Posted to dev@subversion.apache.org by Alec Kloss <al...@setfilepointer.com> on 2009/03/21 12:07:40 UTC

Re: [Patch] Subversion 1.5 SASL doesn't work correctly with Kerberos cross-realm authentication

I once pined:

On 2008-08-12 14:00, Alec Kloss wrote:
> First off, Subversion's code is lovely to read.
> 
> The subject pretty much says it all.  The SASL support in
> Subversion 1.5 blindly removes realm specifiers from the user's
> authentication.
> 
> There's a seatbelt early in cyrus_auth.c which protects against
> security problems associated with removing the realm as described
> by this comment:
> 
>       /* The only valid realm is user_realm (i.e. the repository's realm).
>          If the user gave us another realm, complain. */
> 
> Later, at the end of cyrus_auth_request() the realm is yanked off
> of the authenticated user, which creates the potential security
> issue that the seatbelt in cyrus_auth.c is protecting against:
> 
>       if ((p = strchr(user, '@')) != NULL)
>         /* Drop the realm part. */
>         b->user = apr_pstrndup(b->pool, user, p - (char *)user);
>       else
> 
> I guess I'd propose changing the default behavior to allow
> cross-realm and strip the realm part off in cyrus_auth_request()
> if-and-only-if it matches the configured "user_realm".  I'd like to
> see a flag to disable the stripping of the realm entirely, as
> people with lots of cross-realm will almost certainly prefer that.
> 
> (And while I'm commenting, has no one looked into logging in
> svnserve since 2005?  It's kinda a big thing to be missing, at
> least among the paranoid.)

Please see attached patch.  It works against 1.6.0 and trunk r36738.

-- 
Alec Kloss  alec@SetFilePointer.com   IM: daemonalec@gmail.com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
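As an added illustration of the problem and the proposed default (this is not the attached patch and not Subversion's cyrus_auth.c; it uses plain libc instead of APR, and the names canonical_user and strip_realm are assumptions), the unconditional strip beside a version that only drops the realm when it equals the configured user_realm:

```c
#include <stdlib.h>
#include <string.h>

/* Copy the first n bytes of s into a fresh NUL-terminated buffer (caller frees). */
static char *dup_prefix(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* The behaviour the mail complains about (constructed for comparison):
 * everything after '@' is dropped, so alice@OTHER.REALM and
 * alice@REPO.REALM both collapse to "alice". */
char *canonical_user_unconditional(const char *user)
{
    const char *at = strchr(user, '@');
    return at ? dup_prefix(user, (size_t)(at - user)) : dup_prefix(user, strlen(user));
}

/* Proposed default from the mail (hypothetical helper): strip the realm
 * only when it matches user_realm (the repository's realm); a principal
 * from any other realm keeps its full name, so it cannot collide with a
 * local user. strip_realm == 0 disables stripping entirely, the flag the
 * mail asks for. Returns a malloc'd string, or NULL on allocation failure. */
char *canonical_user(const char *user, const char *user_realm, int strip_realm)
{
    const char *at = strchr(user, '@');
    size_t full = strlen(user);

    if (at == NULL || !strip_realm)
        return dup_prefix(user, full);           /* nothing to strip, or disabled */
    if (user_realm != NULL && strcmp(at + 1, user_realm) == 0)
        return dup_prefix(user, (size_t)(at - user)); /* local realm: drop it */
    return dup_prefix(user, full);               /* foreign realm: keep it */
}
```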

Re: [Patch] Subversion 1.5 SASL doesn't work correctly with Kerberos cross-realm authentication

Posted by Gavin Baumanis <ga...@thespidernet.com>.
I have created Issue #3394 and attached the proposed patch.

Gavin.


On 21/03/2009, at 11:07 PM, Alec Kloss wrote:

> I once pined:
>
> On 2008-08-12 14:00, Alec Kloss wrote:
>> First off, Subversion's code is lovely to read.
>>
>> The subject pretty much says it all.  The SASL support in
>> Subversion 1.5 blindly removes realm specifiers from the user's
>> authentication.
>>
>> There's a seatbelt early in cyrus_auth.c which protects against
>> security problems associated with removing the realm as described
>> by this comment:
>>
>>     /* The only valid realm is user_realm (i.e. the repository's realm).
>>        If the user gave us another realm, complain. */
>>
>> Later, at the end of cyrus_auth_request() the realm is yanked off
>> of the authenticated user, which creates the potential security
>> issue that the seatbelt in cyrus_auth.c is protecting against:
>>
>>     if ((p = strchr(user, '@')) != NULL)
>>       /* Drop the realm part. */
>>       b->user = apr_pstrndup(b->pool, user, p - (char *)user);
>>     else
>>
>> I guess I'd propose changing the default behavior to allow
>> cross-realm and strip the realm part off in cyrus_auth_request()
>> if-and-only-if it matches the configured "user_realm".  I'd like to
>> see a flag to disable the stripping of the realm entirely, as
>> people with lots of cross-realm will almost certainly prefer that.
>>
>> (And while I'm commenting, has no one looked into logging in
>> svnserve since 2005?  It's kinda a big thing to be missing, at
>> least among the paranoid.)
>
> Please see attached patch.  It works against 1.6.0 and trunk r36738.
>
> -- 
> Alec Kloss  alec@SetFilePointer.com   IM: daemonalec@gmail.com
> PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
> "No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
> <sasl-patch.txt>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1605348

Re: bump [Patch] Subversion 1.5 SASL doesn't work correctly with Kerberos cross-realm authentication

Posted by Alec Kloss <al...@SetFilePointer.com>.
On 2009-03-21 07:07, Alec Kloss wrote:
> 
> Please see attached patch.  It works against 1.6.0 and trunk r36738.
> 

Does anyone have any comments about this cross-realm patch?  All I
hear are crickets...

-- 
Alec Kloss  alec@SetFilePointer.com   IM: daemonalec@gmail.com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon