). I agree that the #ifdef GSSAPI stuff should be removed since the auth module is going to be an extension instead of merged with necko. I did add code to nsHttpChannel.cpp that is important and cannot be put into the extension. The code changes in nsHttpChannel::ProcessResponse(), when the Server returns status code 200 but also includes the WWW-Authenticate: Negotiate header with additional token information following the "Negotiate" string, that code must be processed by the "negotiate" extension in order for the token exchange to complete correctly. GSSAPI exchanges are not guaranteed to be complete in a single round trip, often additional token exchanges are needed to complete correctly.
>I didn't put the changes in extensions because Christopher said that he >would merge my fixes as they were since he had just added the extensions code >very recently (also from comment #42, unless I misunderstood). ah, ok... the confusion is on my end then. i misunderstood. >I agree that the #ifdef GSSAPI stuff should be removed since the auth module >is going to be an extension instead of merged with necko. > >I did add code to nsHttpChannel.cpp that is important and cannot be >put into the extension. The code changes in nsHttpChannel::ProcessResponse(), >when the Server returns status code 200 but also includes the WWW-Authenticate: >Negotiate header with additional token information following the "Negotiate" >string, that code must be processed by the "negotiate" extension in order for >the token exchange to complete correctly. GSSAPI exchanges are not guaranteed >to be complete in a single round trip, often additional token exchanges are >needed to complete correctly. Ack! WWW-Authenticate sent with a 200 response. Can we deviate from the standards any further? Is there any documentation explaining the Negotiate HTTP authentication protocol? I'd like to read about this, so I can better understand all that is required of an authentication plugin. Thanks!
See attachment for description of Microsoft's Negotiate method. The draft is expired, but its still technically correct. Also see this page at MSDN for more information: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
Basically in any GSSAPI transacation using Negotiate a WWW-Authenticate with HTTP 200 would mean the server is satisfied, but the client is still missing something it asked about. In Kerberos that is probably mutual auth. If you don't care about Mutual auth, you wouldn't need it. IE seems to ignore the response as well. Although IIS does send it. My patch's solution is to optionally require (prefs.js option) SSL for it to automatically authenticate. I think server authentication would be useful in some contexts, but I don't think it should hold up user-only authentication using the GSS-API. I will attach an upated patch tonight or tomorrow morning.
Correct, the final Negotiation token sent by the server in a "200" response is to complete the mutual authentication step for Kerberos. I think it should be handled just to be correct, there may be cases where mutual auth fails (due to a security breach) in which case the browser should report that auth failed and not send the authentication response. This prevents the browser from exposing the user's creds to a bad-guy impersonating a real web server.
>there may be cases where mutual auth fails (due to a >security breach) in which case the browser should report that auth failed and >not send the authentication response. This prevents the browser from exposing >the user's creds to a bad-guy impersonating a real web server. But that's too late, you have already sent your token(s) and since the session key is not used to protect the channel, the server (or man in the middle) needs nothing else to impersonate you (the kerberos tokens can only be replayed up until the max clock skew ~5 Minutes). The only question left is will you fail over to some other auth type and possibly give them more information (like your password). I just think SSL should be required by default, and eventually the best solution would be a security zones like IE has.
cc'ing caillon since "security zones" were mentioned ;)
One thing I noticed while poking around is that setAuthorization header in nsHttpChannel.cpp doesn't obey the nsIHttpAuthenticator::REUSABLE_CREDENTIALS auth flag. It will always cache the credentials. This will cause some replay errors on the server. if ((!creds[0] || identFromURI) && challenge[0]) { 2369 nsCAutoString unused; 2370 rv = ParseChallenge(challenge, unused, getter_AddRefs(auth)); 2371 if (NS_SUCCEEDED(rv)) { 2372 nsISupports *sessionState = entry->mMetaData; 2373 rv = auth->GenerateCredentials(this, challenge, 2374 header == nsHttp::Proxy_Authorization, 2375 ident.Domain(), 2376 ident.User(), 2377 ident.Password(), 2378 &sessionState, 2379 &mAuthContinuationState, 2380 getter_Copies(temp)); 2381 2382 entry->mMetaData.swap(sessionState); 2383 if (NS_SUCCEEDED(rv)) { 2384 creds = temp.get(); 2385 2386 // 2387 // set the cached authorization credentials to 2388 // those we used (in case we used the URI 2389 // specified credentials) 2390 rv = authCache->SetAuthEntry(host, port, path, 2391 entry->Realm(), 2392 creds, challenge, 2393 ident, sessionState); 2394 } 2395 } 2396 } 2397 if (creds[0]) { 2398 LOG((" adding \"%s\" request header\n", header.get())); 2399 mRequestHead.SetHeader(header, nsDependentCString(creds)); 2400 } 2401 else 2402 ident.Clear(); // don't remember the identity
Attached patch SPNEGO patch (obsolete) — Splinter Review
I see that work have started here again. Nice! I have from original patch updated it with SPNEGO so that it works with IIS. I can now do automatic login from Mozilla under Solaris to an IIS server, and to my own Unix-web server that also have negotiate/SPNEGO in it. I have been using it for over a month now. The above patch is for mozilla 1.4, but can also be used on 1.4.1 and 1.5. The code is just for compiling under Solaris. But adding how to find libraries and include files on other plattforms should be easy. I have not compared how my changes compares to the latests patches that I now see have been added to this bug. I hope my patch can be merged with the other new stuff. About my patch: In the code is included a number of source files for handling ASN1 parsing and SPNEGO parsing. These are from microsoft who have published them on the web site to help people get SPNEGO working. I do not know if Mozilla folks do not want to use them because Microsoft have created them, though it is quite easy to write your own. These files can also help enable you to implement SPNEGO in apache, if you like. The source code come from a 3 part article starting at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/h ttp-sso-1.asp Some changes to nsHTTPGssapiAuth.cpp: LogGssError now prints both major and minor code. The minor did not always explain what was wrong. I have removed the questions of need to free some strings where I think it is not needed. I have simplified code in ChallengeRecieved and GenerateCredentials removing continuationState handling as I do not think that is needed. As we do not do mutual authentication and send Kerberos data in initial packet, we should never get a "Negotiate data" back - if we do we cannot handle that. We could add that later, if needed. It works for me as it is now. There are some comments in the code that hopefully explain some of my choices. In GetAuthFlags I removed REUSABLE_CHALLENGE as that results in Mozilla generating Negotiate data for every http query on the same connection. It looks like this makes the CONNECTION_BASED not work as it should.
I hate to be a PITA about this, but I strongly believe that this code should NOT contain any SPNEGO or KRB5 code. All that should be done when the "Negotiate" is performed is the gss_init_sec_context call (and other supporting GSSAPI calls). If the underlying GSS system supports SPNEGO or Kerberos, the negotation will succeed. Especially because if you write the local SPNEGO to be compliant with Microsoft's implementation, you end up with a non-standard (i.e. in violation of the IETF RFC specification) implementation. The SPNEGO code from MS is broken in several ways (Using the wrong KRB5 Mechanism OID for one, putting incorrect data in the MechListMIC field for another). Also, Mutual Authentication is useful to verify that the server and/or KDC are not being spoofed and should be used. Its not hard to handle the continuation token. SPNEGO is intended to be layered *under* the GSS-API layer, the app should not be aware of the tokens being exchanged by GSS-API, putting ASN.1 code directly in here violates the abstraction. Putting local SPNEGO code into the browser will also cause problems on systems that have existing SPNEGO mechanisms already included that work properly with GSS-API. If there is strong concensus that SPNEGO code should be included here, it should be a user-configurable option whether or not to use the included spnego or use the system supplied GSSAPI mechanisms.
Attached patch Moved into Extensions (obsolete) — Splinter Review
Here is an updated version of the patch from Wyllys (originally from Daniel) which moved Negotiate to extensions/negotiateauth. It compiles fine, but there are some linking dependencies I haven’t working which would require addition changes to the configure script. I’ve had some trouble building against MIT Kerberos 1.2.7 (maybe it would work better with 1.3.1?). Kerb 1.2.7 (at least on Linux) doesn’t define GSS_C_NT_HOSTBASED_SERVICE and configure seems to think I should have it and compiled it in so it won’t load. When I hacked it up to make it compile, the code failed in gss_init_sec_context.after retrieving a service ticket but before, creating any output tokens. I didn't have a change to look into this, it just gave a generic failure error. Another problem we are going to have if MIT Kerberos is configured to use DNS lookups, then any Kerberized app will also require libresolv. There will have to be some magic done in the configure script to figure out if libresolv is required. I removed most of the modified code in nsHttpChannel, because I don’t believe it is required anymore for the current trunk. I left the mutual authentication check there till Darin comments on whether he will accept it. In order to try it out, you must apply the patch, then run autoconf and place the following in your .mozconfig ac_add_options --enable-extensions=default,irc,negotiateauth ac_add_options --enable-gssapi ac_add_options --with-gssapi=<Kerberos Directory> I also added a command to the make file for negotiateauth, so “make XPI” will make a redistributable XPI. Feel free to leave this out of the final patch, but it helps with testing. Other things I noticed in that if we want the same behavior as IE we will need the following flags. *flags = CONNECTION_BASED | REUSABLE_CHALLENGE | IDENTITY_IGNORED;
+# The Initial Developer of the Original Code is +# Netscape Communications. +# Portions created by the Initial Developer are Copyright (C) 2001 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Brian Ryner <bryner@netscape.com> looks like the copyright notices need to be updated. there's another one that is likewise bogus. as for the nsHttpChannel changes, i'm thinking about how best to incorporate those. i think it might be sufficient to call ChallengeReceived on the authenticator when a 200 OK response carries with it a challenge blob. though it is not actually a challenge, this seems like the right way to handle this situation. short of that, i might add a new method to nsIHttpAuthenticator, but i'd prefer to avoid breaking the binary contract of that interface. i was also wondering if other protocols, besides HTTP, such as IMAP or SMTP can use Negotiate auth. i know that those protocols can use NTLM auth. if it turns out that Negotiate auth can be used with other protocols, then maybe we should factor things out a little differently.
* MIT 1.3.X (finally!) fixes the missing GSS_C_NT_HOSTBASED_SERVICE problem. * The comment above the code added to ProcessResponse is incorrect, there is no check for "Content-Length == 0" and that part of the comment should be removed. I thought I had removed this from the patch before I submitted it, but I must have left it in by accident. * I don't believe MS uses the same sort of "Negotiate" authentication in other protocols. They do use SPNEGO negotation in other places, for example secure LDAP authentication uses SASL + GSSAPI + SPNEGO + (NTLM | Kerberos). I don't know if it is used for IMAP or SMTP. I do know that IMAP can support SASL, which in turn can use a GSSAPI plugin. * On Solaris, you can use the "-z lazyload" option when linking with libresolv so that it will only load if necessary, I don't know if this option exists with gnu ld. The other choice might be to just link with libresolv all the time, its not that costly if its never used. Or, just add a new "AC_TRY_COMPILE" block to test for the need to have libresolv present. * Finally - THANKS FOR INCLUDING THIS ONE!
<I might add a new method to nsIHttpAuthenticator I agree, I think it will require a new method to nsIHttpAuthenticator in order to use mutual auth. The above patch assumes that if the server sends a negotiate response, that the client should process it to check if mutual auth was successful. If the server does not send send a negotiate response (because the server is mis-configured or is not legitimate), the client will not notice that the response was skipped and proceed without the response. There needs to be some state kept on the client side which will not allow it to proceed with the current authenticator if mutual auth is required but never completes. That would require keeping track of the current authentication scheme between requests, and whether the scheme requires more information from the server.
Bug 224749 added to fix a problem with the REUSABLE_CREDENTIALS flag being ignored.
The patch does keep state in the "nsGssapiSessionState" object, I should have added a flag to track whether or not the mutual auth completed correctly and checked for this before allowing the session to complete. It would be easy enough to add to that class and make things right. That state object was created so that the gssapi context pointer could be carried around when mutual authentication was being done and the gss_init_sec_context returned the CONTINUE_NEEDED status. I should have been more careful marking the session as properly authenticated. The fix is easy, though.
I agree with Wyllys Ingersoll that SPNEGO should not be in the code, if it is available natively. I included it in my patch as I have waited a very long time for Sun to include it and finaly I gave up and added it myself. If the most important systems now does include it, we do not have to include it. I do not want this patch to force me to once again have to wait for Sun to include SPNEGO before being able to use it. Looking at the "moved to extensions" patch I wonder if you have fixed the code in nsHttpChannel.cpp so it is able to try several authentication mechanisms? Like in older patches. It is needed as more then one can be specified and "negotiate" may fail so fallback to one other is needed. Like I today get negoatiate and basic, and if negotiate fails (for example due to not logged in with Kerberos) mozilla prompts for user/password and uses basic.
Systems with Samba 3.0 can use SPNEGO via the ntlm_auth helper program. Documentation is sparse (bug me if you really are intending to use it) but ntlm_auth does act as an SPNEGO client and server. This also allows the use of NTLMSSP within SPNEGO, and allows for Mozilla to follow Samba as we better understand bits and peices of this protocol. Andrew Bartlett (Samba Team)
In reply to comment 65: bug #180049 fixed the problem you are referring to on the trunk. We are still waiting to see if it gets checked into the 1.4 branch. Bug 224749 added as a dependency, this is a new problem on the trunk which will prevent this patch from working. (It doesn't exist on the 1.4 branch) I won't have time to update the patch with suggestions from other's comments for a couple of weeks. If I could pass it on to someone else for the time being. Maybe someone could volunteer on the list so we don't duplicate efforts? Wyllys? Daniel? Someone else?
Depends on: 224749
If you agree I'd place the code on the negotiateauth.mozdev.org site. Now I'm trying to make it work with Heimdal and I believe I'll be able to spend some time on it in the future too.
It sounds like there are several possible paths to get SPNEGO functionality - The MS code, SAMBA, Heimdal, etc. I should add that a full blown implementation is probably going to be in a future Solaris release ( I cannot be more specific than that). Im not sure of the best way to configure the code so that it will succeed on various platforms. I think it should be left generic so that the local GSSAPI configuration dictates what is available and the browser itself doesnt care where SPNEGO comes from. It should be noted that SPNEGO is *NOT* required for MS interoperability to succeed [ See comment #37]. Its really not necessary to implement SPNEGO, as long as Kerberos is available, the browser can just send GSSAPI/KRB5 tokens and MS IIS will accept them as a response to the "Negotiate" authentication request. The code I submitted (based on Daniel's code) has a check to see if the system has support for SPNEGO, if so it uses it, otherwise it just used kerberos. This eliminates the need for any SPNEGO dependencies.
I'd also like to mention that current version of the kerberos module for Apache (available from modauthkerb.sf.net) also doesn't require the use of SPNEGO and it's able to work with both SPNEGO and plain Krb5 GSSAPI tokens. So SPNEGO is not required for support of Kerberos in HTTP authentication (I'm not mentioning situations where more GSS-API methods will be required)
>The code I submitted (based on Daniel's code) has a check to see if the system >has support for SPNEGO, if so it uses it, otherwise it just used kerberos. This >eliminates the need for any SPNEGO dependencies. Does it only use Kerberos or does it let gssapi select what to use? One problem I had when doing my patches was that Sun by default do not use Kerberos as default mechanism. This resulted in som diffie_hellman mech was used instead resulting in not being able to do SPNEGO in one query/response. And without SPNEGO Kerberos would never be tried. While something else than Kerberos might be used in the future, both SPNEGO and without should start with Kerberos to avoid failures or multiple query/response to find correct mech. The good thing with Kerberos is that just like when using authentication Basic, it can be done with just one query and one response over the net.
