Hi Isaac, thanks for the reply
On Tue, Jul 26, 2022 at 11:06 AM Isaac Boukris <iboukris@gmail.com> wrote:
> Hi Andreas,
>
> On Mon, Jul 25, 2022 at 6:00 PM Andreas Hasenack <andreas@canonical.com> wrote:
> > Hello,
>
> That's exactly case [5] you refer to above; the answer is as in the comment: it will be rejected with old MIT libs but not with newer ones, nor will it be rejected with Heimdal. To get the client rejected you

I was using MIT krb 1.19, I thought it was new enough :)

> need that both client and server set bindings and that those bindings don't match. Otherwise, to properly handle this case where the server sets binding and not the client, the returned flags could be checked for GSS_C_CHANNEL_BOUND_FLAG, which was added in recent Heimdal/MIT libs, see links below. I guess a new server option could be added to require CBT, implemented by checking this flag.

Thanks for the explanation.

> MIT and Heimdal related changes: https://github.com/krb5/krb5/pull/1047

This was merged in 2020, but doesn't seem to be in any release yet, just in the master branch. This seems to be a trend with sasl gssapi channel binding patches ;)

Merged in 2021, but also not in any release yet.