Posted to dev@subversion.apache.org by Alec Kloss <al...@oracle.com> on 2010/03/23 20:57:02 UTC

svnserve and sasl cross-realm (was: svnserve and ldap status ?)

On 2010-03-23 11:16, Alec Kloss wrote:
> On 2010-03-23 17:11, Stefan Sperling wrote:
>  
> > Hi Alec,
> > 
> > I remember your patch. It looked pretty simple and OK to me, but
> > I didn't feel confident enough about my own understanding of what
> > the patch really does.
[chop]
> 
> Sure thing.  I'll try to write up a giant setup script for the whole
> deal.  Note that my patch is mostly important in cross-realm cases which
[chop]

Please see the attached testsvncrossrealm.sh and results.txt files.
There's a kinda unfun list of prerequisites for the script to work
right.  There's a comment block at the top of the script describing
what needs to be changed including a patch to Cyrus SASL.  

You should be able to use this script to see what Cyrus SASL does 
and how my changes to cyrus_auth.c deal with cross-realm.

I'd be happy to discuss or help you configure a test environment
further.  Kerberos+SASL+GSSAPI has a somewhat steep learning curve.

-- 
Alec.Kloss@oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

Posted by Alec Kloss <al...@oracle.com>.
On 2010-05-06 11:41, Stefan Sperling wrote:
> On Tue, May 04, 2010 at 10:38:00AM -0500, Alec Kloss wrote:
> > I'm happy to help try to set up a configuration that will demonstrate
> > the issue without patching Cyrus SASL.  It'll just require a "real"
> > Kerberos realm to do it.
> 
> Is it also possible to use this without any kerberos at all?

I don't think SASL has any other mechanism that supports cross-realm at
all, but I could be wrong about that.  Unless you find another mechanism
that supports cross-realm, I don't think you'll be able to replicate
this without GSSAPI/Kerberos.

> I'd like to start with the simplest possible setup (so I have a better
> chance of understanding it), and then add more complexity while testing.
> 
> Stefan
> 

-- 
Alec.Kloss@oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

Posted by Stefan Sperling <st...@elego.de>.
On Tue, May 04, 2010 at 10:38:00AM -0500, Alec Kloss wrote:
> I'm happy to help try to set up a configuration that will demonstrate
> the issue without patching Cyrus SASL.  It'll just require a "real"
> Kerberos realm to do it.

Is it also possible to use this without any kerberos at all?

I'd like to start with the simplest possible setup (so I have a better
chance of understanding it), and then add more complexity while testing.

Stefan

Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

Posted by Alec Kloss <al...@oracle.com>.
On 2010-05-04 16:22, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 10:16:25PM +0100, Stefan Sperling wrote:
> > On Tue, Mar 23, 2010 at 03:58:50PM -0500, Alec Kloss wrote:
> > > Now please see attached.
> > 
> > Thanks. I'll try to look at this soon.
> > 
> > I've also downloaded a couple of related RFCs (e.g. RFC4422) for reference,
> > as well as cyrus-sasl source code -- the binaries are already installed cause
> > sendmail uses them, but I've never used SASL for anything other than smtp
> > auth with sendmail, and that is pretty simple to set up.
> 
> I've given this a look today.
> 
> The SASL documentation mentions that cross-realm support depends on
> the application, so your approach at solving the problem in Subversion
> is correct.
> 
> What worries me is that your patch to the SASL gssapi module is needed
> to make use of cross-realm authentication with Kerberos.
> It seems the SASL developers have not responded to your patch (at least
> they did not respond publicly):
> http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9372
> Do you have an idea about whether the patch will be applied to SASL?
> 
> Is there any useful purpose for cross-realm authentication without
> using Kerberos? If so, can you suggest a way for me to test this
> without patching SASL? If not, I'd rather wait for your gssapi patch
> to be included in SASL before adding support for this to Subversion.
> We can't require all users to patch SASL...
> 
> (The gssapi patch in the script you attached is reversed, BTW.)

Thanks for taking time to look.

The GSSAPI patch to SASL is to work around issues with canonicalization
of hostnames.  It's only required for my test script to work; it is
possible to make GSSAPI cross-realm work without it, but that requires either
careful DNS configuration (i.e. the DNS name the client uses to access
Subversion must match what gethostname(2) returns on the machine running
the Subversion server) or a bit of configuration to get the KDC to
produce a "referral" for the correct name.  As I recall, KDC referrals
were added to Heimdal in 1.3 (but only for the hdb datastore, not the
LDAP datastore).

Generally speaking, even though Cyrus SASL hasn't uptaken the idea of
using GSS_C_NO_NAME or a configurable service host name, the heimdal
folks at least think something along those lines is a good idea.  Sadly,
I haven't seen much sign of life from Cyrus SASL lately.

I'm happy to help try to set up a configuration that will demonstrate
the issue without patching Cyrus SASL.  It'll just require a "real"
Kerberos realm to do it.

-- 
Alec.Kloss@oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14
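The message above contrasts three ways of getting the service name the client asks for to line up with the name the server-side acceptor expects: make the client's DNS name equal what gethostname(2) returns, have the KDC issue a referral to the canonical name, or let the acceptor take any principal it holds a key for (the GSS_C_NO_NAME idea). The following toy model, added here as an illustration and not code from Subversion, Cyrus SASL, Heimdal or MIT Kerberos, walks through those cases so the mismatch and each fix can be seen side by side. All hostnames, realm names, the `svn` service label and the function names are constructed for the example.

```python
"""Toy model of service-principal matching for a GSSAPI acceptor.

Added example; not code from Subversion, Cyrus SASL or any Kerberos
implementation.  Hostnames, realm and the "svn" service label are
constructed for illustration.
"""
from typing import Dict, Optional, Set

SERVICE = "svn"  # constructed: service part of "svn/host@REALM"


def service_principal(host: str, realm: str) -> str:
    """Build service/host@REALM; hostnames are compared case-insensitively."""
    return f"{SERVICE}/{host.lower()}@{realm}"


def client_requests(host_typed_by_client: str, realm: str,
                    kdc_referrals: Optional[Dict[str, str]] = None) -> str:
    """Principal the client ends up holding a ticket for.

    The client derives the host part from the DNS name it connected to.
    A KDC with referral support (modelled by ``kdc_referrals``) can hand
    back a ticket for the canonical host instead of the requested alias.
    """
    host = host_typed_by_client.lower()
    if kdc_referrals and host in kdc_referrals:
        host = kdc_referrals[host]
    return service_principal(host, realm)


def acceptor_accepts(presented: str, gethostname_result: str, realm: str,
                     keytab: Set[str], configured_host: Optional[str] = None,
                     accept_any_keytab_name: bool = False) -> bool:
    """Decide whether the server side accepts the presented principal.

    Default behaviour modelled here: the acceptor name is built from
    gethostname(2), so the ticket must carry exactly that host.
    ``configured_host`` models an explicitly configured service hostname;
    ``accept_any_keytab_name`` models a GSS_C_NO_NAME-style acceptor that
    takes any principal for which it holds a key.
    """
    if presented not in keytab:
        return False  # no key for that principal: ticket cannot be decrypted
    if accept_any_keytab_name:
        return True
    expected = service_principal(configured_host or gethostname_result, realm)
    return presented == expected


def scenario() -> Dict[str, bool]:
    """Run the configurations discussed in the thread (all values constructed)."""
    realm = "SERVER.EXAMPLE"
    alias = "svn.example.com"                  # name the client connects to
    canonical = "svnbox01.corp.example.com"    # what gethostname(2) returns
    keytab = {service_principal(canonical, realm)}  # key for canonical name only
    results: Dict[str, bool] = {}

    # 1. Mismatch: client builds the name from the alias, server expects gethostname().
    results["alias_no_fix"] = acceptor_accepts(
        client_requests(alias, realm), canonical, realm, keytab)

    # 2. DNS fix: the client is pointed at the name gethostname() returns.
    results["client_uses_canonical"] = acceptor_accepts(
        client_requests(canonical, realm), canonical, realm, keytab)

    # 3. KDC referral: the KDC maps the alias to the canonical host.
    results["kdc_referral"] = acceptor_accepts(
        client_requests(alias, realm, {alias: canonical}), canonical, realm, keytab)

    # 4. Key for the alias exists, but a strict acceptor still insists on gethostname().
    keytab_with_alias = keytab | {service_principal(alias, realm)}
    results["alias_in_keytab_strict"] = acceptor_accepts(
        client_requests(alias, realm), canonical, realm, keytab_with_alias)

    # 5. GSS_C_NO_NAME-style acceptor: any principal with a key in the keytab is fine.
    results["no_name_acceptor"] = acceptor_accepts(
        client_requests(alias, realm), canonical, realm, keytab_with_alias,
        accept_any_keytab_name=True)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

Case 4 is the one to keep in mind when debugging: adding a principal for the alias to the keytab is not enough on its own if the acceptor is still constructed with a fixed name; either the name the acceptor is built with has to change (configured hostname) or the acceptor has to stop pinning a name (case 5).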

Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Mar 23, 2010 at 10:16:25PM +0100, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 03:58:50PM -0500, Alec Kloss wrote:
> > Now please see attached.
> 
> Thanks. I'll try to look at this soon.
> 
> I've also downloaded a couple of related RFCs (e.g. RFC4422) for reference,
> as well as cyrus-sasl source code -- the binaries are already installed cause
> sendmail uses them, but I've never used SASL for anything other than smtp
> auth with sendmail, and that is pretty simple to set up.

I've given this a look today.

The SASL documentation mentions that cross-realm support depends on
the application, so your approach at solving the problem in Subversion
is correct.

What worries me is that your patch to the SASL gssapi module is needed
to make use of cross-realm authentication with Kerberos.
It seems the SASL developers have not responded to your patch (at least
they did not respond publicly):
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9372
Do you have an idea about whether the patch will be applied to SASL?

Is there any useful purpose for cross-realm authentication without
using Kerberos? If so, can you suggest a way for me to test this
without patching SASL? If not, I'd rather wait for your gssapi patch
to be included in SASL before adding support for this to Subversion.
We can't require all users to patch SASL...

(The gssapi patch in the script you attached is reversed, BTW.)

Thanks,
Stefan

Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Mar 23, 2010 at 03:58:50PM -0500, Alec Kloss wrote:
> Now please see attached.

Thanks. I'll try to look at this soon.

I've also downloaded a couple of related RFCs (e.g. RFC4422) for reference,
as well as cyrus-sasl source code -- the binaries are already installed cause
sendmail uses them, but I've never used SASL for anything other than smtp
auth with sendmail, and that is pretty simple to set up.

Stefan

Re: svnserve and sasl cross-realm (was: svnserve and ldap status ?)

Posted by Alec Kloss <al...@oracle.com>.
On 2010-03-23 15:57, Alec Kloss wrote:
> On 2010-03-23 11:16, Alec Kloss wrote:
> > On 2010-03-23 17:11, Stefan Sperling wrote:
> >  
> > > Hi Alec,
> > > 
> > > I remember your patch. It looked pretty simple and OK to me, but
> > > I didn't feel confident enough about my own understanding of what
> > > the patch really does.
> [chop]
> > 
> > Sure thing.  I'll try to write up a giant setup script for the whole
> > deal.  Note that my patch is mostly important in cross-realm cases which
> [chop]
> 
> Please see the attached testsvncrossrealm.sh and results.txt files.
> There's a kinda unfun list of prerequisites for the script to work
> right.  There's a comment block at the top of the script describing
> what needs to be changed including a patch to Cyrus SASL.  
> 
> You should be able to use this script to see what Cyrus SASL does 
> and how my changes to cyrus_auth.c deal with cross-realm.
> 
> I'd be happy to discuss or help you configure a test environment
> further.  Kerberos+SASL+GSSAPI has a somewhat steep learning curve.
> 
> -- 
> Alec.Kloss@oracle.com			Oracle Middleware
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14

Now please see attached.

-- 
Alec.Kloss@oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14