In Solaris 9 and future releases, Kerberos will be the default mechanism. In earlier releases, DH was the default *until* the unbundled SEAM package was installed in which case kerberos should have been made the default. Local administrative policy dictates the order of the mechanisms that gss will use in Solaris through the editing of the /etc/gss/mech configuration file. The gss initiator *may* specify that it wants Kerberos specifically (instead of using GSS_C_NULL_OID, specify the correct Kerberos OID structure in the init_sec_context call) if SPNEGO is not available in which case the system will find Kerberos even if it is not configured as the default mechanism. I agree, if SPNEGO is not available, the client should try to specify Kerberos explicitly instead of letting the system choose the default, thats an easy fix, though.
In reply to comment 68: Any changes I made to your patch are to be covered under normal mozilla licensing so do with it as you please. I'm assuming your patch and everyone elses suggested changes are also covered under normal licesensing. Someone let me know if that assumption is incorrect.
Which version of the patch is being considered? I am willing to make fixes to the patch I submitted, but I dont want to conflict with whatever code the maintainers are working from. Could someone post the code that is currently under consideration so that fixes can be made to "current" code ?
John Brezak (Microsoft) has just published an updated draft describing the HTTP-Negotiate protocol to the IETF Kerberos Working group. It does not appear to be any different from what was previously published, but at least the document is now current (as opposed to "expired"). http://www.ietf.org/internet-drafts/draft-brezak-kerberos-http-00.txt Also, can someone respond to my previous request for a pointer to the latest code so I can make the requested fixes?
Is the final patch above ("Moved into Extensions") going to be included as part of the next release or is someone waiting for additional changes of some sort? I downloaded the latest code via CVS and did not see any of this stuff included in the tree yet, so I'm curious as to the status.
Attached patch Updated code for extensions area (obsolete) — Splinter Review
This patch updates various autoconf files (configure.in and config/autoconf.mk.in) to detect GSSAPI installations better (Solaris, MIT, and Heimdal). Also, it includes the latest code from Daniel. Patches "extensions" area so that "negotiateauth" extension module is created.
Attachment #134485 - Attachment is obsolete: true
if the latest patch is ready for review, then please let me know, and i will take a look. at this point, it seems unlikely that it will make 1.6 final. reassigning to myself for eventual checkin.
Assignee: ssaux → darin
Component: Client Library → Networking
Product: PSM → Browser
Target Milestone: Future → mozilla1.7alpha
Version: 2.4 → Trunk
Go ahead and review it, I want to move this along and be done with it:)
Attachment #136299 - Flags: review?(darin)
What concerns the patch to be reviewed, I'm suggesting to replace function nsGssapiSessionState::nsGssapiSessionState() with: nsGssapiSessionState::nsGssapiSessionState() { OM_uint32 minstat, majstat; gss_buffer_desc buffer; gss_OID_set mech_set; int mech_found = 0; unsigned int i; gss_OID item; mCtx = GSS_C_NO_CONTEXT; mech_oid = &gss_krb5_mech_oid_desc; // // Now, look at the list of supported mechanisms, // if SPNEGO is found, then use it. // Otherwise, set the desired mechanism to krb5 // // Using Kerberos directly (instead of negotiating // with SPNEGO) may work in some cases depending // on how smart the server side is. // majstat = gss_indicate_mechs(&minstat, &mech_set); if (GSS_ERROR(majstat)) return; for (i=0; i<mech_set->count; i++) { item = &mech_set->elements[i]; if (item->length == gss_spnego_mech_oid_desc.length && !memcmp(item->elements, gss_spnego_mech_oid_desc.elements, item->length)) { mech_oid = &gss_spnego_mech_oid_desc; break; } } (void) gss_release_oid_set(&minstat, &mech_set); } add lines static gss_OID_desc gss_krb5_mech_oid_desc = {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; static gss_OID_desc gss_spnego_mech_oid_desc = {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; to the beginining the file and remove all occurences of the gss_release_oid() call. These changes removes dependances on functions which are not part of the GSS-API specs (and set directly krb5 mechanism if spnego is not found, as mentioned in comment #72. I'd also suggest to replace the nsCString types with EmbedString to allow the component to build with standalone gecko SDK.
err, you should not put stuff that can fail into a constructor. instead, add a ::Init method, you can get xpcom to automatically call that when your component is instantiated.
I suppose you mean the GSS_ERROR(majstat) checking result of gss_indicate_mechs() in nsGssapiSessionState::nsGssapiSessionState(). But failure of this call doesn't influence the initialization of the object, it only causes that the krb5 mechanism will be used by the component and no other mechanisms (especialy SPNEGO) will be looked for in the system.
I'm OK with the suggested change. Daniel is correct, the failure of the gss_indicate_mechs call does not cause the whole instantiation to fail, it just causes the mech_oid to default to Kerberos instead of continue looking for SPNEGO, which is acceptable.
If some actually has an RFC compliant implementation of SPNEGO for Mozilla to pick up, will it even work with Microsoft’s implementation? If not we should always just use GSS Kerberos.
A "future release" of Solaris may very well have an RFC-compliant SPNEGO mechanism. It "may" also allow for a configurable flag (in the gss config file) that turns it into a non-RFC-compliant-but-Microsoft-compatible SPNEGO implementation. A strictly RFC compliant SPNEGO mech will NOT interoperate with Microsoft's current SSPI-Negotiate mechanism. However, they (Microsoft) are aware of the problem(s) and may choose to correct it in a future release. Since its easy enough to support SPNEGO if its available, I think the code should be left in place. In the future, when new GSS mechanisms (SPKM, LIPKEY) become available, negotiation of the security mech may actually become a significant choice (or maybe not).
ah - yeah, this block: if (GSS_ERROR(majstat)) return; was indeed what I was referring to. Thanks for the explanation.
In comment 62 and comment 64 we discussed the problems with the way this code implements mutual auth. If the server doesn't send a negotiate token, Mozilla won't try and process the mutual auth response but will proceed anyway. I suggest that mutual auth be moved out of this patch and another bug opened on how to address mutual auth in a generic way that all authentication plugins can take advantage of. If possible there should never be mechanism specific code outside of the plugin. Reiterating my comment 54: In addition, SPNEGO is susceptible to Man in the Middle attacks even with mutual auth (at least for the max clock skew of the Init-sec-context blob). Mutual auth just ensures that the server is out there, not that the traffic is not being captured and replayed by a third party in the middle. Since the user is never prompted he/she never gets to make the call whether they trust the remote site enough to send their credentials to it, it just happens automatically and transparently. If the site is not legitimate it's too late. Actually prompting the user would defeat the purpose of this patch, so their should be a pref where the user can specify to which protocols, servers, or domains he trusts enough to auto send his tokens. This is basically the model Microsoft has used to keep Negotiate in the Local Intranet Zone. Pref Example user_pref("browser.negotiateauth.urls","https://*.somesite.com;https://*.someothersite.com") For Kerberos at least, most sites don't have a huge number of shared keys with foreign KDC's, so usually they will only be able to get tickets for one, or at least a small set of machines in different DNS domains. So for Kerberos just having a pref for requiring SSL, would be a good start because the acceptable machine list is implicit to the protocol. The problem is that in practice most users will just turn it off, so something like the list of trusted DNS domains is needed in the long run. You will probably at least want to add IDENITY_IGNORED to your set of flags. You may also want CONNECTION_BASED if you want to make it exactly like Microsoft's. Also you could add REUSABLE_CHALLENGE, but I'm not sure if it's appropriate or not, it may break if SPNEGO is ever used for something besides Kerberos.
Im inclined to agree about removing the mutual authentication option until we can work out the details of how to correctly handle it. I'll go ahead and update the patch to add the flags as you suggest as well. I'll also remove the code from nsHttpChannel.cpp as its only needed when mutual auth is requested, for non-mutual auth, the context initiation should complete in a single round-trip.
Regarding comment 87: Of what I could understand, we should not need to have things like trusted zones or trusted domains when using Kerberos. There will be no tokens to send unless the remote host is in the same Kerberos domain as the one I have logged in to, or the other domain has a trust with my Kerberos domain. You cannot get a ticket to send unless you have an account in the remote domain and can get a ticket for that domain. It may be problems with SPNEGO, but not with Kerberos. Or have I missunderstood Kerberos? And if I only can get a ticket to send to a server in a domain my Kerberos domain trusts, then there is no need of having a preference defining which domain to trust (or require them to be SSL as Kerberos is already encrypted).
Attached patch Updated patch (obsolete) — Splinter Review
Updated with suggestions from Comment #87 and #88. - MUTUAL_AUTHENTICATION flag is no longer used - Changes to nsHttpChannel.cpp removed, all changes are isolated in the extension - IDENTITY_IGNORE | CONNECTION_BASED flags added to authentication handler. - Cleaned up nsGssapiSessionState::nsGssapiSessionState() as suggested in comment #80
Attachment #136299 - Attachment is obsolete: true
You are correct about domains and machines you can access are implicit to the kerberos protocol. The problem is will you have to go through an untrusted domain to get to your trusted one? Mozilla currently has no way to make that assumption. Are you sitting in a coffee shop with your laptop, in which case there is no reason to trust DNS, the proxy server or anything else (maybe its unlikely that you'll even be able to get kerberos credentials in such an environment, but I don't really want to base security on that assumption) You will likely want to use SSL even to a site you considered trusted if you have to go through an untrused network to get there. To refine what I suggested before, the really only important part of the pref I suggested is that you can specifiy which domains, are local and which are remote (or which ones I really trust and which ones I don't). So if DNS siteA is my homesite, I may decide MITM attacks are unlikely, so in that case I really don't need SSL, but but DNS SiteB, which is a site I have a keberos shared key with is at another university. To get to siteB my connection must traverse the internet, where MITM attacks are more likely, then I would want SSL. Another thing is that kerberos shared keys should not imply that I trust the networks of KDC's from other realms. My university could share keys with every University in the United States, that does not mean I trust the networks of each of these universities, or even that they trust me to log into any of their machines. It's just that I now have a way of asserting my identity to them. So I should be able to decide on a case by case basis if MITM middle attacks are a viable threat, and so require SSL, or not require SSL. But in the general case, I would be happy if we could just require it or not require it for everything, but I'm sure most people would just use the option to not require SSL because they would assume that SPNEGO will give them many of the same protections as SSL, which is not true. >Kerberos is already encrypted Also note, that SPNEGO is for authentication only, the shared keys transferred back and forth during the gss-init-sec-context and gss-accept-sec-context dance are never used again. Since the shared keys are not used to protect the channel, there are very few of the normal kerberbos or SSL protections. There are no Integrity, privacy, or Man-in-the-middle protections. You need to add SSL to the mix if you want those.
Attachment #136361 - Flags: review?(darin)
Having an option to specify trusted domains would be nice. Microsoft added it for good reason. I think that the whole concept of using Kerberos and HTTP together was only ever intended for intranets and not necessarily for going over the internet itself. SSL protection is highly desirable in either case, though not a requirement for successful authentication (obviously). This feature is important to advance the adoption of mozilla as a standard desktop browser for intranets in companies where they have a Kerberos infrastructure and want to extend SSO to their internal websites. Currently, only IE is capable of doing secure web logins this way. Just to clarify, SPNEGO is a "pseudo-mechanism" that allows servers and clients to negotiate a common security mechanism when both sides are not aware of the others capabilities. The security of the authentication is dependent upon the security of the mechanism that is chosen, SPNEGO itself does not offer any security beyond what is available in the security mechanisms chosen. Kerberos does provide replay protection, though, so Im not sure if a replay attack by a MITM is possible when Kerberos is the mech that is negotiated.
>>Kerberos does provide replay protection, though, so Im not sure if a replay attack by a MITM is possible when Kerberos is the mech that is negotiated. It can if the advesary owns the proxy server or DNS you are using. They control what information runs through them (with DNS I mean they redirect your traffic to one of their own machines), they will just interecpt all of your communications and not send them on, at least until they are done altering them. They will just steal info from the WWW-Authenticate header and reform the data portion to their liking. They can even do the same with the response, you will get a mutual authenticate token, but again they get to read and change the reply before they send it to you. Replay caches have very little value in this senario. Replay caches are useful if you don't go through a compromised proxy and DNS is legit, then its just a race to see who can get their data to the webserver first. The orginal version of the data or their altered version. At least in this senario web server logs may point to something funny going on.
I don't like this part of the patch, gss_str_to_oid was removed from gssapiv2 + // Create an OID for SPNEGO mechanism. + // + buffer.value = (char *)"{ 1 3 6 1 5 5 2 }"; + buffer.length = strlen((char *)buffer.value); +#ifdef HAVE_GSS_STR_TO_OID + majstat = gss_str_to_oid(&minstat, &buffer, &mech_oid); +#else + majstat = 10000; /* XXX simulate error */ +#endif + if (majstat == GSS_S_COMPLETE) { Why not just replace it with static gss_OID_desc mech_oid_desc = {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; gss_OID mech_oid = &mech_oid_desc; ? As a comment to #85, Heimdal (current not released yet) includes a SPENGO that interrops with MS SPENGO (that is used in IIS). There is a test http client (that is just built, not installed) that include with heimdal distribution that tests this. The goal is to get a rfc compliant SPNEGO.
In response to Comment #94 - the gss_str_to_oid stuff was removed in the patch that I posted this morning. In response to Comment #93: I believe the scenario being discussed is where a DNS server is corrupted to direct kerberos traffic to an "evil" KDC server that issues bogus tickets. This is a general problem for Kerberos, but Im not sure that scenario you are describing is valid. Assuming that the HTTP server has a local keytab with a service key stored that came from the original (good) KDC, it will reject the tickets that were modified by the MITM because the encrypted authenticator part of the bogus ticket will not be decryptable using the http servers real key. To be successful, the MITM would need to have access to the HTTP service key on the web server. IN that case, all is lost because the web server is already compromised. Anyway, its probably a discussion best taken off line, perhaps to the IETF krb5 WG list or the MIT developers list.
so the new patch is an improvement but I still think nsGssapiSessionState is broken, in the current state it will always select the krb5 mech shouldn't it look for SPNEGO - mech_oid = &gss_krb5_mech_oid_desc; + mech_oid = &gss_spengo_mech_oid_desc; and then when not found revert to let the gss implemetion guess if (!found) mech_oid = GSS_C_NO_OID; ? also the variable buffer in that function is unused
There is a problem with my loop that looks for SPNEGO. If SPNEGO is available, it should be used, otherwise, default to KRB5. KRB5 is the fallback default. I think its OK to set mech_oid = &gss_krb5_mech_oid_desc, as long as it switches to SPNEGO later if possible. If this fix is OK, I'll update the patch sometime next week: Fix: + // + // Now, look at the list of supported mechanisms, + // if SPNEGO is found, then use it. + // Otherwise, set the desired mechanism to + // GSS_C_NO_OID and let the system try to use + // the default mechanism. + // + // Using Kerberos directly (instead of negotiating + // with SPNEGO) may work in some cases depending + // on how smart the server side is. + // + majstat = gss_indicate_mechs(&minstat, &mech_set); + if (GSS_ERROR(majstat)) + return; + for (i=0; i<mech_set->count && !mech_found; i++) { + item = &mech_set->elements[i]; + if (item->length == gss_spnego_mech_oid_desc.length && + !memcmp(item->elements, gss_spnego_mech_oid_desc.elements, + item->length)) { + mech_found = 1; + mech_oid = &gss_spnego_mech_oid_desc; + break; + } + }
Not an evil KDC but an evil web server posing as the end web server but really just altering and relaying the traffic. All tickets are valid. There is no cryptographic connection between the auth tokens and the data being sent, you can switch out the data portion without trouble. But my point is that we need at least SSL and something like this added to ChallengeReceived or GenerateCredentials would do it. You could do the following to get the pref nsCOMPtr<nsIPref> prefs(do_GetService(NS_PREF_CONTRACTID, &rv)); prefs->GetBoolPref("network.http.auth.spnego.requireSSL", &requireSSL) And the following to test if its SSL rv = channel->GetURI(getter_AddRefs(uri)); uri->SchemeIs("https", &usingSSL); Also we probably don't want to send delegated credentials to everything. Most people will not ever require it, but some will. There should be a pref for that as well. The biggest problem with delegating constantly (besides security) is that MIT kerberos will hit the KDC with every request of the web server to get a cred to delegate (these are not generally cached). So with a page with 4 images, a user will hit the KDC 5 times (the html page + the 4 images) and get a new TGT with each request.
