
Re: Disable GSSAPI confidentiality

On Fri, 12 Dec 2008, Dan White wrote:
> Jeremiah Martell wrote:
> > Is there a way, when calling "ldap_sasl_interactive_bind_s", to tell
> > it that when it does LDAP+GSSAPI authentication, only use GSSAPI for
> > authentication, and not confidentiality?
> >
> > In other words, just use GSSAPI to encrypt the authentication part,
> > but not all subsequent searches, etc.
>
> You can use SASL security properties to accomplish that.
...
> dwhite@zek:~$ ldapwhoami -Y GSSAPI -h ldap.example.net -O maxssf=0
> SASL/GSSAPI authentication started
> SASL username: dwhite@EXAMPLE.NET
> SASL SSF: 0
> dn:uid=dwhite@example.net,ou=people,dc=example,dc=net

Hmm, how about integrity checking?  If you want/need to protect your 
connection from substitution attacks or TCP hijacking then you should 
specify a maxssf of one.  The GSSAPI layer would then still carry a crypto 
hash of the data without encrypting it.


Philip Guenther