On 07/12/2013 05:03 PM, Dmitri Pal wrote:
> On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
>> GSSAPI inside of a TLS channel apparently isn't secure unless the
>> channel is secure and verified. The irony being that GSSAPI auth outside
>> of a TLS connection is just fine for postfix.
> 
> Is this really the case? I am under the impression that Kerberos is
> secure enough outside of the TLS tunnel and this would be just a
> precaution rather than a security measure.
> 

I'll be honest, I doubt I am smart enough / have enough time to figure
all this out. However, this is via a user on the Postfix mailing list:

"GSSAPI inside TLS currently does not perform channel binding, and
so your session can be hijacked, after the client authenticates
with GSSAPI.  You can use "fingerprint" security if your server
certificate is not signed by a usable CA."

I asked for some more details and got this back:

https://tools.ietf.org/html/rfc5056

It sounds to me like this is Postfix specific. But again I don't know
all of the nuances of this, and security on this level can be very nuanced.

Now whether this fellow who gave this information to me is the designer
of TLS in Postfix or just some other poor schlub like myself I can't
say. But it certainly appears like it could be a problem.

-Erinn
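
Added example, not part of the original message and not Postfix code: a toy model of the channel-binding idea from the RFC 5056 link above. An HMAC over a shared key stands in for the GSSAPI exchange, and a hash of the server certificate stands in for the binding value; every name and byte string here is constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins: a real deployment would use the DER-encoded TLS
# server certificates and a Kerberos session key, not these byte strings.
REAL_SERVER_CERT = b"constructed-cert: mail.example.test"
INTERCEPTOR_CERT = b"constructed-cert: interceptor"
SESSION_KEY = os.urandom(32)  # known to the client and the real server only


def channel_binding(cert_seen: bytes) -> bytes:
    """Binding value derived from the server certificate of a TLS connection."""
    return hashlib.sha256(cert_seen).digest()


def client_token(key: bytes, nonce: bytes, cert_seen: bytes, bind: bool) -> bytes:
    """Toy authenticator: MAC over the server nonce and, when bind is True,
    over the binding of the TLS connection the client is actually on."""
    data = nonce + (channel_binding(cert_seen) if bind else b"")
    return hmac.new(key, data, hashlib.sha256).digest()


def server_accepts(key: bytes, nonce: bytes, token: bytes,
                   own_cert: bytes, bind: bool) -> bool:
    """Server recomputes the MAC using the binding of its own TLS endpoint."""
    data = nonce + (channel_binding(own_cert) if bind else b"")
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, token)


def relayed_login(bind: bool, cert_client_sees: bytes) -> bool:
    """The client authenticates over a TLS connection that presented
    cert_client_sees; its token is forwarded unchanged to the real server.
    Returns True if the real server accepts the forwarded token."""
    nonce = os.urandom(16)
    token = client_token(SESSION_KEY, nonce, cert_client_sees, bind)
    return server_accepts(SESSION_KEY, nonce, token, REAL_SERVER_CERT, bind)


if __name__ == "__main__":
    print("unbound token via unverified channel:", relayed_login(False, INTERCEPTOR_CERT))
    print("bound token via unverified channel:  ", relayed_login(True, INTERCEPTOR_CERT))
    print("bound token via direct channel:      ", relayed_login(True, REAL_SERVER_CERT))
```

Without binding, the server cannot tell that the authentication arrived over a different TLS connection than the one the client set up, which is why the quoted advice falls back on verifying the server certificate (CA or fingerprint) instead.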