I am not sure the right way is to have a pref like: user_pref("browser.negotiateauth.urls","https://*.somesite.com;https://*.someothersite.com") because it is not SPNEGO that is the problem. Instead it is the authentication mechanism. Would it not be better if the user could for each authentication mechanism, like Kerberos, NTLM, "basic",..., define what should be applied for it? I see that MS IE have things like: enable, disable, prompt. I would like to be able for each mechanism set: disabled, enabled for all, enabled for a restricted case, or prompted for ok. This way I could define, for example, that Kerberos is ok in domain xxx.yy, NTLM is never OK and "basic" is allowed in domain xxx.yy over SSL. The general user will not understand negotiate but might better understand the mechanism names. Also, as allowing negotiate would allow any mechanism negotiated to be used, I really could not allow negoatiate to be used at all unless I know that the negotiate protocol will never negotiate an unsafe mechanism. When you use SPNEGO you need to be able to tell it which mechanisms it is allowed to negotiate (and you cannot do this in a general global configuration file as it depends on who you negotiate with).
I've updated the patch to reflect the changes mentioned in comment #97.
Attachment #136361 - Attachment is obsolete: true
Comment on attachment 136869 [details] [diff] [review] Updated to reflect changes in mech_oid selection Any chance we can get this fixed in 1.6B instead of waiting another 3 or 4 months for the next release?
Attachment #136869 - Flags: review?(darin)
+ // + // Now, look at the list of supported mechanisms, + // if SPNEGO is found, then use it. + // Otherwise, set the desired mechanism to + // GSS_C_NO_OID and let the system try to use + // the default mechanism. + // + // Using Kerberos directly (instead of negotiating + // with SPNEGO) may work in some cases depending + // on how smart the server side is. + // the comment is not correct, GSS_C_NO_OID isn't used but the kerberos oid directly
In Reply to comment 99: Yes, most of my security assumptions were based on SPNEGO negotiating Kerberos, and that may not be the case. It does make sense, to split up the authentication protocols for SPNEGO under different preferences, the problem is I don't know if that is possible in any sort of cross implementation manner. Is there a standard API for SPNEGO that at the application level you can specify what can be negotiated or is all of that buried in SPNEGO or OS Specific config files? Spnego should not be enabled by default if we don't know what a user the user's machine has been configured to support, what if for whatever reason, sending a cleartext password was what was negotiated, that would be terrible for security. Microsoft mixed NTLM and Kerberos for negotiate, I personally would not want to treat them the same, or put them at the same level of trust for auto-sending authentication tokens without user input. So if we decided to use SPNEGO, there should be a way to limit to only to a particular protocol and DNS space (User configured for his/her Intranet DNS space) and disabled by default, till user decides he wants/trusts it based on an informed decision on how SPNEGO on his system is configured. If we just support Kerberos, the same is true, but it should also be turned off be default or at least require SSL, be default until a user tweaks some config setting and tells it otherwise. Also does anyone have any links that point other Kerberos web standards besides the Microsoft's draft? NCSA's httpd seemed to support this, but I've only found sketchy details. http://hoohoo.ncsa.uiuc.edu/docs/tutorials/howto/kerberos.html
Because SPNEGO is a GSSAPI mechanism, the API should be the GSS-API (v2), it should definitely NOT be a separate API. Defining what mechanisms SPNEGO will negotiate is a system-wide policy decision, it should probably not be made on an application-by-application basis. Though, one can see why it might be desirable to do so in some cases, I would tend towards leaving that as an administrator's policy decision. SPNEGO will negotiate whatever the system is configured to offer in union with whatever credentials are available for that user. No sense offering a mechanism for which the user cannot acquire credentials. Also, see: http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-09.txt for an alternate HTTP authentication method that is more popular within the IETF security circles. The SPNEGO method proposed by Microsoft is an "individual submission" and is not to be treated as a standard of any sort, its merely a submission that describes an existing technology, it has not been adopted by any working groups for development into a "standard". In fact, the KRB5, GSSAPI, and HTTP people within the IETF are not very enthusiastic about the MS implementation. Unfortunately, its already out there and now people are wanting to use it. there is
I've updated 'nsHttpGssapiAuth.cpp' with a couple of minor fixes: 1 - don't call gss_release_oid on 'mech_oid' because mech_oid is no longer dynamically allocated. 2 - fixed the mech selection loop to select SPNEGO if its found (as was originally intended). As written in the original patch it was not actually selecting SPNEGO if available. The default is still to choose KRB5, only use SPNEGO if the system says its available.
Is this extension going to be reviewed for 1.7?
this extension is going to be reviewed for 1.7. it is on my plate to get it into the tree.
Attachment #136299 - Flags: review?(darin)
Attachment #136361 - Flags: review?(darin)
>AC_CHECK_HEADERS(gssapi/gssapi.h, [GSSAPI_INCLUDES="-I/usr/include/gssapi"]) GSSAPI=1 i know this line is only evaluated in the solaris builds, but isn't it possible that gssapi/gssapi.h might be under /usr/local/include instead of /usr/include? i ask because it seems like AC_CHECK_HEADER is going to check more than just /usr/include. > if test "$GSSAPI" = "1" ; then > AC_DEFINE(GSSAPI) > MOZ_EXTENSIONS="$MOZ_EXTENSIONS negotiateauth" > fi i noticed that you are unconditionally building the negotiateauth extension if GSSAPI exists. shouldn't it be the case that you only check for GSSAPI if the negotiateauth extension has been listed as an extension to be built? (i.e., via configure --enable-extensions=default,negotiateauth)... though we probably do want to make negotiateauth be built by default. the point is that someone could also type "configure --enable-extensions=default,-negotiateauth" to disable negotiateauth. we should not override that. the patch includes some files that should not be there: nsIHttpAuthenticator.idl nsIHttpAuthenticator.h Makefile please let me know if you have included modifications to these files. i'm guessing that isn't the case ;) >-. ${srcdir}/config/chrome-versions.sh >-AC_SUBST(MOZILLA_LOCALE_VERSION) >-AC_SUBST(MOZILLA_REGION_VERSION) i see these lines being removed from configure.in. i presume that this wasn't meant to be included in the patch.
In Solaris, we very much want to use the standard GSSAPI header and library bundled with the OS (under /usr/include) and not someone's alternate version in /usr/local. If the standard gssapi headers and library is not found, it should default to looking in /usr/local. But for 99% of the Solaris population (Solaris 2.6 and later), the Solaris GSSAPI (/usr/include/gssapi/gssapi.h and /usr/lib/libgss.so.1) should be preferred and highly encouraged. Solaris has the only GSSAPI library that is actually "pluggable" and will dynamically load mechanisms other than KRB5. MIT KRB5 includes a GSSAPI library, but it really only supports KRB5. Future Solaris versions may include an SPNEGO plugin as well as others, so I'd like Solaris users to use the Solaris code wherever possible. I agree with your 2nd point - we probably do want negotiateauth to be on by default, but it certainly should be de-configurable as well. Finally - I did not make changes to those files you listed (they should not have been part of the patch) and I did not mean to include that last bit of change to configure.in, you can disregard that stuff. Its probably a "diff" **** from when I generated the patch. thanks for looking at this stuff...
Comment on attachment 137883 [details] [diff] [review] Updated nsHttpGssapiAuth.cpp file >/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ >/* The contents of this file are subject to the Mozilla Public License Version > * 1.1 (the "License"); you may not use this file except in compliance with > * the License. You may obtain a copy of the License at > * http://www.mozilla.org/MPL/ > * > * Software distributed under the License is distributed on an "AS IS" basis, > * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License > * for the specific language governing rights and limitations under the > * License. > * > * The Original Code is the Negotiateauth > * > * The Initial Developer of the Original Code is Daniel Kouril. > * Portions created by the Initial Developer are Copyright (C) 2003 > * the Initial Developer. All Rights Reserved. > * > * Contributor(s): > * Daniel Kouril <kouril@ics.muni.cz> (original author) > * Wyllys Ingersoll <wyllys.ingersoll@sun.com> > * Christopher Nebergall <cneberg@sandia.gov> > */ have you considered licensing this file under the new MPL/GPL/LGPL tri-license? there is an effort underway to make most of mozilla fall under that license. see http://www.mozilla.org/MPL/relicensing-faq.html for more info. >/* this #define must run before prlog.h is included */ >#define FORCE_PR_LOG 1 are you sure you want to enable logging in release builds? typically, you want to do this: #ifdef MOZ_LOGGING #define FORCE_PR_LOG #endif that way "configure --disable-logging" will work :-) >#if defined(PR_LOGGING) > > PRLogModuleInfo *gHttpLog = nsnull; > static PRLogModuleInfo* gNegotiateLog = nsnull; > >#endif declaring "gHttpLog" doesn't make any sense here. >class nsGssapiSessionState : public nsISupports >{ >public: > NS_DECL_ISUPPORTS > > nsGssapiSessionState(); > virtual ~nsGssapiSessionState() { destructor does not need to be virtual. instances of nsGssapiSessionState are only ever deleted via the Release method which is defined on this class so it does not need a virtual destructor. > NS_IMETHOD Reset() { this method does not need to be virtual. NS_IMETHOD declares it to be virtual. better to just declare this method like so: nsresult Reset() hmm... though it looks like it never fails, so why not just return |void|? yes, in fact you never check the return value, so void Reset() would be best :) >nsHttpGssapiAuth::nsHttpGssapiAuth() >{ > NS_INIT_ISUPPORTS(); NS_INIT_ISUPPORTS is no longer needed in Mozilla code. it is defined as an empty macro now. >nsHttpGssapiAuth::~nsHttpGssapiAuth() >{ >} define this destructor inline... and be sure to NOT declare it virtual for the reasons i gave above for nsGssapiSessionState. > if (!session) { > session = new nsGssapiSessionState(); > if (!session) > return(NS_ERROR_OUT_OF_MEMORY); nit: looks like a tab character crept in here. please de-tab source files. perhaps this method should be wrapped in a #ifdef MOZ_LOGGING block. >void >nsHttpGssapiAuth::LogGssError(OM_uint32 maj_stat, OM_uint32 min_stat, char *prefix) >{ ... > // LOG(("%s", ToNewCString(error))); > LOG(("%s\n", error.get())); >} remove the ToNewCString comment. >nsHttpGssapiAuth::GenerateCredentials(nsIHttpChannel *httpChannel, ... > NS_ENSURE_ARG_POINTER(creds); no need for a runtime check here. a debug assertion is sufficient. "garbage in equals garbage out" as far as i'm concerned. NS_ASSERTION(creds, "null param"); > major_status = gss_import_name(&minor_status, > &input_token, >#ifdef HAVE_GSS_C_NT_HOSTBASED_SERVICE > GSS_C_NT_HOSTBASED_SERVICE, >#else > gss_nt_service_name, >#endif > &server); nit: indent gss_nt_service_name by one more space ;) > input_token.value = 0; > input_token.length = 0; > if (GSS_ERROR(major_status)) { > LogGssError(major_status, minor_status, > (char *)"gss_import_name() failed"); > return NS_ERROR_FAILURE; > } i would recomment defined LogGssError like this: #ifdef MOZ_LOGGING void nsHttpGssapiAuth::LogGssError(OM_uint32 maj_stat, OM_uint32 min_stat, char *prefix) { ... } #else #define LogGssError(x,y,z) #endif that way you don't have to add #ifdef MOZ_LOGGING where ever LogGssError is called. > if (len > strlen(NEGOTIATE_AUTH)) { > challenge += strlen(NEGOTIATE_AUTH); most compilers will optimize away strlen of a string literal, but it might be better to use sizeof to help the compiler. how about defining a macro like this: #define NEGOTIATE_AUTH_LEN (sizeof(NEGOTIATE_AUTH)-1) > input_token.length = (len * 3)/4; > input_token.value = malloc(input_token.length); > if (!input_token.value) > return (NS_ERROR_OUT_OF_MEMORY); nit: fix indentation > if (PL_Base64Decode(challenge, len, > (char *) input_token.value) == 0) { > free(input_token.value); > return(NS_ERROR_UNEXPECTED); > } nit: fix indentation > (void) gss_release_name(&minor_status, &server); nit: i'm not a big fan of prefixing functions with (void) "when i choose not to store the return value"... in the case of this source file, the convention is only sometimes followed. seems to me that it would be better to keep things consistent. either always prefix with (void) or never prefix with void :-) > // allocate a buffer sizeof("Negotiate" + " " + b64output_token + "\0") > *creds = (char *) malloc (strlen(NEGOTIATE_AUTH) + 1 + strlen(encoded_token) + 1); since this value is being passed out of your module, you should allocate memory using nsMemory::Alloc instead. this last code block seems like it could be simplified to this: nsresult rv = NS_ERROR_OUT_OF_MEMORY; char *encoded_token = PL_Base64Encode((char *)output_token.value, output_token.length, nsnull); if (!encoded_token) goto end; LOG(("Sending a token of length %d\n", output_token.length)); // allocate a buffer sizeof("Negotiate" + " " + b64output_token + "\0") *creds = (char *) nsMemory::Alloc(NEGOTIATE_AUTH_LEN + 1 + strlen(encoded_token) + 1); if (!*creds) goto end; sprintf(*creds, "%s %s", NEGOTIATE_AUTH, encoded_token); rv = NS_OK; end: if (encoded_token) PR_Free(encoded_token); (void) gss_release_buffer(&minor_status, &output_token); (void) gss_release_name(&minor_status, &server); LOG(("returning the call")); return rv; } though i'm not a huge fan of using goto statements, in this case i think using a goto is reasonable since it keeps all your cleanup code in one place.
Attachment #137883 - Flags: review-
>are you sure you want to enable logging in release builds? let me clarify that statement. mozilla.org's release builds currently define MOZ_LOGGING, but some folks may want to build trimmed down executables that do not define MOZ_LOGGING :-)
What about the security problems with the patch I discussed previously? 1. It should give the user the option of requiring or not requiring SSL before to automatically sending their tokens to the server. This really should be a client side decision. I'm also hoping we default it requiring SSL, if a user actually understands enough about the pref to go look for it, then he's welcome to disable it. user_pref("network.http.auth.spnego.requireSSL", true). 2. If is possible that any other protocol besides kerberos will slip in because of the OS's ability to choose SPNEGO and negotiate a different possibly less secure protocol(NTLM?), the user should be able to define his trusted DNS (or IP) space. The security of the browser should not rely on the configuration of the OS it is running on. The default should probably be no trusted DNS or IP space. Example Configuration user_pref("browser.negotiateauth.urls","https://*.somesite.com;https://192.168.*") I volunteer to write this code, if necessary. Since Wyllys is the patch maintainer I won't move on this unless he approves, but I hope Darin will look at my suggestions before accepting the patch as is. I could, of couse, open new bugs on these later, but if possible we shouldn't have nightly builds floating around with inadequate security which could have been built in originally.
If Christopher wants to add the code to add those user_pref options, I think that would be great. They are good ideas, I just don't have the time to do the work right now and I don't want to delay the adoption of this extension even further. I don't consider them to be show-stopper problems, but rather as enhancements that can be fixed later (or now, if time permits). Regarding the code review comments, I will take a look at the code and update the patch accordingly. thanks...
Regarding the copyright issue - Daniel Kouril is the original author, so I'll defer to him regarding the copyright. I'm fine with using the new standard mozilla licensing as suggested.
(In reply to comment #113) > If Christopher wants to add the code to add those user_pref options, I think > that would be great. They are good ideas, I just don't have the time to > do the work right now and I don't want to delay the adoption of this > extension even further. I don't consider them to be show-stopper problems, > but rather as enhancements that can be fixed later (or now, if time permits). chris, if you can make these enhancements happen in a timely manner, then i'm all for including them. i confess that i don't understand all the details (yet) about what you were suggesting, but i agree that we shouldn't miss the opportunity to build a secure system from the start.
