Simon Wilkinson wrote:
On 15 Apr 2008, at 21:32, Howard Chu wrote:
As explained previously on this list, it's a difference in philosophy, not a bug. Heimdal and OpenLDAP follow the Unix philosophy - permission checking is done upon first access to a resource. Once you obtain access to the resource, it's yours until you give it up, no matter what other subsequent permission changes occur while you're using it.
I think you're conflating short and long term keys here, along with permission checks and cryptography.
When you're using a SASL security layer, you're (generally) using a cryptographically secured connection of some sort. Many cryptographic protocols have some form of restriction on the length of time you can use a key for. This may be based on the amount of data transmitted, or the designated lifetime of a key. Unfortunately, SASL has no way of communicating these restrictions to the application layer - the only way it can do so is by failing encode and decode operations. In this case, it is currently the applications responsibility to catch this failure, and negotiate a new security context.
You're presuming that negotiating a new context for the current session is an acceptable action. For Kerberos, there's no way to distinguish between the session key expiring, and the TGT expiring. In the former case, an app can transparently obtain a new service ticket, but in the latter case, the only recovery you can do requires visible user interaction.
You might argue that the MIT approach is more correct, but I would say that it's highly inconsistent, and inconsistency is highly undesirable in a security mechanism. For instance, by your thinking, if you decide that security contexts must all be invalidated whenever and wherever they are changed, then you also need to close all connections whenever somebody changes their password, because any sessions established with the old password must now be considered invalid.
Not at all. My password has no role in protecting that connection once it has been established.
No, but it allowed you to establish the connection in the first place. As such, by your logic, changing it should invalidate the connection.
A short term encryption key does. Sites may have many reasons for the lifetimes they pick for short term keys and particular algorithms may require lifetime restrictions. Applications which use these keys should respect these wishes. For example, ssh rekeys its connections in accordance with the expiry of the keys which _protect_ that connection (in the ssh case, this isn't the Kerberos key).
However, coming back to OpenLDAP specifics. Whatever the rights and wrongs of the Kerberos particular case, OpenLDAP doesn't handle the situation where sasl_{en,de}code fails. The SASL layer is within its rights to fail these operations, so I believe the fact that this failure breaks syncrepl is a bug.
ssh and GSSAPI may be analogous here. In that respect, these layers should renegotiate keys transparently so that upper layers never see it. The fact that SASL doesn't expose lifetime restrictions either means (a) apps aren't supposed to have to worry about them or (b) the SASL design is broken.