latchset / kdcproxy Goto Github PK

There is a typo around line 194 of kdcproxy/init.py:

logging.warning("Conection broken while writing (%s)", e)

In init.py, call uses socket.getaddrinfo with no specified socket type to get a list of socket addresses to try. Empirically on my system, this results in SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW addresses. Nothing in the code appears to filter out the SOCK_RAW addresses; I think it should use only SOCK_STREAM or SOCK_DGRAM addresses as UDP and TCP are the only transports over which the Kerberos protocol is defined.

Hello,
is it possible to inspect the KRB ticket request and allow only configured ticket request? E.g.

• TGT and service tickets for only one principal or
• only for one service ...

Thanks in advance

The sending loop in call uses a timeout of 10 seconds for TCP socket addresses, before a successful connection. If a KDC completely fails to respond to packets, the code will wait ten seconds before trying UDP, and then two more seconds before trying another KDC.

In our Active Directory environment UDP is not used, infact the KDC answers with:

 Received error from KDC: -1765328332/Antwort für UDP zu groß, erneuter Versuch mit TCP

Therefore, all servers are set to: [libdefaults]/udp_preference_limit = 1.

kdcproxy.conf is:

[global]
configs = mit

and krb5 .conf on the server where the KDC Proxy is running:

[libdefaults]
    default_realm = AD001.SIEMENS.NET
    forwardable = true
    canonicalize = true
    dns_lookup_kdc = true
    dns_uri_lookup = false
    rdns = false
    udp_preference_limit = 1

[domain_realm]
...

webtest pulls in a lot of dependencies. For Fedora testing, make webtest optional and skip KDCProxyWSGITests tests when the package is not available.

See https://src.fedoraproject.org/rpms/python-kdcproxy/pull-request/3

kdcproxy has no test cases for AS-REQ with anon pkinit and pkinit. FreeIPA 4.5 will use anon PKINIT to establish a FAST channel for OTP.

Currently, the location of the kdcproxy.conf is hard-coded, which is making it harder to integrate into a reasonably well isolated test setup under pythonpaste.

The Kerberos libraries themselves will look at a configuration named by $KRB5_CONFIG, if it's set, in preference to the hard-coded default location. Something akin to this would probably work here, as I don't expect people to randomly be setting, say, KDCPROXY_CONFIG in the environment when launching a proper copy of httpd. An optional initialization parameter would work just as well for my use case, though.

When running kdcproxy in mod_wsgi, it is unclear from which
component error messages come from. For example:

mod_wsgi.c(): [client WARNING:root:Connection broken while writing (...)

https://koji.fedoraproject.org/koji/taskinfo?taskID=17158477

It was discovered that python-kdcproxy did not reject overly large POST requests in the recommend default configuration, allocating arbitrary amounts of memory, eventually triggering the OOM killer, leading to a denial of service.

Possible mitigation:

Add “LimitRequestBody 100000” to the stanza, like this:

<Location "/KdcProxy">
    Satisfy Any
    Order Deny,Allow
    Allow from all
    WSGIProcessGroup kdcproxy
    WSGIApplicationGroup kdcproxy
    LimitRequestBody 100000
</Location>

This has been assigned CVE-2015-5159. Red Hat flaw bug: https://bugzilla.redhat.com/show_bug.cgi?id=1245200

I don't have permission to upload 0.3.3 on PyPI. You can use https://pypi.python.org/pypi/twine to upload the kdcproxy-0.3.3.tar.gz and kdcproxy-0.3.3-py2.py3-none-any.whl files from https://github.com/latchset/kdcproxy/releases/tag/v0.3.3

As the title says, if the kdcproxy perform health check, then it can act as a HA/fault tolerance mechanism at application layer, which I think is what kerberos currently leak of (I think kerberos only has a replica mechanism, but leak of loadblance/HA capability)

https://github.com/latchset/kdcproxy/blob/master/README says I have to see two POST requests in the log of the HTTP server, but I see only one. Is the information with 2x POST still current?

The KDC proxy protocol document requires DER encoding of the ASN.1 values. codec.py imports encoder and decoder from pyasn1.codec.ber, so it may be encoding values in ways that aren't DER-compliant.