In comment 112: > I'm also hoping we default it requiring SSL, if a user > actually understands enough about the pref to go look for it, then he's > welcome to disable it. > user_pref("network.http.auth.spnego.requireSSL", true). > The default should probably be no trusted DNS or IP space. > user_pref("browser.negotiateauth.urls","https://*.somesite.com") The above is ok if there is a user interface to set this up. Otherwise I do not want the default to require SSL as we use this for our internal net and do not want to teach everybody how to hack prefs.js to get things to work. Is Kerberos in spnego unencrypted?
> Is Kerberos in spnego unencrypted? No, but the (http)data isn't bound to the spnego request, so if see a spnego request on the wire you can do a reply attack (if you can force the first session to be dropped) http-spnego really needs to be run over a secure transport
Attached is the updated patch file. I implemented the changes suggested by Darren in his review.
Attachment #136869 - Flags: review?(darin)
ok, a couple issues remain with this patch: 1) i don't see how it will support "configure --enable-extensions=default,-negotiateauth" in case i want to compile without negotiateauth extension. 2) need Daniel Kouril to agree to the MPL/GPL/LGPL tri-licensing. 3) need cneberg to complete the pref changes, etc. milestone 1.7 alpha is fast approaching. we can still land this during 1.7 beta, but it would be best to wrap things up quickly.
Wylls what OS/Kerberos combinations have you tried to compile Mozilla with after applying this patch? I can help test in Linux. I would like to get this option enabled in the nightly and release builds if at all possible. Pertinant Combinations (some neat to support and some are actually nightly build platforms) Default RH 7.3 Default install comes with dynamic libs for MIT 1.2.4 and puts them in /usr/lib/kerberos. I think that's the LINUX nightlies and releases are built on. Sun OS 8 + Sun Kerberos (What Version??) Sun OS 9 + Sun Kerberos (What Version??) Sun OS 8 + MIT Kerberos (what Version??) - Neat to have Sun OS 8 + MIT Kerberos (what Version??) - Neat to have Mac OS X.Something (What version?) / What version of Kerberos does it come with? This is also a nightly build platform.
(In reply to comment #120) > Wylls what OS/Kerberos combinations have you tried to compile Mozilla with after > applying this patch? I have compiled and tested this on MacOS X 1.3.1 (Panther) using an Apache web server with the latest mod_auth_kerb, which supports negotiate authentication.
I have tested the on the following: Solaris 9 with SEAM 1.0.3 (i.e. bundled Solaris Kerberos bits) - I did not test on older Solaris releases, but am confident that it would work just as well because GSSAPI has been part of Solaris since 2.7 (or maybe even 2.6, I would have to check). RedHat Linux with MIT KRB5 1.3.1 installed in /usr/local I don't have access to other systems (Mac OSX or other Linux distro's). The configure script changes I added include an option for specifying the location of the gssapi headers and libraries (--with-gssapi=PFX) to accomodate other locations, so I don't know that further changes are needed.
(In reply to comment #119) > ok, a couple issues remain with this patch: > > 1) i don't see how it will support "configure > --enable-extensions=default,-negotiateauth" in case i want to compile without > negotiateauth extension. > I will post a fix for the configure.in script to address this. > 2) need Daniel Kouril to agree to the MPL/GPL/LGPL tri-licensing. I emailed Daniel. If we don't hear from him in a reasonable time, I think we should go with the new tri-license and not let this be a show-stopper. > > 3) need cneberg to complete the pref changes, etc. Chris' changes are definitely good to have, but not necessary for moving forward. If he has an update in time for the next milestone, then thats great, but if not we should not delay getting the existing work included in its current state (code review pending, of course). > > milestone 1.7 alpha is fast approaching. we can still land this during 1.7 > beta, but it would be best to wrap things up quickly. Agreed.
> 2) need Daniel Kouril to agree to the MPL/GPL/LGPL tri-licensing. I have no problem with this change
Attached patch Complete updated patch (obsolete) — Splinter Review
Patch updated as follows: 1. copyright notice updated in all new files to reflect tri-license. 2. Modified configure.in to allow for the negotiateauth extension to be disabled as suggested by reviewer. 3. patch created against code downloaded from CVS last night.
Attachment #136869 - Attachment is obsolete: true
Attachment #137883 - Attachment is obsolete: true
Attachment #140107 - Attachment is obsolete: true
>RedHat Linux with MIT KRB5 1.3.1 installed in /usr/local Unless this compiles with MIT 1.2.4 I don't think it'll compile on the Linux tinder box. If necessary, we could up the requirements, but I'm sure 80% of redhat user's are using the MIT version that their linux distro came with. I'm working on the added features, I'll add them to the newly updated patch you wrote and re-submit it.
The GSS-API has not changed from 1.2.X to 1.3.X so compiling with MIT 1.2.4 should not be an issue. I did a build today on a RedHat system with 1.2.7 installed and it worked fine. 2 minor fixes to the most recently submitted patch were needed to get it to find the proper headers, though: [For new 'configure.in' script ] + dnl + dnl If GSSAPI libs were found, look for headers and try to + dnl determine if the GSS_C_NT_HOSTBASED_SERVICE value is + dnl defined. Older MIT releases did not define this correctly. + dnl + if test -n "$GSSAPI_LIBS"; then + AC_CHECK_HEADERS([gssapi/gssapi_generic.h]) ^^^^^^^ + AC_TRY_COMPILE([ #include <gssapi/gssapi.h> ], + [ gss_OID oid = GSS_C_NT_HOSTBASED_SERVICE; ], + [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE)],[]) + fi [Update to extensions/negotiateauth/nsHttpGssapiAuth.cpp ] + +#include <gssapi.h> +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H ^^^^^^^ +#include <gssapi/gssapi_generic.h> +#endif +
Attached patch working version (obsolete) — Splinter Review
I've attached my untested version with with the pref changes and the changes to the config files mentioned in the previous comment. Everything compiles fine, but for some reason when I compiled against Kerberos 1.2.4 - I couldn't start the browser, even if I removed the libnegotiateauth.so file, the previous profile, and component.reg. I've tried on two seperate machines. I'll try again with 1.3.1 when I get a chance. The two prefs are listed below. They create themselves as empty strings if they aren't found. NegotiateAuth.delegationURIs NegotiateAuth.trustedURIs By default the module is not enabled, because I have no idea what, if anything would be a safe default because I have no idea what SPNEGO on that particular machine may support. Here are some examples of a valid pref, they can be whole domains, sub-domains, or even specific machines. You can prepend a protocol to any of these if you only want it to work for HTTP or HTTPS. Even putting a protocol by itself is valid if you want it to work for every site using that protocol (https for example). The list is semi-colon (;) seperated. NegotiateAuth.trustedURIs "www.somesite.com;https://wholedomain.com;https://" If you want it to work everywhere you can do this NegotiateAuth.trustedURIs "http://;https://" NegotiateAuth.delegationURIs works the same way but it is for a list of hosts, domains, etc that you trust enough to delegate to. This way we are not delgating to every web server. In order to delegate to a machine it of course must be matched up to something in both prefs.
Attached patch test version (obsolete) — Splinter Review
I've attached my untested version with with the pref changes and the changes to the config files mentioned in the previous comment. Everything compiles fine, but for some reason when I compiled against Kerberos 1.2.4 - I couldn't start the browser, even if I removed the libnegotiateauth.so file, the previous profile, and component.reg. I've tried on two seperate machines. I'll try again with 1.3.1 when I get a chance. The two prefs are listed below. They create themselves as empty strings if they aren't found. NegotiateAuth.delegationURIs NegotiateAuth.trustedURIs By default the module is not enabled, because I have no idea what, if anything would be a safe default because I have no idea what SPNEGO on that particular machine may support. Here are some examples of a valid pref, they can be whole domains, sub-domains, or even specific machines. You can prepend a protocol to any of these if you only want it to work for HTTP or HTTPS. Even putting a protocol by itself is valid if you want it to work for every site using that protocol (https for example). The list is semi-colon (;) seperated. NegotiateAuth.trustedURIs "www.somesite.com;https://wholedomain.com;https://" If you want it to work everywhere you can do this NegotiateAuth.trustedURIs "http://;https://" NegotiateAuth.delegationURIs works the same way but it is for a list of hosts, domains, etc that you trust enough to delegate to. This way we are not delgating to every web server. In order to delegate to a machine it of course must be matched up to something in both prefs.
I've been having trouble with recent builds (RH Linux), they build fine but the browser never starts. I don't think its related to this patch, though. The same code compiled and worked fine in Solaris x86, fails to start in Linux. Regarding the new prefs, just to be sure I understand: NegotiateAuth.delegationURIs == list of URI patterns. - if the URI matches this list, then the Delgation flag is enabled thus making it possible for the users creds to be forwarded if possible. NegotiateAuth.trustedURIs == list of URI patterns - If the URI matches this list, Negotiation is allowed to proceed. Is this correct? If so, then the default value for this list should be such that ALL URIs match and are allowed to proceed with negotiation. Users should be encouraged to tighten this control at their discretion, but initially it should not be restricted. Looking at the code submitted, it looks like if this pref is empty, then nsHttpGssapiAuth::ChallengeReceived is always going to return NS_ERROR_FAILURE because 'match' will return FALSE and the negotiation will not proceed. The default value for this should be such that all HTTP and HTTPS URIs match and are allowed to proceed with negotiation. I think the default should be: NegotiateAuth.trustedURIs="http://;https://" Someone really needs to test this latest bit pretty soon. I don't have a Windows server that uses Auth-Negotiate handy anymore (it was recently decommissioned), but I hope to get another one up and running soon.
(In reply to comment #130) >I've been having trouble with recent builds (RH Linux), they build fine but the >browser never starts. I don't think its related to this patch, though. The >same code compiled and worked fine in Solaris x86, fails to start in Linux. I tried with the nightly source tarball from yesterday and the official Mozilla 1.6 source, but I'll try again. > Regarding the new prefs, just to be sure I understand: > > NegotiateAuth.delegationURIs == list of URI patterns. > - if the URI matches this list, then the Delgation flag is enabled > thus making it possible for the users creds to be forwarded if > possible. Yes > NegotiateAuth.trustedURIs == list of URI patterns > - If the URI matches this list, Negotiation is allowed to proceed. > Is this correct? Yes > If so, then the default value for this list should be such that > ALL URIs match and are allowed to proceed with negotiation. > Users should be encouraged to tighten this control at their > discretion, but initially it should not be restricted. You always need to default to secure. Only a small percent of people will ever find this pref so unless the default is a secure configuration, it will almost never be changed. Since this patch includes SPNEGO support we have no idea what protocol's it may be autosending without the user's consent. There is no way to make an informed decision about the security impact of doing what you suggest. If enabling SPNEGO was a pref but Kerberos was the default, we could make an informed decision about the protocol because we actually know something about it, but SPNEGO is a big unknown. For example if the default was kerberos and not SPNEGO. I would feel more comfortable defaulting to "https://". I understand my suggestions will limit the visiblity of the plugin, but I'm uncertain how else to secure it. Suggestions? > Someone really needs to test this latest bit pretty soon. I don't have > a Windows server that uses Auth-Negotiate handy anymore (it was > recently decommissioned), but I hope to get another one up and > running soon. I should be able to test everything on Monday.
It's a wonderful idea to create the world's most secure system possible. I assume therefore that you will include in this patch, a default that disables basic authentication too? In all seriousness, I get worried when I see good patches like this (which will provide massive gains in system security and interopability) pushed to one side because they are not infinitly secure. The problem is, if the system is not using SPNEGO, then what are they using? SPNEGO is indeed a DOG - schemes like SASL at least have a flags system for how much protection each mech provides, and allows the admin to set 'nothing that exposes a plaintext pw' or similar flags. However, please do not let that get in the way of the widespread useability of this system, particularly in the corperate environment. Andrew Bartlett Samba Team
The middle ground solution to our dicussions is to only have it work automatically for the Intranet. The problem is there is no gui, or functions in Mozilla that will give us this. It is a security zones discussion and it belongs in bug 169106. Also, no one has listed what protocols they are going to support in SPNEGO, MS choose Kerberos and NTLM. I assume for compatiblity reasons someone else will choose this combination as well. Up to this point mozilla.org has choosen NOT to enable autosending of NTLM tokens without user input. Discussions on why we should or shouldn't support autosending NTLM tokens is Bug 231529. I don't even know what other protocol's people may want to support in SPNEGO because we are not using a Mozilla implementation, so I'm assuming NTLM support in SPNEGO is probably one of the least security painful protocols people will implement, but the list might be worse. The problem with SPNEGO is we need to limit the use of the protocol being autosent to the most security senstive protocol that it can negotiate and there is no way to know what that is. Only the user is qualified to decide this, not us.
Depends on: 169106
SPNEGO only negotiates available GSSAPI protocols. I don't know of any GSSAPI modules that do NTLM (except for the Microsoft SSPI, obviously). I think we have a philosophical difference in opinion as to who governs the security policy on the system. IMO, the administrator sets the security policy for the system and this includes configuring what GSSAPI protocols are available for negotiation via SPNEGO. I do not believe this should be a user-level decision, as most users will opt for the path of least resistance, which usually means disabling any hint of security because it usually involves an extra few keystrokes. Anyway, I think much of this debate is philosophical. At this time, Kerberos is the predominant GSSAPI security mechanism available on most unix platforms. SPNEGO is available on some, but even so, it usually just presents Kerberos as the only negotiable mechanism. So, at this time, I don't think its worth the time and effort to configure a new 'pref' to allow for tweaking of the SPNEGO mechanisms to be negotiated. Leave the patch as it currently stands - it presents SPNEGO if possible, else it defaults to KRB5. NTLM is not an issue unless someone can point to a GSSAPI-NTLM module that is supported on a platform that also supports SPNEGO and KRB5. The mechanisms that SPNEGO presents should be configured external to mozilla in a manner similar to however the system configures its GSSAPI offerings (example: See the /etc/gss/mech file in Solaris). SPNEGO and GSSAPI are not intrinsically tied to mozilla, obviously, so the browser should not break the administration model for those protocols by allowing another path for configuring them beyond what the OS itself already offers. I strongly dislike the "TrustedURIs" preference if it is going to default to basically disabling the whole extension. Is important to keep an eye on the ball here, which is to give Mozilla equal footing with IE in terms of supported authentication mechanisms, and, most importantly, bringing REAL single-sign-on capability for web browsing to the Unix world. Limiting this ability by overengineering security at this point is not going to help anyone. Im in favor of TrustedURIs if it defaults to being wide-open, as it currently is in IE. Default support for the Intranet is also acceptable to me since I believe that primary function of this method is for intranet usage anyway and less-so on the intERnet. SSO for internet usually involves something more complicated like Passport. I really want to wrap this up and see it appear in an actual release, I think we are close if we can agree on these final details and get someone to test Chris' latest additions.
>I'm in favor of TrustedURIs if it defaults to being wide-open, as it currently is in IE. IE defaults to the Intranet, they choose to not leave it wide open. If a site is not in the intranet zone, IE prompts the user with a password dialog in response to Negotiate (instead of continuing to auto-send user tokens without user input, which is what we are dicussing here.) This dialog is interesting, it is not for Basic (it won't fall below Negotiate and use Basic if even if both Negotiate and Basic our present), it will try to get a kerberos ticket for the user name and password entered (even if they are different than the person logged in), and if Kerberos can't be achieved, then NTLM data is created from that username/password and the NTLM data is sent.
Since mozilla cannot currently restrict things based on zones such as "intranet" as you describe in comment 133, then we should not try to restrict the URIs by default. Until someone writes an NTLM GSSAPI mechanism that is widely distributed with mozilla, the downgrade attack is purely hypothetical anyway. TrustedURIs is still a nice feature to have, but given the current state of the browser and the availability of pluggable GSSAPI frameworks that support SPNEGO and NTLM, I think making it default to tightly restricting the use of auth=negotiation is unecessary and it will make it harder for people to use this feature.
