Adam Bernstein
2016-03-01 19:00:02 UTC
_*BACKGROUND*_*:*
VMware vcenter product initial configuration uses a GSSAPI plugin
implementing the Secure Remote Password (SRP) protocol. This is a
"bootstrap" authentication protocol, used to store initial
authentication identities in our LDAP directory, and other operations
requiring security. During configuration, DCE/RPC secured by GSSAPI/SRP
is used. Once configured, DCE/RPC secured by GSSAPI/KRB5 is used. We are
using MIT Kerberos version 1.14.
_*ISSUE:*_
During development, we discovered an expired Kerberos credentials cache
causes GSSAPI krb5_gss_inquire_cred() to fail with the error
GSS_S_CREDENTIALS_EXPIRED. This prevents SPNEGO from attempting
authentication with plugin mechanisms configured in /etc/gss/mech.
To reproduce this problem, the current user must have a Kerberos
credentials cache containing an expired krbtgt. For example, see the
below expired credentials cache:
# /opt/likewise/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sles11-***@VSPHERE.LOCAL
Valid starting Expires Service principal
02/24/2016 16:28:36 02/24/2016 16:34:34 krbtgt/***@VSPHERE.LOCAL
GSSAPI authentication with SRP is not possible for the user
"sles11-***@VSPHERE.LOCAL" when this expired ticket
exists. After deleting this expired cache, SPNEGO authentication
proceeds to SRP.
_*PROPOSED SOLUTION:*_
Attached is a patch for gssapi/mechglue/g_inq_cred.c : gss_inq_cred()
which fixes this issue.
The strategy used in this patch is rather than returning the error
GSS_S_CREDENTIALS_EXPIRED, skip adding the Kerberos mech OID to the
"mechs" OID set.
When krb5_gss_inquire_cred() returns GSS_S_CREDENTIALS_EXPIRED,
mech_offset is set to 1. The assumption made here is the Kerberos mech
OID always exists and is always first in the union_cred->mechs array.
When GSS_S_CREDENTIALS_EXPIRED is returned, the Kerberos OID is not
added to the mechs OID set.
Should "mechanisms" be NULL, the original behavior of returning an empty
OID set is preserved, unless krb5_gss_inquire_cred() failed with
GSS_S_CREDENTIALS_EXPIRED, then that error is returned.
Note: The patch does properly preserve tab/space indentation. Depending
on your email reader, this may not appear to be true.
Please consider accepting the following patch for inclusion in the next
release of MIT Kerberos.
Thanks,
Adam
====
Adam Bernstein
Staff Engineer, VMware
***@vmware.com
500 108th Ave NE, Bellevue WA, 98004
VMware vcenter product initial configuration uses a GSSAPI plugin
implementing the Secure Remote Password (SRP) protocol. This is a
"bootstrap" authentication protocol, used to store initial
authentication identities in our LDAP directory, and other operations
requiring security. During configuration, DCE/RPC secured by GSSAPI/SRP
is used. Once configured, DCE/RPC secured by GSSAPI/KRB5 is used. We are
using MIT Kerberos version 1.14.
_*ISSUE:*_
During development, we discovered an expired Kerberos credentials cache
causes GSSAPI krb5_gss_inquire_cred() to fail with the error
GSS_S_CREDENTIALS_EXPIRED. This prevents SPNEGO from attempting
authentication with plugin mechanisms configured in /etc/gss/mech.
To reproduce this problem, the current user must have a Kerberos
credentials cache containing an expired krbtgt. For example, see the
below expired credentials cache:
# /opt/likewise/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sles11-***@VSPHERE.LOCAL
Valid starting Expires Service principal
02/24/2016 16:28:36 02/24/2016 16:34:34 krbtgt/***@VSPHERE.LOCAL
GSSAPI authentication with SRP is not possible for the user
"sles11-***@VSPHERE.LOCAL" when this expired ticket
exists. After deleting this expired cache, SPNEGO authentication
proceeds to SRP.
_*PROPOSED SOLUTION:*_
Attached is a patch for gssapi/mechglue/g_inq_cred.c : gss_inq_cred()
which fixes this issue.
The strategy used in this patch is rather than returning the error
GSS_S_CREDENTIALS_EXPIRED, skip adding the Kerberos mech OID to the
"mechs" OID set.
When krb5_gss_inquire_cred() returns GSS_S_CREDENTIALS_EXPIRED,
mech_offset is set to 1. The assumption made here is the Kerberos mech
OID always exists and is always first in the union_cred->mechs array.
When GSS_S_CREDENTIALS_EXPIRED is returned, the Kerberos OID is not
added to the mechs OID set.
Should "mechanisms" be NULL, the original behavior of returning an empty
OID set is preserved, unless krb5_gss_inquire_cred() failed with
GSS_S_CREDENTIALS_EXPIRED, then that error is returned.
Note: The patch does properly preserve tab/space indentation. Depending
on your email reader, this may not appear to be true.
Please consider accepting the following patch for inclusion in the next
release of MIT Kerberos.
Thanks,
Adam
====
Adam Bernstein
Staff Engineer, VMware
***@vmware.com
500 108th Ave NE, Bellevue WA, 98004