On 07/12/2013 05:36 PM, Erinn Looney-Triggs wrote:
> On 07/12/2013 05:03 PM, Dmitri Pal wrote:
>> On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
>>> GSSAPI inside of a TLS channel apparently isn't secure unless the
>>> channel is secure and verified. The irony being that GSSAPI auth outside
>>> of a TLS connection is just fine for Postfix.
>> Is this really the case? I am under the impression that Kerberos is
>> secure enough outside of the TLS tunnel and this would be just a
>> precaution rather than a security measure.
>>
> I'll be honest, I doubt I am smart enough / have enough time to figure
> all this out. However, this is via a user on the Postfix mailing list:
>
> "GSSAPI inside TLS currently does not perform channel binding, and
> so your session can be hijacked, after the client authenticates
> with GSSAPI. You can use "fingerprint" security if your server
> certificate is not signed by a usable CA."
>
> I asked for some more details and got this back:
>
> https://tools.ietf.org/html/rfc5056
>
> It sounds to me like this is Postfix specific. But again I don't know
> all of the nuances of this, and security on this level can be very nuanced.
>
> Now whether this fellow who gave this information to me is the designer
> of TLS in Postfix or just some other poor schlub like myself I can't
> say. But it certainly appears like it could be a problem.
>
> -Erinn
OK, makes sense. Thanks for clarifying.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
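The mechanics behind the quoted warning, as an added example that is not part of this thread and not code from Postfix or any Kerberos/GSSAPI library: a toy model of the AUTH GSSAPI exchange with and without channel binding (RFC 5056, using the RFC 5929 tls-server-end-point binding, a hash of the server certificate), and of what the Postfix "fingerprint" TLS security level changes. The Kerberos authenticator is replaced by an HMAC under a session key that the client and real server share but a man-in-the-middle does not, the certificates are constructed byte strings standing in for DER, SHA-256 is assumed as the binding hash, and all function names (`smtp_auth_gssapi`, `gss_init_token`, `gss_accept_token`, `tls_server_end_point`, `postfix_fingerprint`) are this example's own.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed byte strings standing in for DER-encoded certificates.
SERVER_CERT_DER = b"constructed DER: CN=mail.example.com, issued to the real server"
MITM_CERT_DER = b"constructed DER: CN=mail.example.com, issued to an attacker"

# Constructed stand-in for the Kerberos service-ticket session key. The
# client and the real server share it; the attacker does not.
SESSION_KEY = b"constructed-kerberos-session-key"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' channel binding: a hash of the server's
    end-entity certificate. RFC 5929 takes the hash from the certificate's
    signature algorithm; this example assumes SHA-256 throughout."""
    return hashlib.sha256(cert_der).digest()


def postfix_fingerprint(cert_der: bytes, digest: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the certificate, the form
    smtp_tls_fingerprint_cert_match takes ('openssl x509 -fingerprint'
    prints the same value for a real certificate)."""
    hexdigest = hashlib.new(digest, cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def gss_init_token(principal: str, channel_binding: Optional[bytes]) -> bytes:
    """Client side, standing in for gss_init_sec_context(). If the caller
    supplies channel bindings, a hash of them travels inside the
    integrity-protected authenticator, so a relaying MITM cannot alter it."""
    body = {"principal": principal,
            "cb": channel_binding.hex() if channel_binding is not None else None}
    raw = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(SESSION_KEY, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"|" + mac


def gss_accept_token(token: bytes, expected_cb: Optional[bytes]) -> bool:
    """Server side, standing in for gss_accept_sec_context(). Check integrity
    under the session key; then, only if the server itself supplied channel
    bindings, compare them with what the client bound to."""
    raw, _, mac = token.rpartition(b"|")
    expected_mac = hmac.new(SESSION_KEY, raw, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected_mac):
        return False
    body = json.loads(raw)
    if expected_cb is None:
        return True                      # no channel binding: token accepted as-is
    return body["cb"] == expected_cb.hex()


def smtp_auth_gssapi(client_pin: Optional[str], channel_binding: bool,
                     mitm: bool) -> Tuple[bool, bool]:
    """One AUTH GSSAPI exchange over TLS, seen from the SMTP client.
    Returns (server accepted the token, attacker now owns the authenticated
    session)."""
    presented_cert = MITM_CERT_DER if mitm else SERVER_CERT_DER

    # 1. TLS policy. With the "fingerprint" security level the client only
    #    proceeds if the presented certificate matches the pinned digest.
    if client_pin is not None and postfix_fingerprint(presented_cert) != client_pin:
        return False, False                  # handshake refused, nothing sent

    # 2. The client binds the GSSAPI token to the certificate it actually saw
    #    (which, under a MITM, is the attacker's certificate).
    cb = tls_server_end_point(presented_cert) if channel_binding else None
    token = gss_init_token("alice@EXAMPLE.COM", cb)

    # 3. The token is relayed unchanged (by the MITM, if present) to the real
    #    server, which checks it against its own certificate.
    server_cb = tls_server_end_point(SERVER_CERT_DER) if channel_binding else None
    accepted = gss_accept_token(token, server_cb)
    return accepted, accepted and mitm
```

Running `smtp_auth_gssapi(None, False, True)` shows the hijack the Postfix user described: the attacker terminates TLS with a certificate the client does not check, relays the Kerberos token it cannot read or forge, and ends up holding the authenticated session. Channel binding (`smtp_auth_gssapi(None, True, True)`) fails that relay because the client bound the token to the attacker's certificate, which the real server does not recognise; without it, the client's TLS policy is the only defence, which is why the thread recommends `smtp_tls_security_level = fingerprint` with `smtp_tls_fingerprint_cert_match` set to the server certificate's digest when no usable CA is available (set `smtp_tls_fingerprint_digest` explicitly so the configured value and the digest you computed use the same hash).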