--On Friday, November 17, 2017 12:53 PM +1000 William Brown wibrown@redhat.com wrote:
Hi William,
> Hey mate,
> Just want to point out there are some security risks with ssf settings. I have documented these here:
> https://fy.blackhats.net.au/blog/html/2016/11/23/the_minssf_trap.html
> This is a flaw in the ldap protocol and can never be resolved without breaking the standard. The issue is that by the time the ssf check is done, you have already cleartexted sensitive material.
I think what you mean is: There is no way with startTLS to prevent possible leakage of credentials when using simple binds. ;) Your blog certainly covers this concept well, but just wanted to be very clear on what the actual issue is. ;) I've been rather unhappy about this for a long time as well, and have had a discussion going on the openldap-devel list about LDAPv4 and breaking backwards compatibility to fix this protocol bug.
Another note -- The reason GSSAPI shows up as an SSF of 56 is because it has been hard coded that way in cyrus-sasl. Starting with cyrus-sasl version 2.1.27, which is near release, the actual SASL SSF is finally passed back into the caller. It may be worthwhile noting this in your blog post. ;)
Warm regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
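The protocol point made in this exchange, as an added example that is not part of the thread or of OpenLDAP: a minimal BER encoder/decoder for an LDAPv3 BindRequest (RFC 4511) showing that a simple bind puts the cleartext password into the very first client PDU, so a server-side minSSF check (or a sensor watching an unencrypted port 389 stream) only sees it after the fact; the SASL variant of the same message carries no password. The DN, password and mechanism values are constructed for illustration.

```python
# Added example (not from the thread): minimal BER for an LDAPv3 BindRequest (RFC 4511) showing
# that a simple bind carries the cleartext password before any minSSF check can run.

def _ber_len(n: int) -> bytes:  # definite-form length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(n: int) -> bytes:  # minimal content octets for a non-negative INTEGER
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    bind = _tlv(0x02, _ber_int(3)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x60, bind))

def build_sasl_bind(msg_id: int, mechanism: str) -> bytes:
    """Same message with SaslCredentials [3] (e.g. GSSAPI) instead of a simple password."""
    bind = _tlv(0x02, _ber_int(3)) + _tlv(0x04, b"") + _tlv(0xA3, _tlv(0x04, mechanism.encode()))
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int = 0) -> "tuple[int, bytes, int]":
    """Return (tag, value, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def cleartext_credentials(pdu: bytes) -> "tuple[str, str] | None":
    """(dn, password) if pdu is a simple BindRequest with a password, else None; this is what
    the server (before it can answer resultCode 13 confidentialityRequired) already holds."""
    tag, msg, _ = _read_tlv(pdu)
    if tag != 0x30:  # not an LDAPMessage SEQUENCE
        return None
    _, _msg_id, pos = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:  # not a BindRequest (APPLICATION 0)
        return None
    _, _version, pos = _read_tlv(op)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag != 0x80:  # SASL [3]: no cleartext password in this PDU
        return None
    return dn.decode(), auth.decode()
```

Feeding the raw bytes of a captured simple bind to `cleartext_credentials` recovers the DN and password; a SASL bind (the GSSAPI case mentioned above) yields nothing, because the credential exchange happens inside the mechanism rather than in the BindRequest itself.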