Provide AUTHID to GSS to select correct principal #871
Open
michael-dev wants to merge 1 commit into cyrusimap:master from
Conversation
Contributor
Why are the client and server sharing a single keytab file? That's inherently insecure, since it allows arbitrary entities to authenticate as either of them.
When using postfix smtp client with KRB5_CLIENT_KTNAME for relayhost
authentication, the first entry in the client keytab is always used.
For /etc/krb5.keytab, this might be a service principal of the host
instead of the user principal, so gss_init_sec_context then fails -
AS-REQ fails for service principals, only works for user principals.
Fix this by using the authid supplied by postfix to provide a
desired name to gss_acquire_cred (if present).
Postfix config:
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_password_maps = static:HOSTNAME$$@EXAMPLE.ORG:irrelevant
import_environment = ... KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
KRB5CCNAME=MEMORY:
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2515cf9 to 8ce5827
Author
No, client and server do not share a keytab. On the client, I have /etc/krb5.keytab which contains the machine account. So I want to use the machine account of the client to authenticate to the server (for system mails, e.g. from CRON).