In

the property dns_fallback is used, but the krb5.conf reference doc does not even mention it: https://web.mit.edu/kerberos/krb5-1.17/doc/admin/conf_files/krb5_conf.html

I assume you trying to mimic:

https://github.com/krb5/krb5/blob/09c9b7d6f64767429e90ad11a529e6ffa9538043/src/lib/krb5/os/locate_kdc.c#L42-L63

It deserves at least a comment in the code.

Hello,

I'm trying to use kdcproxy installed via apt on Ubuntu 22.04.4 LTS to use with macOS and iOS endpoints using what Apple call the Kerberos SSO Extension

According to their documentation, KKDCP is supported and I can indeed get both macOS and iOS client trying to talk with kdcproxy, however on the kdcproxy side, it fail with an Invalid request length error and 400 code.

Here is a sample content body from an intercepted POST request from an iOS client:

3081f8a081e00481dd6a81da3081d7a103020105a20302010aa30e300c300aa10402020095a2020400a481ba3081b7a00703050050810000a131302fa003020101a12830261b2430613834336339372d353134312d343336662d626335662d623932363864643537643964a2131b1150523330382e4252415641532e54454348a3263024a003020102a11d301b1b066b72627467741b1150523330382e4252415641532e54454348a511180f32303234303332303036333531355aa611180f32303234303431383230333531355aa706020411cfde1aa80e300c020112020111020110020117a1131b1150523330382e4252415641532e54454348

This content however seems correctly decoded by http://ldh.org/asn1.html but I'm not expert in ASN.1.

Is there a config issue on my side? A bug on kdcproxy? Something else?

Hi folks,
I came across this package in my search to find a solution to my problem.
However Im having issues trying to get it to work.
my problem is that I have a client machine that cant see our domain controllers
so Im trying to set up kdcproxy on a machine that can see the controllers that can
be seen from the client machine.

Ive installed both from git and installing from the python-kdcproxy package on both ubuntu (16.04) and centos (7) machines.
Everything installs fine, apache has a config file for redirecting /kdcproxy to the python code, I get a response back from trying to connect to the server:

curl --cacert cert_file https://apache_server/kdcproxy
Method not allowed (GET).

Im not sure if that is the expected return though.
a kinit does different things then your example:

env KRB5_TRACE=/dev/stdout kinit user
[18780] 1526486985.326854: Getting initial credentials for user@domain
[18780] 1526486985.327033: Sending request (189 bytes) to domain
[18780] 1526486985.327066: Resolving hostname apache_server
[18780] 1526486985.327707: Terminating TCP connection to https ip:port
kinit: Cannot contact any KDC for realm 'domain' while getting initial credentials

(hostname/usernames/ip address/domains/etc have been changed to protect the guilty)

on the "apache_server" machine all kerberos related operations work fine, its /etc/krb5.conf file
is set up nicely.

on the machine trying to use the proxy the /etc/krb5.conf file is
...
[realms]
domain = {
http_anchors = FILE:cert_file
kdc = https://apache_server:port/kdcproxy
kpasswd_server = https://apache_server:port/kdcproxy
}

But any attempts on the client machine to ssh into it using krb5 passwords fail.

I can see incoming traffic on apache_server:port from the client machine request but there is never
any traffic outbound to the domain controllers.

there are no error messages nor any messages of any kind in the /var/log/httpd/* files
when an ssh attempt is made on the client.
Startup messages from httpd are there and look fine.

oh and the /etc/kdcproxy file on the apache_server machine has gone through various
forms none of which are any better then any other. but its was things like:
[global]
configs = mit
[domain]
kerberos = kerberos://domaincontroller
kerberos = kerberos+tcp://domaincontroller
similarly with kpasswd, with and without ports (88/464)

Im at a loss as to why I cant get things to work.
Thoughts?

thanks.

steve

libkrb5 does it on its own normally and is influenced by locator plugins. kdcproxy should just follow suite.

PyCA cryptography 1.8 has dropped pyasn1 and uses asn1crypto. The decision was made because the library is faster. We should consider to either replace our ASN.1 parsing with asn1crypto or support both libraries. This would allow us to drop dependency on pyasn1 and pyasn1_modules in FreeIPA stack.

• https://github.com/wbond/asn1crypto
• https://pagure.io/freeipa/issue/7082
• https://cryptography.readthedocs.io/en/latest/changelog/#id7

On two occasions I wrote retval instead of restype. The problem is harmless (NULL return), but still wrong.