
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [REG:115070812924583] No mention of deviation from MS-KILE regarding non-gssapi 
From:       Andrew Bartlett <abartlet () samba ! org>
Date:       2015-07-08 21:38:42
Message-ID: 1436391522.5272.118.camel () jesse

On Wed, 2015-07-08 at 21:30 +0000, Tarun Chopra wrote:
> Hello Andrew
> 
> We have created a case; 115070812924583, to track your inquiry and Sreekanth
> (looped in Cc) will be assisting you further.

Thanks,

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org] 
> Sent: Wednesday, July 8, 2015 2:10 PM
> To: Interoperability Documentation Help
> Cc: cifs-protocol@lists.samba.org
> Subject: No mention of deviation from MS-KILE regarding non-gssapi or absent
> checksums in AP-REQ
> 
> RFC 4121 4.1.1 says that the checksum MUST be provided in the AP-REQ packet from
> the client to the application server in the initial GSSAPI exchange (eg, the input
> to accept_sec_context).
> 
> "The authenticator in the KRB_AP_REQ message MUST include the optional sequence
> number and the checksum field.  The checksum field is used to convey service
> flags, channel bindings, and optional delegation information."
> 
> In order for Samba to interoperate with a "Huawei Unified Storage System
> S5500 V3" we found that we not only had to allow a krb5 checksum (that Samba
> erroneously produced for many years), but also no checksum entirely.
> 
> Tests (patches to Samba's own fake gssapi implementation) show that Windows also
> accepts this.
> 
> This deviation from RFC4121 isn't documented in MS-KILE.  Can you please explain
> what is going on here?
> 
> As context, allowing no checksum caused a DoS in MIT krb5 due to a NULL pointer
> de-reference in http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt
> 
> I don't see this as a security issue, as despite the name the checksum is being
> re-used simply as an opaque data field, in an authenticated packet.

As further context, see proposed patches to heimdal and samba at:

https://github.com/heimdal/heimdal/pull/134
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/allow-no-krb5-checksum


Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
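
Added example, not part of the original message and not code from Samba, Heimdal, MIT krb5 or Windows: a sketch of an acceptor-side handler for the optional Authenticator checksum that tolerates the absent and non-0x8003 cases discussed above without dereferencing a missing field, and bounds-checks the RFC 4121 4.1.1 layout when type 0x8003 is present. The struct names, the function name, the sample bytes and the choice to treat a missing or non-GSSAPI checksum as "no flags, no channel bindings" are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CKSUMTYPE_GSSAPI 0x8003 /* checksum type from RFC 4121 4.1.1 */

/* Hypothetical stand-in for the decoded, optional Authenticator cksum field. */
struct cksum { int32_t type; const uint8_t *data; size_t len; };
struct gss_in { int has_gss_cksum; uint32_t flags; uint8_t bnd[16]; };

/* Constructed sample: Lgth=16, all-zero Bnd, Flags=0x22 (mutual|integ). */
const uint8_t sample_8003[24] = { 0x10, 0, 0, 0, [20] = 0x22 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* c == NULL models an AP-REQ with no checksum. Returns 0 if acceptable,
 * -1 if a 0x8003 checksum is present but malformed. */
int parse_authenticator_cksum(const struct cksum *c, struct gss_in *out)
{
    memset(out, 0, sizeof(*out));
    if (c == NULL)                   /* absent: never dereference */
        return 0;                    /* assumption: no flags, no bindings */
    if (c->type != CKSUMTYPE_GSSAPI) /* e.g. a plain krb5 checksum */
        return 0;                    /* assumption: contents ignored */
    if (c->data == NULL || c->len < 24 || le32(c->data) != 16)
        return -1;                   /* too short for Lgth + Bnd + Flags */
    memcpy(out->bnd, c->data + 4, sizeof(out->bnd));
    out->flags = le32(c->data + 20); /* little-endian Flags at offset 20 */
    out->has_gss_cksum = 1;
    return 0;
}

int main(void)
{
    struct cksum c = { CKSUMTYPE_GSSAPI, sample_8003, sizeof(sample_8003) };
    struct gss_in g;
    int rc = parse_authenticator_cksum(NULL, &g);
    printf("absent: rc=%d flags=0x%x\n", rc, (unsigned)g.flags);
    rc = parse_authenticator_cksum(&c, &g);
    printf("0x8003: rc=%d flags=0x%x\n", rc, (unsigned)g.flags);
    return 0;
}
```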
