@abbra abbra commented Jun 12, 2024

RFC 6680 defines a set of GSSAPI extensions to handle attributes associated with GSSAPI names. MIT Kerberos and FreeIPA use name attributes to add information about the pre-authentication methods used to acquire the initial Kerberos ticket. The attribute 'auth-indicators' may contain a list of strings that the KDC has associated with the ticket issuance process.

Use authentication indicators to authorise or deny access to the SSH server. The GSSAPIIndicators setting allows specifying a list of possible indicators that a presented Kerberos ticket must or must not contain. More details on the syntax are provided in the sshd_config(5) man page.

Fixes: https://bugzilla.mindrot.org/show_bug.cgi?id=2696

@abbra abbra (Author) commented Jun 12, 2024

All the failures seem to be about the penalty.sh dependency of t-exec, which appears unrelated to the PR changes.

@djmdjm djmdjm (Contributor) commented Jun 14, 2024

This looks pretty reasonable but I don't think any of the active developers have the GSSAPI knowledge to review the GSSAPI bits of this change. We'll have to find someone with more experience to look at it.

@abbra abbra force-pushed the gssapi-indicators branch from 8c97ea0 to 74cb7dd (June 14, 2024 02:58)

@abbra abbra (Author) commented Jun 14, 2024

@djmdjm I am one of the FreeIPA, SSSD, and Samba developers and contribute to MIT Kerberos as well. This code is based on my indicators work for SSSD's pam_sss_gss, which we have had in production since 2021.

If you want more external eyes, I can ask my fellow Red Hat colleagues who maintain OpenSSH and have written GSSAPI code in the past too.

@cryptomilk commented

I'm working on libssh, MIT Kerberos and Samba. I can review the GSSAPI bits.

@abbra abbra force-pushed the gssapi-indicators branch from 74cb7dd to 6331812 (June 14, 2024 09:51)

@cryptomilk commented

Patch looks good to me.

@beldmit beldmit left a comment

Overall impression is fine; one place to change.

@abbra abbra force-pushed the gssapi-indicators branch from 6331812 to 8bb5003 (June 27, 2024 18:51)

@Jakuje Jakuje (Contributor) left a comment

@abbra I added one comment inline with one more potential issue.

We are now working with a GSoC student to implement test coverage for libssh and GSSAPI authentication in https://gitlab.com/libssh/libssh-mirror/-/merge_requests/490. I think it would be great if something similar could be in the OpenSSH upstream test suite, which could land a test for this functionality. Let me know if you would find it useful; if so, we can try to help contribute something similar.

@abbra abbra force-pushed the gssapi-indicators branch from 8bb5003 to 06b860c (July 2, 2024 08:19)

@abbra abbra (Author) commented Jul 2, 2024

I updated the code to follow the recent discussions. Let me know whether this is all fine to merge.

I have recorded a demo here: https://www.youtube.com/watch?v=OauHdZYKGKk. This demo shows the use of the GSSAPIIndicators option in a Match block to constrain two users (unenforced-user and enforced-user) to authenticate with GSSAPI when their initial Kerberos tickets were obtained in a particular way. In this demo we just deny any ticket that was not obtained with OTP or a smartcard-based pre-authentication mechanism. Since FreeIPA associates the hardened indicator with the SPAKE pre-authentication method (used for password-based auth), we also reject the hardened indicator.

In the demo, we first attempt to access as unenforced-user, with a ticket that contains the hardened indicator. Then we access as enforced-user, with a ticket that contains the otp indicator. In the first case we fail, and the system logs show that clearly. In the second case we succeed; again, the logs demonstrate that a particular indicator was inspected and accepted.
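The PR description above explains the mechanism (the KDC attaches 'auth-indicators' to the ticket as an RFC 6680 name attribute, and GSSAPIIndicators lists indicators a ticket must or must not contain) and the demo shows the policy in action (deny hardened, accept otp). The following is an added example written for this page, not code from this pull request or from OpenSSH, implementing that policy check in plain C over a constructed indicator list. Its assumptions: the policy grammar (comma-separated tokens, a "!" prefix meaning must-not-contain; the real syntax lives in the PR's sshd_config(5) text, which is not on this page), the function names parse_indicator_policy and evaluate_indicators, and the indicator values otp and hardened from the demo plus pkinit as the assumed name for the smartcard pre-authentication indicator. In sshd the strings would come from gss_get_name_attribute() on the 'auth-indicators' attribute; the example substitutes an inline list so it builds without a Kerberos library.

```c
/*
 * Added example, not OpenSSH code: evaluate a GSSAPIIndicators-style policy
 * against the auth-indicators of a Kerberos ticket. In sshd the strings would
 * come from gss_get_name_attribute() on the "auth-indicators" name attribute
 * (RFC 6680); here they are a constructed list. The policy grammar is an
 * ASSUMPTION for this example: "otp,pkinit,!hardened" means the ticket must
 * carry at least one unprefixed indicator and none of the "!"-prefixed ones.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS    16
#define MAX_TOKEN_LEN 64

struct indicator_policy {
	char   require[MAX_TOKENS][MAX_TOKEN_LEN];
	size_t nrequire;
	char   forbid[MAX_TOKENS][MAX_TOKEN_LEN];
	size_t nforbid;
};

/* Parse the policy string. Returns false on malformed input (empty token,
 * bare "!", overlong token, trailing comma, no tokens) so a config typo
 * fails closed instead of degrading into an empty "allow everything" policy. */
bool
parse_indicator_policy(const char *spec, struct indicator_policy *p)
{
	const char *s = spec;

	memset(p, 0, sizeof(*p));
	while (*s != '\0') {
		const char *end = strchr(s, ',');
		size_t len = end != NULL ? (size_t)(end - s) : strlen(s);
		bool negate = (len > 0 && s[0] == '!');
		char (*list)[MAX_TOKEN_LEN] = negate ? p->forbid : p->require;
		size_t *n = negate ? &p->nforbid : &p->nrequire;

		if (negate) { s++; len--; }
		if (len == 0 || len >= MAX_TOKEN_LEN || *n >= MAX_TOKENS)
			return false;
		memcpy(list[*n], s, len);
		list[*n][len] = '\0';
		(*n)++;
		s = end != NULL ? end + 1 : s + len;
		if (end != NULL && *s == '\0')	/* trailing comma */
			return false;
	}
	return p->nrequire + p->nforbid > 0;
}

static bool
has_indicator(const char **ticket, size_t n, const char *ind)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(ticket[i], ind) == 0)
			return true;
	return false;
}

/* Returns 1 to authorize, 0 to deny. Forbidden indicators win over required
 * ones, so "otp,!hardened" denies a ticket carrying both. 'reason' receives a
 * short log-style explanation naming the indicator that decided the outcome. */
int
evaluate_indicators(const struct indicator_policy *p, const char **ticket,
    size_t n, char *reason, size_t reasonlen)
{
	size_t i;

	for (i = 0; i < p->nforbid; i++)
		if (has_indicator(ticket, n, p->forbid[i])) {
			snprintf(reason, reasonlen, "forbidden indicator '%s' "
			    "present", p->forbid[i]);
			return 0;
		}
	if (p->nrequire == 0) {
		snprintf(reason, reasonlen, "no forbidden indicator present");
		return 1;
	}
	for (i = 0; i < p->nrequire; i++)
		if (has_indicator(ticket, n, p->require[i])) {
			snprintf(reason, reasonlen, "required indicator '%s' "
			    "matched", p->require[i]);
			return 1;
		}
	snprintf(reason, reasonlen, "no required indicator present");
	return 0;
}

int
main(void)
{
	/* Constructed ticket indicator lists mirroring the demo. */
	const char *hardened_ticket[] = { "hardened" };
	const char *otp_ticket[] = { "otp" };
	struct indicator_policy policy;
	char reason[128];

	if (!parse_indicator_policy("otp,pkinit,!hardened", &policy))
		return 1;
	printf("unenforced-user: %s (%s)\n", evaluate_indicators(&policy,
	    hardened_ticket, 1, reason, sizeof(reason)) ? "ok" : "denied", reason);
	printf("enforced-user: %s (%s)\n", evaluate_indicators(&policy,
	    otp_ticket, 1, reason, sizeof(reason)) ? "ok" : "denied", reason);
	return 0;
}
```

Two design points matter for a check like this. Forbidden indicators are evaluated before required ones, so a ticket carrying both otp and hardened is denied, which is what the demo's policy intends for SPAKE-obtained tickets. And a malformed policy string is rejected outright rather than parsed into an empty policy, because an empty policy would authorize every ticket and this option is exactly what stands between a weakly pre-authenticated ticket and a shell; a real sshd would refuse to start on such a config rather than return false from a parser.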

@abbra abbra force-pushed the gssapi-indicators branch from 06b860c to cc9109d (July 17, 2024 03:57)

@abbra abbra (Author) commented Aug 7, 2024

I have been on vacation for the past few weeks, so maybe I missed something...
@djmdjm Is there anything else preventing further review and inclusion of the GSSAPI authentication indicators work?

@beldmit beldmit commented Aug 14, 2024

This code looks good to me after the changes I've requested are done, and we are interested in having it upstream.
@djmdjm could you please look at it if time permits?

@abbra abbra force-pushed the gssapi-indicators branch from cc9109d to 7a0bab8 (September 9, 2024 07:26)
@abbra abbra force-pushed the gssapi-indicators branch from 7a0bab8 to b4e9e3b (May 14, 2025 13:20)
@abbra abbra force-pushed the gssapi-indicators branch from b4e9e3b to e4e2aa7 (September 5, 2025 10:47)

@beldmit beldmit commented Sep 7, 2025

@abbra is it just a rebase, or also changes?

@abbra abbra (Author) commented Sep 7, 2025

Just a rebase to clear a small conflict with the renamed option.

@abbra abbra force-pushed the gssapi-indicators branch from e4e2aa7 to e85372a (October 8, 2025 10:01)

@abbra abbra (Author) commented Oct 8, 2025

@bob-beck suggested adding a CI test. I'll look at this.

gss-serv-krb5.c (outdated)
krb5_free_error_message(krb_context, errmsg);
return 0;
}
if (krb5_kuserok(krb_context, princ, name)) {

A contributor commented inline:

IMO this function would be clearer if it short-circuits when preconditions fail, i.e.

	if (!krb5_kuserok(krb_context, princ, name))
		goto out;
	if (options.gss_indicators == NULL)  {
		retval = 1;
		goto out;
	}
	if (!client->indicators) {
		logit("GSSAPI authentication indicators enforced "
			"but not matched. krb5 principal %s denied",
		    (char *)client->displayname.value);
		goto out;
	}
...
 out:
	if (retval == 1)  {
		logit("Authorized to %s, krb5 principal %s (%s)",
		    name, (char *)client->displayname.value, errmsg);
	}
	krb5_free_principal(krb_context, princ);
	return retval;

@abbra (Author) replied:

Thanks, it makes sense. I rewrote the logic to reduce if-conditions.

@abbra abbra force-pushed the gssapi-indicators branch 2 times, most recently from 815ce02 to 0fa9399 (November 26, 2025 10:27)
@abbra abbra force-pushed the gssapi-indicators branch from 0fa9399 to 3e44137 (December 9, 2025 08:53)

Commit message: same text as the PR description above (RFC 6680 name attributes, GSSAPIIndicators, Fixes: https://bugzilla.mindrot.org/show_bug.cgi?id=2696).
Signed-off-by: Alexander Bokovoy <[email protected]>
@abbra abbra force-pushed the gssapi-indicators branch from 3e44137 to 900a1af (December 11, 2025 08:24)

@abbra abbra (Author) commented Dec 11, 2025

@djmdjm thanks for the comments. I addressed them.

We still need to add a test, but it is a wider effort, as you pointed out in https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-December/042303.html. We have a lot of tests downstream in Fedora/RHEL and plan to adapt them for upstream CI.