Have you checked how MS Windows handles this? My understanding is that if you use SPNEGO, you will be able to do an NTLMSSP authentication, if that's what the server wants. (This is certainly how it operates under CIFS) Also, I expect NTLMSSP to be available under SPENGO on posix platforms. Certain proprietory GSSAPI libs already provide it.
It works that way under CIFS because MS provides KRB5 and NTLM SSP modules for SPNEGO to negotiate. As far as I know (and this may well be wrong) I don't know of any NTLM GSSAPI modules in the Unix/POSIX world that are widely available. SPNEGO is completely independent from the underlying mechanisms that it negotiates. If the server says "I support KRB5 and NTLM", but the client only supports KRB5, then KRB5 will be used. There is no requirement that SPNEGO implementations support NTLM or that both sides support the same set, just that there is 1 overlapping mechanism that is supported. What POSIX platforms offer NTLM GSSAPI mechanisms? Linux - no. Solaris - no, HP-UX ???, AIX - ???, ***BSD - ???. Even so, its not really relevant here. The security that SPNEGO negotiates is not of any concern to mozilla. As long as this module is capable of offering KRB5 *OR* SPNEGO, the rest should fall into place. Also, this feature does not even require SPNEGO, it will offer KRB5 GSSAPI tokens if SPNEGO is not available on the system. If someone wants to create an NTLM-GSSAPI module and offer it to the world on various platforms under a friendly license, then it should work just fine. A proper SPNEGO mechanism should be able to handle the addition of new mechanisms later without a problem. The original intention of this bug was to make Kerberos authentication possible . This patch solves that problem in a way that is compatible with MS and uses open standards that can be extended. I dont think that the lack of NTLM negotation should influence the adoption of this particular feature.
>I dont think that the lack of NTLM negotation should influence the adoption of >this particular feature. it won't. so what version of the patch are we trying for now? chris: are you going to polish off attachment 140271 [details] [diff] [review] ("test version") or are we going to go with attachment 140190 [details] [diff] [review] ("Complete updated patch"). also, i would like to make sure that when this patch lands the Mozilla.org build systems are setup to enable GSSAPI support on all platforms that support it. it looks like OSX (Panther at least) includes the headers and libraries. and i think there are redhat packages for linux that i can install (please correct me if i'm wrong). what about windows? am i correct to understand that this code is not going to work under windows? do we need a different SSPI based solution under windows?
I'll get the test version' polished off today. As i'm sure you've seen there is some disagreement about the defaults. I can summarize the issues and I'll do my best to represent both sides in the next message. Then just let us know what you are willing to accept, we'll set the defaults to whatever you choose and submit it. >am i correct to understand that this code >is not going to work under windows? do we need a different SSPI based solution >under windows? Yes we probably do need an SSPI solution for Windows. Most people won't have MIT kerberos installed on their Windows box (although it would work).
An SSPI version of this same code needs to be done. I've done some coding with SSPI and GSSAPI interop in the past, its not too difficult. I would even go so far as to volunteer to work on this at some point, but I don't currently have an Win2K server setup to build or test on. So, initially, the new auth method will only work on Unix platforms that have the necessary GSSAPI support.
Attached patch updated (obsolete) — Splinter Review
My updates now work fine, but there is a problem. After applying the patch mozilla will still not start in Linux. I have no idea why this is, I don't believe the problem to be in my additions (or any of the .cpp files). I tested by building mozilla twice, once was a stock Moz 1.6 with no gssapi or negotiate options, and once with moz 1.6 with all of the required options gssapi and extention options enabled. The negotiateauth version will not start, although it compiles fine. The stock mozilla 1.6 built without authnegotiate built starts fine. I copied the libnegotiateauth.so file into the stock mozilla 1.6 build and the auth module even works fine. That's how I did my testing. I'm not sure where the problem lies, my guess is that it has something to do with the configure scripts. Is it possible that since my kerberos 1.3 libs and headers made it into the default build configs for every piece of mozilla that the mozilla build processes is somehow getting confused and compiling in the wrong header or library at some point in the build process? Again there are no compile errors. In my next post I'll attach the assertions I'm seeing, which appear whether I've left libnegotiateauth.so file in the build or have moved it out. I'm not a configure expert so I'm not sure how to just use the KRB5 lib directories and include files in the negotiateauth extention directory, but the would probably be the next logical test. Build env MIT kerberos 1.3.1 ./gmake --version GNU Make 3.79.1 ./gtk-config --version 1.2.10 ./glib-config --version 1.2.10 ./libIDL-config --version 0.6.8 ./m4 --version 1.4.1 ./automake --version automake (GNU automake) 1.5 ./autoconf --version (GNU autoconf) Autoconf version 2.13 gcc (GCC) 3.2.3 gcc-compile options "./configure --prefix=/usr/local/gcc_3.2.x_static/ --disable-shared --with-pic"
Attachment #134742 - Attachment is obsolete: true
Attachment #140270 - Attachment is obsolete: true
Attachment #140271 - Attachment is obsolete: true
I noticed this same problem but had not yet figured out where it was coming from. I did not see the same problem when I built the identical code with Solaris x86 and the native solaris GSSAPI headers/libs. I only noticed a problem when using MIT code on Linux.
i'll try building and running the patch on a Fedora Linux box w/ version 1.3.1 of the MIT krb5 implementation. i believe i may have access to a Win2k server for testing.
+NS_IMETHODIMP +nsHttpGssapiAuth::GetAuthFlags(PRUint32 *flags) +{ + // + // GSSAPI creds should not be reused across multiple requests. + // Only perform the negotiation when it is explicitly requested + // by the server. Thus, do *NOT* use the "REUSABLE_CREDENTIALS" + // flag here. + // + *flags = REQUEST_BASED; + return NS_OK; +} this is interesting. i thought i remember a previous version of this patch where CONNECTION_BASED was returned. the fact that this returns REQUEST_BASED means that NTLM will not work with this authenticator. NTLM authenticates individual TCP connections, and with the REQUEST_BASED flag, Necko will not guarantee that the same connection is used when sending the Type3 NTLM authorization header as was used when the Type1 NTLM authorization header was sent. are you sure the Negotiate auth protocol does not require CONNECTION_BASED? is this ok for Krb5 authentication?
I'm not exactly sure where the flags went, but this is what I think they should be: *flags = REQUEST_BASED | CONNECTION_BASED | IDENTITY_IGNORED; return NS_OK; I think the above is correct. I think that when I re-built the patch I somehow lost track of this piece.
Comment #90 indicates when the CONNECTION_BASED and IDENTITY_IGNORED flags were added.
> *flags = REQUEST_BASED | CONNECTION_BASED | IDENTITY_IGNORED; it does not make sense to set both of these flags. you should set one or the other but not both.
(In reply to comment #149) > > *flags = REQUEST_BASED | CONNECTION_BASED | IDENTITY_IGNORED; > > it does not make sense to set both of these flags. you should set one or the > other but not both. it's late ;) what i meant was that it does not make sense to set both REQUEST_BASED and CONNECTION_BASED. pick CONNECTION_BASED if you are authenticating individual connections and you need to have GenerateCredentials called more than once for the same connection. (note: CONNECTION_BASED implies that your authenticator is not RFC 2617 compliant.) otherwise, pick REQUEST_BASED.
REQUEST_BASED is the way to go then. Thanks for clarifying, Im not so clear on how these various flags work.
ok, then we are accepting that NTLM will not be supported by this Negotiate auth module. i just want to make sure we are clear on that point. it helps, i think, eliminate some of the concerns expressed previously about a GSSAPI implementation making use of NTLM. by setting REQUEST_BASED instead of CONNECTION_BASED, we are preventing NTLM from working.
I think NTLM would work if there were a GSSAPI implementation of it that SPNEGO could offer in the negotiation, but since there isn't, then its not really an issue. Even so, I think NTLM is less interesting and definitely less secure than Kerberos so if NTLM is forced out of the picture, its a Good Thing. The thing to remember with this scheme is that the authentication mechanisms must fit into the GSSAPI framework in order to be able to participate. NTLM auth that does not frame its tokens in GSSAPI is not eligible for the negotiation regardless of the flags. I expect that when the Windows/SSPI code is written, that NTLM will be a valid choice since Windows has an NTLM SSPI module to use as a negotiation option.
>I expect that when the Windows/SSPI code is written, that NTLM will be a valid >choice since Windows has an NTLM SSPI module to use as a negotiation option. no, it will not be an option if we do not specify CONNECTION_BASED. the point is that necko needs to do something special to support NTLM. here's how NTLM works: C: GET /blah ... S: 401 ... WWW-Authenticate: NTLM at this point the client typically opens a new connection (but that's not really important). C: GET /blah ... Authorization: NTLM (... Type1 messsage ...) S: 401 ... WWW-Authenticate: NTLM (... Type2 message ...) now, on the same connection that the client sent the Type1 message (<-- this is crucial), the client sends a Type3 message: C: GET /blah ... Authorization: NTLM (... Type3 message ...) S: 200 OK ... since Necko controls opening, reusing, and closing connections, it needs to be told about this special requirement of NTLM. so, if the Negotiate auth handler says it is REQUEST_BASED, then there is no way at all for it to support NTLM. this whole issue makes me wonder if Negotiate auth doesn't require CONNECTION_BASED as well. NOTE: a request based authenticator should be able to specify CONNECTION_BASED and be ok... also, it may happen that REQUEST_BASED appears to behave like CONNECTION_BASED except when Necko is heavily loaded down with requests for a particular host.
Microsoft's implementation is defintely connection based, and if multiple round trips are required - which many negotiations may require, this implementation will require it as well.
I've been convinced that SPNEGO (instead of Kerberos V5) is currently of little threat for the same reason it is currently of little value, there are almost no implementations and the ones that do exist only support KerberosV5 which is what you get if you don't support SPNEGO (minus some overhead). Did anyone with an RFC compliant SPNEGO implementation ever check to see if it worked against IIS, or will that be broken? We will of course need to re-dicuss the threats if we make an SSPI solution. Even making the assumption that Kerberos V5 will be Negotiated, it still should be over SSL. (default should be NegotiateAuth.trustedURIs="https://") Many sites with a kerberos implementation also have a kerberos shared key with another site, which means you may be asked to present your token out side of your intranet, and I don't think that should be able to happen withoug SSL without user consent. The token being sent is valuable if it can be stolen (Details: Only for ~5 minutes, and only a DNS spoof, or a man in the middle type attack, and it can't be replayed if the server has a replay cache enabled). The risk is small I admit, but it is up the the browser to protect the user's credentials and not autosend them unprotected without the user's input. I understand that this is somewhat painful for sites that have choosen to not protect internal resources using SSL, but the pain will go away if bug 169106 is fixed and user can choose through a GUI exactly what they trust.
I have tested with SPNEGO against IIS successfully. Of course, I had to hack my SPNEGO implementation to interoperate with MS because their SPNEGO (e.g. SSPI-Negotiate) mechanism is not RFC compliant. However, it does work if certain bits of the RFC are ignored or completely violated :) I am OK with allowing the default to be NegotiateAuth.trustedURIs="https://" Has anyone figured out why mozilla will not start in Linux when the extension is enabled? This was working up until some of the more recent patches were added, but Im still not sure what is causing the problem.
i haven't had a chance to test under linux yet... i probably won't have a chance until thursday :(
On an intranet, how many people actually manage to get IIS to talk HTTPS? My worry is that we have just newtered this patch again. What we really need is the security zones - trustedURIs seems such a compleatly wrong way to approach this.
(In reply to comment #159) > What we really need is the security zones - trustedURIs seems such a compleatly > wrong way to approach this. Well I think everyone probably agree's with you (me included), but security zones doesn't even have a target milestone. So if you want this feature in the near future, trustedURI's is the way to get it.
i agree. at least for 1.7 alpha/beta, let's keep our aim simple. this way there is some hope that folks can use this patch. btw, on an unrelated note, i suspect that in the future we will want to hide GSSAPI behind nsIAuthModule, and then make nsHttpNTLMAuth.cpp support both Negotiate and NTLM auth modules. the API for nsIAuthModule may need to be rev'd to realize this goal, and that can happen after this initial patch lands. having a Negotiate auth implemented behind an interface like nsIAuthModule that has nothing to do with HTTP makes it possible to incorporate this into IMAP, POP3, etc.
But that is what TrustedURIs it - a gui-less, likely-undocumented implementation of security zones. And anyway, why are all SSL servers trustworthy? I hate to be one of the many 'community members', cheering from the sidelines about how things should be fixed (as a member of the Samba Team, I certainly know the other end of that pointy stick), but as anything more than a 'half way' point, this seems really broken.
(In reply to comment #162) >And anyway, why are all SSL servers trustworthy? They aren't, that is why I've been so adamant that the SPNEGO must negotiate a protocol as strong or stronger than Kerberos. The reason Kerberos fits well here is that if the web site is not registered in your KDC or a KDC which your site shares a cross site key with, you won't get a ticket for it and so you will not even try to send it an authenticator or any other sensitive data. ChallengeRecieved will fail and other auth methods will be tried if available, all of the other methods HTTP Basic, NTLM, and Digest, all require user input, the user must now make the decision whether or not to trust the site. We are not trusting the site if it is protected under SSL, we are trusting that its DNS name has not been spoofed, and then we rely on the normal Kerberos mechanisms to determine if this site has been registered in a KDC (which can include Active Directory) with which the user is affiliated. Basically the Kerberos protocol has the notion of which servers you should give your credentials to built-in, but it can't make the decision of whether you should use SSL or not, because that depends on how much you trust the networks that the data is going to have to cross.
(In reply to comment #161) > i agree. at least for 1.7 alpha/beta, let's keep our aim simple. this way > there is some hope that folks can use this patch. I favor leaving the TrustedURIs list wide open, but will compromise by restricting it to HTTPS if the feature is documented well enough that people know how to remove this restriction to get it to work with unencrypted servers. > > btw, on an unrelated note, i suspect that in the future we will want to hide > GSSAPI behind nsIAuthModule, and then make nsHttpNTLMAuth.cpp support both > Negotiate and NTLM auth modules. the API for nsIAuthModule may need to be rev'd > to realize this goal, and that can happen after this initial patch lands. > having a Negotiate auth implemented behind an interface like nsIAuthModule that > has nothing to do with HTTP makes it possible to incorporate this into IMAP, > POP3, etc. I think this is an excellent idea. I was just talking to some people today who want to use GSSAPI or SASL/GSSAPI to talk to secure IMAP servers, so moving this to a more general location is a good idea for the future.
I do not want to require SSL as a default. There will be no Kerberos data sent unless I have trusts so there will be nothing sent over Internet unless I have set up a trust. Internaly I suspect most companies do not have SSL due to the complexities with certificate that requires. And it is internally most will want to use Kerberos login. Those who want to use Kerberos/SPNEGO over Internet will enable SSL if they think it is needed. A good documentation with both info on how to enable Kerberos use with Mozilla as well as description of what the security risks are, is needed to go with this addition to Mozilla.
(In reply to comment #165) > I do not want to require SSL as a default. > There will be no Kerberos data sent unless I have trusts so there will be nothing > sent over Internet unless I have set up a trust. > Internaly I suspect most companies do not have SSL due to the complexities > with certificate that requires. And it is internally most will want to use > Kerberos login. Those who want to use Kerberos/SPNEGO over Internet > will enable SSL if they think it is needed. In general users will not change a pref to get added security, they will only change it to get added functionality. We are also fighting a loosing battle, may users will hear the word kerberos and say why would I need SSL anyway? You can try to make it clear in documentation, most users won't read it. > A good documentation with both info on how to enable Kerberos use with > Mozilla as well as description of > what the security risks are, is needed to go with this addition to Mozilla. That's a good idea. Keep in mind that RedHat users at least will not have to do anything to get SPNEGO working (expect typing kinit and have a valid krb5.conf file) as long as they downloaded the binary of Mozilla from mozilla.org and their web servers are set up correctly. If they don't read the documentation they could be possibly sending SPNEGO tokens on demand inside or outside their network without even knowing it. These users will not know that they should have tweaked a pref to get added security, they didn't even know the feature existed.
I've been giving this alot of thought lately, and I've come to believe that requiring SSL is not a good idea for now. At least not until there is some sort of easy-to-understand interface for users who want to lessen the restriction. I know I said back in Comment #164 that I would compromise and allow for HTTPS to be the default, but I've come to believe that doing so would cripple this feature for 99% of the public who don't know how or where to go to tweak various user_pref items that are not presented in one of the GUI preferences windows. If they are used to accessing an intranet website with IE and then try to do it with the new mozilla because they read that it has support, they will be very disappointed to see that it doesn't work out of the box and will likely not know how to fix it (even if its documented clearly). If the site being accessed is deemed important, it probably already requires the use of SSL anyway, it maybe should not even be a client-side decision. I understand the risk of the spoof attack, but I'm not convinced that that risk outweighs the fact that restricting it by default effectively makes this feature useless to most people. Now, if someone wants to make additions to one of the "Privacy & Security" pages so that the new options are easily visible & modifyable, I would change my opinion (uh, yet again), but just adding another "secret" user_pref item is not terribly helpful. Finally - I have a new patch that seems to work in Linux (no longer fails to start the browser after being compiled) and Solaris. I need to do further testing, but should post it sometime Monday. What do we need to do to bring this issue to closure and get to the final code review steps?
> I know I said back in Comment #164 that I would compromise and allow for HTTPS > to be the default, but I've come to believe that doing so would cripple this > feature for 99% of the public who don't know how or where to go to tweak various > user_pref items that are not presented in one of the GUI preferences windows. > If they are used to accessing an intranet website with IE and then try to do Keep in mind to tweak this pref all you have to do is go to about:config and if you've tried to run the extention previously and failed, the required pref will be at the top of the list and in bold. Double click the pref and you can re-set it in the gui to anything you want. I'm sure most people all ready know this trick, but I wanted to put it down just in case people were judging the difficulty of setting this pref by assuming a user had to actually hand edit pref files. They don't. Not the gui we want for this, but it's not as bad as it sounds either. > with the new mozilla because they read that it has support, they will be very > disappointed to see that it doesn't work out of the box and will likely not know > how to fix it (even if its documented clearly). I believe you underestimate Unix users. (The only user group that will benefit from the current patch.) > If the site being accessed is deemed important, it probably already requires the > use of SSL anyway, it maybe should not even be a client-side > decision. It has to be a client side decision as well, you can't prevent a man in the middle attack by only requiring SSL at the server. If the client doesn't know the site he is going to is under SSL, the man in the middle can just spoof a non-ssl version of the site read/edit the data from the client and send and receive the repiles to/from the actual SSL encrypted site. > Finally - I have a new patch that seems to work in Linux (no longer fails to > start the browser after being compiled) and Solaris. I need to do further > testing, but should post it sometime Monday. Good work! That was a strange error, I'll be interested in seeing what caused it. > > What do we need to do to bring this issue to closure and get to the final code > review steps? The security decision about defaults is of course up to Darin, but whatever the decision, we do we need to make sure that the feature can be turned off, by leaving the pref there but with an empty string. (The default would only be used if the pref was not there at all. Then presumably, it would be automatically set to the default value for future use.)
>> with the new mozilla because they read that it has support, they will be very >> disappointed to see that it doesn't work out of the box and will likely not know >> how to fix it (even if its documented clearly). >I believe you underestimate Unix users. (The only user group that will benefit >from the current patch.) As there is an increased number of ordinary users on Unix, it would help making people move to the Unix desktop if things work out of the box. To have mozilla autmatically login using negotiate without changing preferences by hacking in a file (or using about:config) would be a nice thing to show the normal end user.
perhaps (and i'm not necessarily advocating this solution...) we could solve the security problem by prompting the user when the site is not SSL. we could give the user a checkbox that allows them to remember this site. that makes it very easy for the user to build up the whitelist. i think this would help minimize the annoyance factor, and in the future we could extend the permissions database and provide UI (perhaps as part of the security zones UI) to provide a better solution. thoughts?
(In reply to comment #170) User's like to Click OK on every box they see, so we would have to be careful about the wording, but we might be able to come up with something.
FYI, I'm working on revising the patch...
ok, here's what i'm thinking: it appears that the current patch (attachment 140465 [details] [diff] [review]) prevents negotiate auth whenever a host (or sub-domain of that host) does not appear on the "hostlist". and, i noticed that the same test is in both ChallengeReceived and GenerateCredentials. there's no point to duplicating the test as far as i can tell. and, moreover... it seems that GenerateCredentials set GSS_C_DELEG_FLAG only when a match has been found. but, GenerateCredentials is only called if a match was found when ChallengeReceived was called (they are always called in a pair). so, i think we should do the following: always set GSS_C_DELEG_FLAG in GenerateCredentials. make ChallengeReceived fail if the following conditions are met: (1) channel is not HTTPS (2) auth request is not for a proxy server (3) permissions database does not have an "ALLOW" entry for the host and the user chooses not to allow host via a prompt this gives us a good path moving forward b/c we can hope for a generic UI for all permissions in the permissions database. also, it means that we don't have to futz with host & sub-domain matching. i'm working to revise the patch. i cleaned up the configure.in code quite a bit, and i'll be posting a new patch here for testing. i'd really appreciate help testing it when it is ready. thanks!
Attached patch Updated 2/9/04 (obsolete) — Splinter Review
Sorry for the duplicate effort, but I updated the patch over the weekend and spent today testing/debugging it.
Attachment #140190 - Attachment is obsolete: true
(In reply to comment #173) > so, i think we should do the following: > always set GSS_C_DELEG_FLAG in GenerateCredentials. I don't think it should be set up this way. The two lists were never designed to be identical. It was designed so NegotiateAuth.trustedURIs would most likely contain a whole domain (or just a protocol) and NegotiateAuth.DelegateURIs would be a very tiny subset, probably just one or two hosts. Kerberos delegation is triggered by the GSS_C_DELEG_FLAG. That is the security equivalent to giving your password to the server for ~8 hours before it becomes useless. During this time the server can effectively be "you", and do anything that you can. This is a VERY useful feature at times, but it is not something you want to give to every server. In addition, most users won't want to do this or even know what it is, it increases the size of each request by ~1K, and in MIT Kerberos it puts a lot of traffic on your KDC (one request and reply from the KDC before EVERY request). I think that's the reason no one ever said much about it being hidden away in a pref, at least until a suitable permanent GUI can be put in place. So I suggest continuing as you stated, but turning off GSS_C_DELEG_FLAG by default and keeping the pref to turn it back on a per host basis. Then we can figure out a better GUI for it later.
- I agree with Chris - definitely do NOT set the DELEG flag in all cases, its dangerous at worst and will cause alot of failures for sites that do not automatically issue forwardable tickets. - The test in ChallengeReceived is different from the test in GenerateCredentials. The one in ChallengeReceived checks to see if the URI matches the TrustedURIs list. The one in GenerateCredentials checks to see if its in the "DelegationURIs" list. Its not a duplicated test. - I question the value in passing delegated creds to the web server in any case. Setting the DELEG flag "always" is not going to work. It only succeeds if the Kerberos TGT was created with the "Forwardable" flag - which is not always the default. If the "F" flag is not set and the GSSAPI client tries to send with the DELEG flag, the authentication will fail. I left it in place in my latest patch because it *might* be useful in rare circumstances, but I am not really in favor of passing TGTs to a web server. Unless that server is capable of assuming the identity of the user and using the delegated creds for something more than fetching pages, its not useful at all. - This auth method should never work for a proxy server, the spec is only for web server authentication, not proxy auth. - I left the default for TrustedURIs to be "https://;http://" in my patch. I know this is still under discussion, but thats my preference at this point and I had to stick something in there. Lets try not to veer to far from the current solution at this point, I think its 95% ready, we just need to come up with a solution for the remaining couple of items: 1. Default value for TrustedURIs ? Include "http://" or not ? 2. Delegation - is it useful or dangerous in web authentication ?
(In reply to comment #176) > - I question the value in passing delegated creds to the web server in any case. > Setting the DELEG flag "always" is not going to work. It only succeeds if the > Kerberos TGT was created with the "Forwardable" flag - which is not always the > default. If the "F" flag is not set and the GSSAPI client tries to send with > the DELEG flag, the authentication will fail. In MIT kerberos Authentication will still succeed it just won't send the delegated credential. I left it in place in my latest > patch because it *might* be useful in rare circumstances, but I am not really in > favor of passing TGTs to a web server. Delegation is one of the main reasons I want this patch. Although, I think it should be kept (maybe forever) in an obscure pref. Yes, delegation is risky, but its much less risky than sending your password to the server. (The only other way to delegate to the server). Here are a few uses: IIS server is starting to use these creds for lots of things, especially since most of the MS infrastructure is getting kerberized. The web server no longer has to be trusted to access network resources, instead it only has permissions to access what the user's temporary kerberos credentials have access to. (File shares, MS Exchange, and MS Sql server, other web servers). Also CGI's in apache could use these creds to check email, scp files around, access NFS mounts, access Oracle, execute commands on a remote host (ssh), or another web server (like a portal would). And you get all of this while having an Apache server which has no special priveleges if no users have recently logged in. I believe this makes it much more secure than users sending re-usable passwords to it which are good for a MUCH longer time. > - This auth method should never work for a proxy server, the spec is only for > web server authentication, not proxy auth. In fact, if the connection is not SSL, and IE detects that it is being asked to send SPNEGO through a proxy server, it won't do it. IE will not do non-ssl SPNEGO connections through a proxy server.
>Sorry for the duplicate effort, but I updated the patch over the weekend and >spent today testing/debugging it. Ack! I hope it hasn't changed much... >I don't think it should be set up this way. The two lists were never designed >to be identical. OK, I majorly overlooked the fact that those two functions were looking up different preferences!! Sorry for adding noise to this bug :-( Thanks for explaining the issues concerning delegation. I still think that using the permissions backend is the right thing to do. I think that ensures that we are using the right backend for this.. even well into the future. It isn't much more work. In fact, it is less work. All we need to do is define a permission bit for delegation, and then we are set.
> - This auth method should never work for a proxy server, the spec is only for > web server authentication, not proxy auth. ok, then we need to return a failure code when isProxyAuth is true. i'll add that to the patch i'm modifying. wyllys: i think i understand your recent changes. your changes appear to include making the patch apply cleanly, adding the trustedURIs default value, and some other minor fixup. can you please let me know if you changed anything else? thx!
can someone explain why mCtx is part of the "session state" and not the "continuation state"? if this were SSPI, i would expect it to be part of the continuation state, which is a property stored on the connection. session state is stored in a global location and is shared by all connections that use negotiate auth. since negotiate auth has multiple stages, it seems like this could cause problems... couldn't there be multiple contexts for different connections?
(In reply to comment #177) > > Here are a few uses: > > IIS server is starting to use these creds for lots of things, especially since > most of the MS infrastructure is getting kerberized. The web server no longer > has to be trusted to access network resources, instead it only has permissions > to access what the user's temporary kerberos credentials have access to. (File > shares, MS Exchange, and MS Sql server, other web servers). Agreed, IIS is one product that does properly support delegation. > > Also CGI's in apache could use these creds to check email, scp files around, > access NFS mounts, access Oracle, execute commands on a remote host (ssh), or > another web server (like a portal would). And you get all of this while having > an Apache server which has no special priveleges if no users have recently > logged in. I believe this makes it much more secure than users sending > re-usable passwords to it which are good for a MUCH longer time. Yes, in theory this is correct. Though Unix in general lacks alot of the functionality needed to do proper impersonation.
(In reply to comment #179) > > - This auth method should never work for a proxy server, the spec is only for > > web server authentication, not proxy auth. > > > ok, then we need to return a failure code when isProxyAuth is true. i'll add > that to the patch i'm modifying. Thanks! > > wyllys: i think i understand your recent changes. your changes appear to > include making the patch apply cleanly, adding the trustedURIs default value, > and some other minor fixup. can you please let me know if you changed anything > else? thx! Thats about it. Regarding the mCtx and the session state - I'm not sure if moving it to continuatoin state is correct or not. I seem to recall trying this in one of the early patches and I found it to be incorrect for some reason. I will test it locally and see if it makes a difference, if it works the same I will repost with the change.
> I still think that using the permissions backend is the right thing to do. I > think that ensures that we are using the right backend for this.. even well into > the future. It isn't much more work. In fact, it is less work. All we need to > do is define a permission bit for delegation, and then we are set. A few things to keep in mind for a future direction as were talking about the permissions backend. I think most people will want the ablitilty to put a domain (or subdomain) in the gui, so at some point I think we will want whole domain matching back. (I think the permission manager already works this way). They will might also want the ablity to put a optional protocol in with each entry. Also, in SSPI you actually want to turn the delegation flag on at all times. The reason is even though you always ask for delegation you won't get it unless the KDC Administrator trusted the service enough to put a special flag on the service called OK-AS-DELEGATE. It's hint to clients that the KDC admin believes that that a particular host actually needs your credential, and that he/she actually trusts it enough for you to give it to them. It's a pretty good system, I've even implemented it in MIT kerberos, so if possible, I'd like to take advantage of it there also.
(In reply to comment #183) > > I still think that using the permissions backend is the right thing to do. I > > think that ensures that we are using the right backend for this.. even well into > > the future. It isn't much more work. In fact, it is less work. All we need to > > do is define a permission bit for delegation, and then we are set. > > A few things to keep in mind for a future direction as were talking about the > permissions backend. I think most people will want the ablitilty to put a domain > (or subdomain) in the gui, so at some point I think we will want whole domain > matching back. (I think the permission manager already works this way). They > will might also want the ablity to put a optional protocol in with each entry. > I agree, domain matching is a desirable feature. Thats what I do like about the current patch - it matches URI substrings which gives the user alot of flexibility in how they configure this feature. > Also, in SSPI you actually want to turn the delegation flag on at all times. > The reason is even though you always ask for delegation you won't get it unless > the KDC Administrator trusted the service enough to put a special flag on the > service called OK-AS-DELEGATE. It's hint to clients that the KDC admin believes > that that a particular host actually needs your credential, and that he/she > actually trusts it enough for you to give it to them. It's a pretty good system, > I've even implemented it in MIT kerberos, so if possible, I'd like to take > advantage of it there also. > Have you considered donating this back to MIT? It sounds like a good feature that they might consider.
(In reply to comment #181) > Yes, in theory this is correct. Though Unix in general lacks alot of the > functionality needed to do proper impersonation. Just curious what you mean here? Isn't it problem of the authentication (or authorisation) mechanism rather than OS?
(In reply to comment #184) > I agree, domain matching is a desirable feature. Thats what I do like about the > current patch - it matches URI substrings which gives the user alot of > flexibility in how they configure this feature. The permission manager does that to. You could add youcorp.com to it, and it will accept something.yourcorp.com too. It doesn't work the other way, so yourcorp.com.evil.com doesn't get accepted. So to prevent code duplication, i think it is a good idea to just use the perm manager. Maybe it needs to be extended to accept protocols though, but that is fixable.
I'm not able to build the current patch with Heimdal (the configure script seemd to fail to detect correctly Heimdal's enviroment) and the build fails. Before starting looking into this, I'd like to ask what's the purpose for having both the configure options --with-gssapi=DIR and --enable-gssapi. Isn't the latter useless (I suppose when I specify I want to build the negotiateauth extension the GSSAPI libraries are available either at default place or where specified by --with-gssapi=DIR). What's --enable-gssapi good for than?
