[AFS3-std] rxgk/rxgk-afs updates

[Benjamin Kaduk]

On Wed, 6 Mar 2013, Benjamin Kaduk wrote:

>> On Tue, 5 Mar 2013, Simon Wilkinson wrote:
>> 
>>> 
>>>> commit db73249fa194cb05dccd2de9a8e97794592e9cc5
>>>>    Talk about acceptor principal names for GSSNegotiate
>>> 
>>> I'm happy with the client side language, but...
>>> 
>>> +       The server's configuration as a GSS acceptor SHOULD NOT specify
>>> +       a principal name for acceptor credentials, allowing the use of any
>>> +       available credentials for the negotiation service.</t>
>>> 
>>> I strongly disagree here. The server should specify the identity which it 
>>> is accepting. There have been numerous cross-service attacks in the past 
>>> where flaws in service A can be used to compromise service B because they 
>>> are both prepared to accept the same keys (not least, the original GSS ssh 
>>> work). I would rather that we didn't end up being service A or service B - 
>>> so I think the SHOULD NOT here is entirely inappropriate.
>> 
>> This text was based on a conversation with jhutz to the effect that 
>> "servers should be liberal in what they accept", but I am not tightly 
>> wedded to it. If the client needs application-specific knowledge to choose 
>> a target principal name, then requiring that same application-specific 
>> knowledge in the server hardly seems an overbearing burden.
>> 
>> Do you want to just remove the text entirely, or change it to a SHOULD 
>> specify the name, or something else?
>
> Still awaiting input here.

We also should specify a name type to be used when importing the principal 
name afs-rxgk@_afs.<cellname>, presumably GSS_C_NT_HOSTBASED_SERVICE.

-Ben