
Implement 'krb5_verify_init_creds' #14

Open
stupidpupil opened this issue Jul 31, 2016 · 3 comments
stupidpupil commented Jul 31, 2016

Several libraries have been created to allow Ruby applications to authenticate users using their Kerberos credentials, via the krb5_get_init_creds_password function provided by rkerberos, in the context of frameworks like Devise and OmniAuth.

None of these libraries currently check that the credentials obtained using a user's password actually come from a trusted KDC. They are therefore vulnerable to spoofing of the KDC, historically known as the 'Zanarotti attack'. I have knocked together my own code here (and I'd be very glad of any feedback from people more familiar with the Kerberos library) to support obtaining and verifying initial credentials securely.

However, I would like to be able to submit pull requests to these various existing projects to at least allow them to be used securely with the correct configuration without trying to unnecessarily move them away from rkerberos.

To that end, I'm requesting that rkerberos implement the krb5_verify_init_creds function. (I would try to do it myself, but I don't trust myself not to make a complete mess of writing any C…)
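
To illustrate the check this issue asks for, here is an added, constructed toy model in Ruby (not rkerberos code and not real Kerberos; HMAC tags stand in for Kerberos encryption and the principal names and passwords are made up). It shows why the AS exchange alone is not enough: the reply only proves it was sealed under the typed password, whereas the verify step uses the TGT to fetch a ticket for the host's own principal and checks it against the key in the host's keytab, which a spoofed KDC does not have.

```ruby
require 'openssl'

# Constructed toy model of the check krb5_verify_init_creds performs. A long-term
# key "seals" data with an HMAC tag that only holders of that key can verify;
# this stands in for Kerberos encryption and is not real Kerberos.
def seal(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), key, data)
end

def key_from_password(password)
  OpenSSL::Digest::SHA256.digest(password) # stand-in for string-to-key
end

class Kdc
  # secrets: principal => long-term key, i.e. the KDC database
  def initialize(secrets)
    @secrets = secrets
    @tgs_key = OpenSSL::Random.random_bytes(32)
  end

  # AS exchange: the reply is sealed under the user's long-term key
  def as_req(user)
    tgt = "TGT:#{user}"
    { tgt: tgt, tgt_seal: seal(@tgs_key, tgt), seal: seal(@secrets.fetch(user), tgt) }
  end

  # TGS exchange: the service ticket is sealed under the service's own key
  def tgs_req(tgt, tgt_seal, service)
    return nil unless seal(@tgs_key, tgt) == tgt_seal && @secrets.key?(service)
    ticket = "SVC:#{service}:#{tgt}"
    { ticket: ticket, seal: seal(@secrets[service], ticket) }
  end
end

# What the gems discussed above do: accept the user if the AS reply opens with
# the typed password. Whoever answers as the KDC decides which password works.
def get_init_creds_password(kdc, user, password)
  reply = kdc.as_req(user)
  reply[:seal] == seal(key_from_password(password), reply[:tgt]) ? reply : nil
end

# The missing step: use the TGT to fetch a ticket for our own host principal
# and check it opens with the keytab key, which a spoofed KDC cannot forge.
def verify_init_creds(kdc, creds, host_principal, keytab_key)
  svc = kdc.tgs_req(creds[:tgt], creds[:tgt_seal], host_principal)
  !svc.nil? && svc[:seal] == seal(keytab_key, svc[:ticket])
end
```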

sonOfRa (Collaborator) commented Sep 29, 2016

Hi!
I'll see what I can do on this front, but there are some other things that I'll take care of first, #9 being the first priority on my list. Proper verification of credentials is something I can look into after that.

sonOfRa self-assigned this Oct 12, 2016

sonOfRa (Collaborator) commented Oct 12, 2016

I've started working on this in my fork in the credentials branch: https://github.com/sonOfRa/rkerberos/tree/credentials

I'd greatly appreciate feedback on this (and suggestions as to how I'm supposed to write tests for this).

stupidpupil (Author) commented Oct 12, 2016

Regarding testing, I struggled to come up with sensible unit tests but I did find that validating behaviour against an actual Kerberos server was helpful for me.

I should admit that I'm now unlikely to make use of any work on krb5_verify_init_creds. I've had no response on any of the five issues that I've opened against gems that fetch but then fail to verify Kerberos credentials. Raising it with GitLab (as their product depends on one of these gems), I was invited to fix the issue myself or forget about it. Perhaps I've overestimated the vulnerability that failing to verify credentials presents.

The gem that I've written in the meantime serves my needs and it's a little bit more portable than rkerberos (not least because it has far less functionality, I hasten to add).
