[OpenAFS-devel] Aklog/krb5 mappings

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 06 Jul 2005 16:43:42 -0400


On Tuesday, July 05, 2005 07:32:19 PM -0500 Troy Benjegerdes 
<hozer@hozed.org> wrote:

> On Tue, Jul 05, 2005 at 10:38:38AM -0400, Ken Hornstein wrote:
>> > This doesn't fix the problem.  This opens the security hole for aklog
>> > with krb5 tickets as well.  The problem is that there is no way to
>> > distiguish between two krb5 principals;
>> >
>> >	user.admin@REALM
>> >	user/admin@REALM
>> >
>> > Two identities in Kerberos should not be treated as the same identity
>> > in AFS.
>>
>> This code here is ONLY for aklog's client-side PTS lookup, which really
>> exists for two reasons:
>>
>> - Historical (this is the "ID xxxx" output in tokens), which apparantly
>> is only used by some components of the Andrew Mail System.
>> - Determining if the cross-realm PTS entry needs to be created.
>>
>> It doesn't affect the contents of the Kerberos ticket, which is the only
>> thing that matters in terms of security.  There is no security hole in
>> aklog (let me rephrase that: _this_ is not a security hole in aklog).
>>
>> And didn't we already have this discussion six months ago?  The reality
>> is that the Kerberos 524 daemon has been happily mapping V5 principals
>> with a "." in them SINCE DAY ONE, and OpenAFS is the one that
>> arbitrarily rejects V5 principals with a "." in them.
>
> So before the 1.4 release, why don't we correct this ambiguity (which
> seems to confuse a lot of people), and use a (default disabled) option
> to allow the old mapping behavior. Looking back at some old messages,
> would I be correct in saying, the only place we do these mappings is
> in aklog, fileserver, and ptserver? In regards to the mapping in aklog,
> can we just ask the fileserver or ptserver.. that would reduce user
> confusion if aklog thought the site mapping policy was one way, and the
> servers used another.


AFS does not name users with principal names; it names them with usernames, 
which are single strings.  The UserList file and the ptserver protocol both 
use usernames on the wire, not principal names (ACL's are actually 
represented using numeric viceID's, but these are represented as usernames 
on the wire for the purpose of the getacl/setacl operations).

Various things, including the fileserver, know how to construct an AFS 
username from a {name,inst,cell} tuple, which for the purpose of this 
discussion can be treated as equivalent to a V4 principal name.  They do 
_not_ know anything about V5 principal names; the conversion from a V5 
principal name to a {name,inst,cell} tuple is done in krb524d for 
traditional V4 tokens, and in rxkad for V5 and 2B tokens.

The set of valid V5 principal names is considerably larger than the set of 
valid V4 names -- V5 permits more than 2 components, more than 40 
characters per component, and allows characters not permitted in V4.  This 
means that it is impossible to map every valid V5 principal name to a 
unique, valid V4 principal name (and thus to a unique, valid AFS username). 
So, we must make a choice -- we can either map multiple V5 principals to 
the same V4 principal, or permit only a subset of V5 principal names to be 
mapped to V4 names.

Since mapping multiple distinct V5 principals to the same V4 principal 
could result in all sorts of nasty security problems, the approach taken by 
both krb524d and rxkad is to restrict the set of V5 principal names that 
can be mapped to V4 names.  Particularly, mapping fails for the following 
cases:
- Principals with 0 components
- Principals with more than 2 components
- Principals in which any component is longer than 40 characters
- Principals in which the realm is longer than 40 characters

For AFS, the problem is made somewhat worse by the fact that we construct 
usernames by concatenating the V4 name and instance with a dot, but only 
when the instance has non-zero length.  This behavior depends on the 
premise that a V4 principal name will never contain a ".".  While krb524d 
is broken and does not enforce this restriction, the V5 ticket handling 
code in rxkad does.  The reasoning is the same as above -- mapping multiple 
distinct V5 principals to the same AFS username could result in all sort of 
nasty security problems.



Changing the mapping behavior to do something more complex depending on the 
authentication mechanism used is on the roadmap, but will require some 
design work, changes to the ptserver protocol, and probably 
backward-incompatible changes to the PRDB.  Even doing something as simple 
as mapping multi-component V5 principal names to strings containing "/" 
would require a change to the rxkad API and all the places that call it. 
That's not something that I want to do more than once, and it's certainly 
not something that's appropriate to do this late in the release cycle.


Having the default mapping behavior for existing names change as a result 
of a software upgrade to 1.4 would violate the principal of least surprise. 
A subtle change like allowing multiple principal names to map to the same 
username where previously they did not would be particularly bad, since 
such a change has security implications that might not be noticed for some 
time.

I would have no problem if, as a result of the upcoming naming overhaul, we 
started mapping V5 principals to usernames containing slashes.  I would 
have no problem with allowing principals with "." in the first component to 
be mapped as a result of an explicit mapping or of a configured 
name-mapping pattern (both features I hope to see).  And I would have no 
problem with a configuration option or even compile-time option which 
enabled mapping these names by default.

However, it is unacceptable for a software upgrade with no configuration 
change to result in users unexpectedly gaining privileges or access rights 
which they did not previously have.




Finally, I'm getting a little tired of hearing "well, let's just do XXX 
right before 1.4".  We are very close to a 1.4 release.  This late in the 
release cycle, it is appropriate to fix bugs but not to add features or 
make behavioral changes.  This is particularly important for this version, 
which will be the first "stable" version to include support for several 
significant platforms.  At this point, new features, behavior changes, and 
"improvements" should wait for the next development cycle.

-- Jeff