>Maybe it needs to be extended to accept protocols though, but that is fixable. yeah, this is the only real issue with the permission manager at the moment. i think we can live with that for the first installment of this patch. using the permission manager without UI means that instead of hand modifying prefs.js files, users will need to hand modify their hostperm.1 file. of course, hand modifying these files is really undesirable. what would be ideal is for us to create some UI for this. the UI could even start out as a mozdev extension. also, the permission manager is capable of storing the delegation flag per host as well. in fact, nsIPermissionManager allows a permission value to be any number between 1 and 15, where 0, 1, and 2 have predefined meanings: UNKNOWN_ACTION, ALLOW_ACTION, and DENY_ACTION respectively. in my patch, i have used the 3rd bit to indicate the delegation flag. in other words, a value of 5 stored in the permissions database means "allow action" and "allow delegation". > I'm not able to build the current patch with Heimdal.. Daniel, in my version of the patch i have eliminated --enable-gssapi. instead, if negotiateauth is specified as an extension (and i have made it a default extension), then configure.in will try to look for gssapi. if you specify --with-gssapi, then it only configures GSSAPI_DIR. i'll be posting a revised patch shortly...
(In reply to comment #187) > I'm not able to build the current patch with Heimdal (the configure script seemd > to fail to detect correctly Heimdal's enviroment) and the build fails. Before > starting looking into this, I'd like to ask what's the purpose for having both > the configure options --with-gssapi=DIR and --enable-gssapi. Isn't the latter > useless (I suppose when I specify I want to build the negotiateauth extension > the GSSAPI libraries are available either at default place or where specified by > --with-gssapi=DIR). What's --enable-gssapi good for than? --with-gssapi was meant for sites with the GSSAPI stuff installed in a non-standard location. Obviously, "with-gssapi" implies "enable-gssapi", so both are not necessary. I envisioned "--enable-gssapi" to be sufficient for most sites since the configure script was supposed to be smart enough to figure out where to find the libraries. I did testing with Heimdal a while ago, but not lately, so I'm not surprized there is some breakage.
Attached patch v2 patch (obsolete) — Splinter Review
here's an updated patch that leverages the permission manager as we've been discussing. it adds a dialog with a checkbox allowing users to suppress the dialog in the future. there is of course no UI (yet) to manage the remembered settings.
Attachment #40197 - Attachment is obsolete: true
Attachment #122480 - Attachment is obsolete: true
Attachment #134646 - Attachment is obsolete: true
Attachment #140465 - Attachment is obsolete: true
Attachment #141010 - Attachment is obsolete: true
Daniel, Wyllys, Chris: can you guys please take a look at this patch, try it out, and make sure it works (and is reasonable to each of you). thanks! mvl: can you please review the way i'm using the permission manager? thanks!
I like the permission manager use. It worked fine in Solaris. The configure.in script needs a small fix for the Solaris "-lgss" case: Add "-L" to the GSSAPI_LIBS definition. ... if test -z "$GSSAPI_LIBS" ; then AC_CHECK_LIB(gss, gss_init_sec_context, [GSSAPI_LIBS="-L$GSSAPI_DIR/lib -lgss"],) ^^^^ fi ... Also, I am posting a new nsHttpGssapiAuth.cpp file that uses a ContinuationState instead of SessionState to hold the gss context record. I think this is more correct and it works fine in my testing.
Minor fix to Darin's most recent patch, this one uses continuationState instead of sessionState
As before, use continuationState instead of sessionState. Previous attachment had a bug.
Attachment #141074 - Attachment is obsolete: true
thx wyllys!
Attachment #141066 - Attachment is obsolete: true
Attachment #141075 - Attachment is obsolete: true
If you don't check the box to remember your decision, it will prompt you both in ChallengeRecieved and in GenerateCredentials. You should never prompt a user in generatecreentials because it is called with EVERY request. For some reason it always DELEGATES. This the following statement is always true. (I don't yet understand why.) if (perm & NEGOTIATE_PERM_DELEGATE) { + LOG((" using GSS_C_DELEG_FLAG\n")); + req_flags |= GSS_C_DELEG_FLAG; + } The message you put in the popup is somewhat misleading. The webserver that you are trying to access will almost always be a webserver you know and trust, the issue is that its not over SSL. I'll have more time tomorrow to look at this.
Also if you click no and save the response, it will also never prompt you for SPNEGO again not even over SSL.
chris: thanks for catching those problems... i can solve the double prompting problem easily, but the other problem is more difficult. unfortunately, the permission manager doesn't allow us to distinguish different protocols on the same host. i have some ideas about how to solve that problem...
(In reply to comment #185) > (In reply to comment #181) > > Yes, in theory this is correct. Though Unix in general lacks alot of the > > functionality needed to do proper impersonation. > > Just curious what you mean here? Isn't it problem of the authentication (or > authorisation) mechanism rather than OS? The question is what to do with the delegated credentials once the server has accepted them. In an Active Directory environment, a users credentials (Tickets) contain lots of extra information (the infamous PAC data) that the server can use to further impersonate the authenticated user and take actions on their behalf in separate threads. A unix process can crudely assume a user's identity by calling "seteuid(newuid)", performing some actions, and switching back to its original (most likely 'root') user identity - OR it can fork a new process under the uid of the authenticated user and perform actions as if it were that user, using the delegated credentials. My original point was that Active Directory has a much better system for handling user impersonation and delegation of privileges and credentials. In Unix its alot easier to abuse the delegated credentials, intentionally or by poorly designed services that are using them.
I succeeded in building the patch with Heimdal (I'll send modifications to discuss shortly). When accessing an Negotiate-secured page page I've noticed annoying behaviour when the server is contacted two times when I push the reload button. Sniffing the communication I recognized that the first http GET request doesn't contain the Authorization: Negotiate XXX header, the server replies with WWW-Authenticace Negotiate sent in an 401 reply, and only this message is replied by mozilla with correct Authorization: Negotiate header. Excerpt from my log (both records generated by a single clicking the Reload button): 147.251.3.54 - - [12/Feb/2004:11:46:45 +0100] "GET /secure-gss/ HTTP/1.0" 401 506 147.251.3.54 - kouril@ICS.MUNI.CZ [12/Feb/2004:11:46:45 +0100] "GET /secure-gss/ HTTP/1.0" 304 0 Is it possible that the browser remembers the method required from previous communications without these additional messages? I guess the problem is caused by the REUSABLE_CREDENTIALS flag not being set for Negotiate, but don't know what's the best way to correct (since the credentials shouldn't be reused, certainly).
> I succeeded in building the patch with Heimdal (I'll send modifications to > discuss shortly). these are only typos corrections: --- configure.in Thu Feb 12 13:19:27 2004 +++ configure.in.dan Thu Feb 12 13:08:07 2004 @@ -3764,6 +3764,7 @@ LIBS="$LIBS -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" AC_CHECK_LIB(gssapi_krb5, gss_init_sec_context, [GSSAPI_LIBS="-L$GSSAPI_DIR/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err"],) + LIBS="$_SAVE_LIBS" fi dnl dnl If GSS libs were STILL not found, try looking for Heimdal @@ -3772,12 +3773,12 @@ if test -z "$GSSAPI_LIBS" ; then if test -x "$GSSAPI_DIR/bin/krb5-config" ; then krb5cfg="$GSSAPI_DIR/bin/krb5-config" - TMP_GSSAPI_LIBS=`$krbcfg --libs gssapi 2>/dev/null` - TMP_GSSAPI_INCLUDES=`$krbcfg --cflags gssapi 2>/dev/null` + TMP_GSSAPI_LIBS=`$krb5cfg --libs gssapi 2>/dev/null` + TMP_GSSAPI_INCLUDES=`$krb5cfg --cflags gssapi 2>/dev/null` LIBS="$LIBS $TMP_GSSAPI_LIBS" AC_CHECK_LIB(gssapi, gss_init_sec_context, - [GSSAPI_LIBS="$TMP_GSSAPI_LIBS", + [GSSAPI_LIBS="$TMP_GSSAPI_LIBS" GSSAPI_INCLUDES="$TMP_GSSAPI_INCLUDES"], [GSSAPI_LIBS=""]) fi
(In reply to comment #201) > > I succeeded in building the patch with Heimdal (I'll send modifications to > > discuss shortly). > > these are only typos corrections: > --- configure.in Thu Feb 12 13:19:27 2004 > +++ configure.in.dan Thu Feb 12 13:08:07 2004 > @@ -3764,6 +3764,7 @@ > LIBS="$LIBS -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" > AC_CHECK_LIB(gssapi_krb5, gss_init_sec_context, > [GSSAPI_LIBS="-L$GSSAPI_DIR/lib -lgssapi_krb5 -lkrb5 -lk5crypto > -lcom_err"],) > + LIBS="$_SAVE_LIBS" > fi > dnl > dnl If GSS libs were STILL not found, try looking for Heimdal > @@ -3772,12 +3773,12 @@ > if test -z "$GSSAPI_LIBS" ; then > if test -x "$GSSAPI_DIR/bin/krb5-config" ; then > krb5cfg="$GSSAPI_DIR/bin/krb5-config" > - TMP_GSSAPI_LIBS=`$krbcfg --libs gssapi 2>/dev/null` > - TMP_GSSAPI_INCLUDES=`$krbcfg --cflags gssapi 2>/dev/null` > + TMP_GSSAPI_LIBS=`$krb5cfg --libs gssapi 2>/dev/null` > + TMP_GSSAPI_INCLUDES=`$krb5cfg --cflags gssapi 2>/dev/null` Good catch - I was close :) > > LIBS="$LIBS $TMP_GSSAPI_LIBS" > AC_CHECK_LIB(gssapi, gss_init_sec_context, > - [GSSAPI_LIBS="$TMP_GSSAPI_LIBS", > + [GSSAPI_LIBS="$TMP_GSSAPI_LIBS" Also, good catch. > GSSAPI_INCLUDES="$TMP_GSSAPI_INCLUDES"], > [GSSAPI_LIBS=""]) > fi
(In reply to comment #201) > these are only typos corrections: and here's something more questionable: --- configure.in Thu Feb 12 13:19:27 2004 +++ configure.in.dan Thu Feb 12 13:08:07 2004 @@ -3795,8 +3796,9 @@ dnl Try to determine if the GSS_C_NT_HOSTBASED_SERVICE value is dnl defined. Older MIT releases did not define this correctly. dnl + GSSAPI_INCLUDES="$GSSAPI_INCLUDES $GSSAPI_INCLUDES/gssapi" AC_CHECK_HEADERS([gssapi/gssapi_generic.h]) - AC_TRY_COMPILE([ #include <gssapi/gssapi.h> ], + AC_TRY_COMPILE([ #include <gssapi.h> ], [ gss_OID oid = GSS_C_NT_HOSTBASED_SERVICE; ], [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE)],[]) fi --- extensions/negotiateauth/nsHttpGssapiAuth.cpp.dan Thu Feb 12 13:08:07 2004 +++ extensions/nnn/nsHttpGssapiAuth.cpp Thu Feb 12 13:19:27 2004 @@ -54,7 +54,7 @@ #endif #include <stdlib.h> -#include <gssapi.h> +#include <gssapi/gssapi.h> #ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H #include <gssapi/gssapi_generic.h> #endif I suggest to include just gssapi.h without any directory specified. This is much more portable since e.g. Heimdal doesn't store the gssapi.h file in a separate subdirectory. Similarly for other GSSAPI implementations (at least GSI according to my knowledge)
Thanks for the feedback guys...
Status: NEW → ASSIGNED
Priority: P3 → P2
Target Milestone: mozilla1.7alpha → mozilla1.7beta
Darin - Do you need any more code updates or information from anyone to get this into 1.7beta? Its been quiet here for a while and I wanted to follow up to see what the status is.
Wyllys: i should be posting a revised patch early this week. (i've been busy with other things.)
I noticed a small bug in the most recent patch posted by Darin. In configure.in + dnl + dnl If GSSAPI libs were not found, remove extension from the list to be + dnl built. + dnl + if test -z "$GSSAPI_LIBS" ; then + AC_MSG_WARN([Cannot build negotiateauth without GSSAPI. Removing negotatiate from MOZ_EXTENSIONS.]) + MOZ_EXTENSIONS=`echo $MOZ_EXTENSIONS | sed -e 's|xmlterm||'` ^^^^^^^^ That should probably be "negotiateauth" instead of "xmlterm", eh?
> That should probably be "negotiateauth" instead of "xmlterm", eh? yes, thank you for pointing that out. i will correct that before posting a new patch.
To summarize and focus on the current concern... So, the steps are basically: * client sends a get * server sends auth required * client asks some library for a ticket. * library does some stuff and response with a blob that the client sends back to server. * server verifies the user based on the received blob. These step are perfectly valid and if implemented correctly are secure. There are security problems with the next step. Since this implementation isn't going to encrypt the traffic between the server and client with the session key and we are considering allowing keberos over http (non-ssl) connections, man-in-the-middle attacks is possible. This isn't that big of a deal since the end goal, i presume, is to use this system to replace basic auth with is susceptible to both man-in-the-middle AND replay attacks. The concern here is that with Basic Auth, you will get a password dialog at least once per session and with the kerberos local client we aren't sure we will get any prompt. If there isn't a prompt at some point during the session, an attacker can cause a page load and act as the man-in-the-middle without ever having the user aware of this. Does this summarize the concern properly?
> Does this summarize the concern properly? Yes, good summary.
well, i would have thought it would be the responiblity of the kerberos library to ensure that access to single signon data is restricted. Any GSSAPI experts care to comment? In any case, we could just display a dialog similar to those which are displayed during https loads (such as mixed content, page transition from secure to insecure and visa versa). But, I am not sure that these dialog protect the user any better than not having them (assumption is that most users just blindly click OK).
(In reply to comment #211) > well, i would have thought it would be the responiblity of the kerberos library > to ensure that access to single signon data is restricted. Any GSSAPI experts > care to comment? What do you mean by "restricted" ? A user and service credentials (tickets) are protected with standard file permissions so that others may not read (or write) your tickets. MITM attacks are possible for all HTTP authentication methods that are not bound by SSL. This is an inherent weakness in the HTTP protocol. GSSAPI/Kerberos at least removes the Replay Attack scenario (outside of the typical 5 minute time sync window). Mutual authentication is also possible with GSSAPI/Kerberos, so the client may verify that it is talking to the "real" server. > > In any case, we could just display a dialog similar to those which are displayed > during https loads (such as mixed content, page transition from secure to > insecure and visa versa). But, I am not sure that these dialog protect the user > any better than not having them (assumption is that most users just blindly > click OK). I see little benefit to adding another dialog popup.
At this point, I'm leaning toward ripping out the nsIPermissionManager code and the prompting I added in the previous patch. I think a preference based solution as cneberg originally implemented may be best. It will be easier for IS departments and end-users to configure. The nsIPermissionManager based solution is not ideal since the settings are not easily edited by end-users or IS departments. I'm also very concerned about the fast approaching 1.7 beta deadline, and I want to get something into the tree. The big question is: what should the default value of "trustedURIs" be set to? We've debated back and forth on this issue. I think it comes down to expectations... i.e., do we need to solve the MITM exploit at this level? My sense is that we should start out with a more restrictive solution. We start out with only allowing kerberos auth over HTTPS, and then we document this feature in the release notes. Sound like a plan?
> "to ensure that access to single signon data is restricted." I meant basically, shouldn't the Kerberos local client worry about this prompting the user for creditials? Darin, restricting this authenication scheme to https is a good idea -- even better with a preference based whitelist of hosts that an IS person can add to. With that, I do not think you need to have any kind of dialog.
(In reply to comment #213) > At this point, I'm leaning toward ripping out the nsIPermissionManager code and > the prompting I added in the previous patch. I think a preference based > solution as cneberg originally implemented may be best. It will be easier for > IS departments and end-users to configure. The nsIPermissionManager based > solution is not ideal since the settings are not easily edited by end-users or > IS departments. I'm also very concerned about the fast approaching 1.7 beta > deadline, and I want to get something into the tree. YES. ME TOO! > > The big question is: what should the default value of "trustedURIs" be set to? > We've debated back and forth on this issue. I think it comes down to > expectations... i.e., do we need to solve the MITM exploit at this level? > > My sense is that we should start out with a more restrictive solution. We start > out with only allowing kerberos auth over HTTPS, and then we document this > feature in the release notes. > > Sound like a plan? Thats fine with me, but I would like it to be clearly documented so that people will know how to enable the feature for non-SSL sites and that they will know that the support actually exists. Maybe for the next release, the security panel could be modified to show the options for this feature. Perhaps an "Authentication" panel in the "security & privacy" section of the configuration dialog where various authentication related options could be placed.
(In reply to comment #215) > Maybe for the next release, the security panel could be modified > to show the options for this feature. Perhaps an "Authentication" > panel in the "security & privacy" section of the configuration dialog > where various authentication related options could be placed. getting UI changes into 1.7 for this feature is going to be difficult. i think we may end up resorting to release notes + about:config as the configuration solution for 1.7 :-(
Attached patch v3 patch (obsolete) — Splinter Review
ok, here's the revised patch. it includes the autoconf changes plus changes for the recent talk about prefs, etc. folks, please look this over and let me know if you see something out of wack. i don't have a kerberos setup, so i have not been able to fully test this patch. however, i have tested the whitelisting pref feature, and it appears to work correctly.
Attachment #141086 - Attachment is obsolete: true
Attachment #143338 - Flags: superreview?(bryner)
Attachment #143338 - Flags: review?(dougt)
setting blocking 1.7b flag to get this feature on drivers' radar.
Flags: blocking1.7b?
There are a couple of bugs in the configure.in script dealing with the location of the gssapi header files. GSSAPI headers are almost always located in a "gssapi" subdirectory such as "/usr/kerberos/include/gssapi" or "/usr/include/gssapi". Startng at line 5872: + dnl + dnl Try to set GSSAPI_INCLUDES ... + dnl + AC_CHECK_HEADERS(gssapi.h, + [GSSAPI_INCLUDES="-I$GSSAPI_DIR/include"]) + if test -z "$GSSAPI_INCLUDES" ; then + AC_CHECK_HEADERS(gssapi/gssapi.h, + [GSSAPI_INCLUDES="-I$GSSAPI_DIR/include"]) + fi Later, at line 5782: + AC_CHECK_HEADERS([gssapi/gssapi_generic.h]) + AC_TRY_COMPILE([ #include <gssapi/gssapi.h> ], + [ gss_OID oid = GSS_C_NT_HOSTBASED_SERVICE; ], + [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE)],[ + AC_MSG_WARN([GSS_C_NT_HOSTBASED_SERVICE not found]) + ]) Use AC_MSG_WARN instead of AC_MSG_ERROR or else the config will fail on systems that don't have GSS_C_NT_HOSTBASED_SERVICE, which is not the intention of that test.
thanks for the feedback wyllys. i'll fix up those autoconf issues shortly.
nelson, can you also review... we are looking to get many eyes on this since time is short to get reviewed and integrated for Mozilla 1.7beta
(In reply to comment #219) > There are a couple of bugs in the configure.in script dealing with the location > of the gssapi > header files. GSSAPI headers are almost always located in a "gssapi" subdirectory > such as "/usr/kerberos/include/gssapi" or "/usr/include/gssapi". Not always. Heimdal (and e.g. Globus as an example of non-krb5 GSSAPI implementation) store the header (they only export gssapi.h) in the include/ subdirectory. I tested the v3 patch with Heimdal and it builds like a charm, including the configuration stage. So please keep this scenario in mind when doing any changes to the configure script.
I can still see the problem described in comment #200. Mozilla isn't able to remember that the Negotiate method is required to access previously visited pages (or pages which are lower in the directory hieararchy). If I have e.g. a page containing images (stored in the same directory as the page), mozilla first authenticates to receive this pahe and then tries to get all the images without the Negotiate header, and only after the server replies with 401, it sends correct headers. Similarly when I push the reload button, mozilla first try accessing without the Authorization: header beining set. Is it possible to make mozilla work similarly as in e.g. case of Basic authentication, when mozilla remembers that a particular URL (and any other (lower) URLs starting with this URL) requires authentication and sends the username/password pair automaticaly?
Provided this patch gets approved and commited to the main trunk, are you planning to ship it as part of standard binary Mozilla distributions? If so, will the GSSAPI libraries staticaly linked to the binary, or dynamicaly leaving the possibility for the users to choose their local installation?
(In reply to comment #222) > (In reply to comment #219) > > There are a couple of bugs in the configure.in script dealing with the location > > of the gssapi > > header files. GSSAPI headers are almost always located in a "gssapi" > subdirectory > > such as "/usr/kerberos/include/gssapi" or "/usr/include/gssapi". > > Not always. Heimdal (and e.g. Globus as an example of non-krb5 GSSAPI > implementation) store the header (they only export gssapi.h) in the include/ > subdirectory. I tested the v3 patch with Heimdal and it builds like a charm, > including the configuration stage. So please keep this scenario in mind when > doing any changes to the configure script. The configure script uses 'krb5-config --cflags gssapi' to determine the correct paths when using Heimdal, so this should not be a problem as long as that script works as expected.
(In reply to comment #224) > Provided this patch gets approved and commited to the main trunk, are you > planning to ship it as part of standard binary Mozilla distributions? If so, > will the GSSAPI libraries staticaly linked to the binary, or dynamicaly leaving > the possibility for the users to choose their local installation? It should definitely be dynamic, IMO. static libs are BAD.
(In reply to comment #226) > The configure script uses 'krb5-config --cflags gssapi' to determine the > correct paths when using Heimdal, so this should not be a problem as long > as that script works as expected. Some installation doesn't have the krb5-config script installed but still have correct GSSAPI development enviroment available (e.g. Heimdal in OpenBSD). Moreover another (non-krb5) GSSAPI installations don't have such a script at all. In these cases the configure script should still be able to detect the headers/libraries.
(In reply to comment #226) > It should definitely be dynamic, IMO. static libs are BAD. I agree, if it doesn't conflict with some Mozilla installation/deployment requirements.
> Some installation doesn't have the krb5-config script installed but still have > correct GSSAPI development enviroment available (e.g. Heimdal in OpenBSD). > Moreover another (non-krb5) GSSAPI installations don't have such a script at > all. In these cases the configure script should still be able to detect the > headers/libraries. Regardless, I think the current configure script and code should support the gssapi.h file being in either */include or */include/gssapi/ From configure.in: ..... dnl dnl Try to set GSSAPI_INCLUDES ... dnl AC_CHECK_HEADERS(gssapi.h, [GSSAPI_INCLUDES="-I$GSSAPI_DIR/include"]) if test -z "$GSSAPI_INCLUDES" ; then AC_CHECK_HEADERS(gssapi/gssapi.h, [GSSAPI_INCLUDES="-I$GSSAPI_DIR/include"]) fi CPPFLAGS="$_SAVE_CPPFLAGS $GSSAPI_INCLUDES" .... The "AC_CHECK_HEADERS" tests set the following definitions: HAVE_GSSAPI_H or HAVE_GSSAPI_GSSAPI_H And from ntHttpGssapiAuth.cpp: #if defined(HAVE_GSSAPI_H) #include <gssapi.h> #elif defined(HAVE_GSSAPI_GSSAPI_H) #include <gssapi/gssapi.h> #endif So, it appears that the alternate locations for gssapi.h are handled.
(In reply to comment #229) > Regardless, I think the current configure script and code should support the > gssapi.h file being in either */include or */include/gssapi/ I agree > So, it appears that the alternate locations for gssapi.h are handled. Yes, it does. Reacting to your message saying that most of the installation use the gssapi subdirectory, I just wanted to note that there are another installations not doing so, and that behaviour of the configure should be retained.
the current patch builds libnegotiateauth.so, which will be loaded dynamically by mozilla when it encounters a page that requires "Negotiate" authentication. if dlopen fails, then the negotiateauth feature will simply be ignored by mozilla. it would obviously fail to load if the necessary gssapi libraries are not present on the end user's system. this same build configuration will still be used when the main mozilla code is compiled and linked into a single executable (the so called static build of mozilla, which firefox uses). as for getting mozilla builds to ship with this feature, if we're successful getting the patch in for 1.7, then i'll work on making sure that the official linux builds include this component. we might enable it for OSX as well. all other unix builds are community contributed, so we'd need to talk to those folks to see about enabling this in their builds.
Comment on attachment 143338 [details] [diff] [review] v3 patch >+void >+nsGssapiContinuationState::Reset() >+{ >+ if (mCtx != GSS_C_NO_CONTEXT) >+ { Be consistent about brace style. >+ if (len > kNegotiateLen) { >+ challenge += kNegotiateLen; >+ while (*challenge == ' ') challenge++; >+ len = strlen(challenge); >+ >+ input_token.length = (len * 3)/4; I assume this does not need to be null terminated. >+ char *hostList; >+ if (NS_FAILED(prefs->GetCharPref(pref, &hostList)) || !hostList) >+ return PR_FALSE; >+ I think you're leaking hostList. >+ // pseudo-BNF >+ // ---------- >+ // >+ // url-list base-url ( base-url "," LWS )* >+ // base-url ( scheme-part | host-part | scheme-part host-part ) >+ // scheme-part scheme "://" >+ // host-part host [":" port] >+ // >+ // for example: >+ // "https://, http://office.foo.com" >+ // >+ >+ char *start = hostList, *end; >+ for (;;) { >+ // skip past any whitespace >+ while (*start == ' ' || *start == '\t') >+ ++start; >+ end = strchr(start, ','); >+ if (!end) >+ end = start + strlen(start); >+ if (start == end) >+ break; >+ if (MatchesBaseURI(scheme, host, port, Substring(start, end))) Is there extra overhead from constructing a Substring object here? I notice it's manipulated in MatchesBaseURI mostly with standard libc string functions. Would it be faster to just use strncmp() in MatchesBaseURI, or is Substring() really close to no overhead? >+ // if we didn't parser out a host, then assume we got a match. "parse" sr=bryner with those points addressed.
Attachment #143338 - Flags: superreview?(bryner) → superreview+
thanks bryner! i also removed MODULE_NAME from Makefile.in since we want this component to remain dynamic even in static mozilla builds.
Attachment #143338 - Flags: review?(dougt) → review+
Comment on attachment 143338 [details] [diff] [review] v3 patch requesting drivers approval for 1.7b
Attachment #143338 - Flags: approval1.7b?
Attached patch v3.1 patchSplinter Review
here's the revised patch. i've tested this on rh9 and fc1. in both cases the configure fu correctly detects the kerberos headers and libs. this should be sufficient to enable us to build linux and osx nighties with kerberos support included. if we need to make further autoconf changes for other platforms, we can do so as a follow-up patch.
Attachment #143338 - Attachment is obsolete: true
Comment on attachment 143338 [details] [diff] [review] v3 patch a=chofmann for 1.7b
Attachment #143338 - Flags: approval1.7b? → approval1.7b+
v3.1 patch checked in for Mozilla 1.7 beta. Now to ensure that the build machines have GSSAPI installed :-) this bug remains open for the SSPI work.
chofmann suggested that i open a new bug for the WIN32 implementation. he makes the point that we want to be able to have a closed bug for bug tracking and testing purposes. so, marking FIXED. see bug 237586 for the SSPI implementation for Windows.
Blocks: 237586
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Summary: I want Kerberos authentication and TGT forwarding → I want Kerberos authentication and TGT forwarding [using GSSAPI]
Flags: blocking1.7b?
While it's very nice to see Mozilla now supports Kerberos authentication, I'm having a tough time finding documentation on how to use it. What Apache module(s) are supported? What about IIS? If documentation is available, where is it available? If no documentation has been written would you like some help writing it?
By default, mozilla will only respond to requests for "Negotiate" authentication over an https connection. However, this can be overridden by setting the following configuration parameters (see the "about:config" page to quickly find and set these): network.negotiate-auth.delegation-uris "http://,https://" network.negotiate-auth.trusted-uris: "http://,https://" It is highly recommended that sites that use Negotiate authentication also protect those connections with TLS (SSL) and do proper certificate validation on the TLS session. These options can obviously be made alot more specific. For example, if you only want to trust specific sites, add their URLs in a comma separated list. ex: http://foo.bar.com,https://foo.bar.com There are several apache modules out there that seem to work OK. Daniel Kouril (the original author of this extension) has one at: http://modauthkerb.sourceforge.net that will work. I am also working on a simple module that just supports the Negotiate method and removes the dependencies on the Kerberos API. However, until one of these modules gets accepted into Apache "officially", results may vary depending on the quality of the implemented module. Microsoft IIS also has this support already, enable "Integrated Windows Authentication" on the directories or pages and make sure your client system is set up to use the Active Directory KDC and it should work.
nalin@redhat.com says that we're still requesting mutual auth and not dealing with bad data that is sent back from the server. He recommends that we either 1. Not request mutual auth. or 2. Verify the identity of the server if we're requesting it. Yes, this is hashed out above in the bug but it's hard to follow the thread. Is there a valid reason that we're requesting it and not dealing with it? Nalin does have a patch that does most of the hard work in verifying it, minus the UI required to inform the user that the server is Evil.
(In reply to comment #241) >Is there a valid reason that we're requesting it and not dealing with it? Nalin > does have a patch that does most of the hard work in verifying it, minus the UI > required to inform the user that the server is Evil. The problem was addressed in an very early version of this fix, but it involved making changes to netwerk/protocol/http/src/nsHttpChannel.cpp to handle the case where you get a "200" response which also contains WWW-Authenticate header that has the final GSSAPI token data needed to complete the mutual-auth. (Take a look at the patch submitted 2003-10-30, it has the changes in there for handling this situation.) At the time, there were objection from some on the mozilla.org team (I think) to making this change because it was considered "non-standard" and there was a strong desire to keep the extension code completely isolated in the extension module area. I thought we had agreed to disable MUTUAL_AUTH until a later time when the mutual auth fix could be addressed. If it is now considered acceptable to modify the nsHttpChannel code to handle this strange case, then I am in favor of adding proper support for Mutual authentication. If not, then just turn off the MUTUAL_AUTH flag in the gss_init_sec_context call and don't to mutual auth. I would like to see the Nalin's patch, can it be added to the record for this bug just for reference?
I agree. Turn Mutual auth off until we can do it correctly, we are just wasting bandwidth in our current version. Let's open a different bug for adding mutual auth support so we can hash it out there and this bug can remain closed (it's already way too long).
ok, i filed the following bugs: bug 239734 - negotiateauth extension should not request mutual auth bug 239735 - add kerberos mutual auth support to the negotiateauth extension the first bug is targeting 1.7 final, and the second is futured. patches welcome :)
The patch adds an additional parameter to nsIHttpAuthenticator::generateCredentials which can be used to indicate that the server must supply additional data, and a field to nsHttpChannel which is used to keep track of this state. Initially, this flag is false, but is set to true if gss_init_sec_context returns GSS_C_CONTINUE_NEEDED. If a 2xx or 3xx response is received (I'm not certain whether or not the spec requires this, but mod_auth_kerb is happy to perform mutual auth for a redirect), the flag is checked. Handling of errors is very rough, so it still needs work, if this is even the right approach.
Nalin: Thank you for the patch, but I'd greatly appreciate it if you would attach it to bug 239735 instead so we can discuss it there. This bug is closed. Thx!!
In order to get ticket forwarding to work on Mac OS X 10.3 I had to create /etc/krb5.conf. The following worked for me: [libdefaults] default_realm = FOO.RH.RIT.EDU [realms] FOO.RH.RIT.EDU = { kdc = foo.rh.rit.edu:88 default_domain = foo.rh.rit.edu } [domain_realm] foo.rh.rit.edu = FOO.RH.RIT.EDU Is there an easier/different way to get ticket passing to work or is creating the conf file a given?
On Mac OS X, the equivalent of /etc/krb5.conf is found at /Library/Preferences/edu.mit.Kerberos. It uses exactly the same config options as krb5.conf. You can symlink to edu.mit.Kerberos to make this work at the moment.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: