On 07/12/2013 05:36 PM, Erinn Looney-Triggs wrote:
> On 07/12/2013 05:03 PM, Dmitri Pal wrote:
>> On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
>>> GSSAPI inside of a TLS channel apparently isn't secure unless the
>>> channel is secure and verified. The irony being that GSSAPI auth outside
>>> of a TLS connection is just fine for postfix.
>> Is this really the case? I am under the impression that Kerberos is
>> secure enough outside of the TLS tunnel and this would be just a
>> precaution rather than a security measure.
> I'll be honest, I doubt I am smart enough/ have enough time to figure
> all this out. However, this is via a user on the Postfix mailing list:
> "GSSAPI inside TLS currently does not perform channel binding, and
> so your session can be hijacked, after the client authenticates
> with GSSAPI. You can use "fingerprint" security if your server
> certificate is not signed by a usable CA."
> I asked for some more details and got this back:
> It sounds to me like this is Postfix specific. But again I don't know
> all of the nuances of this, and security on this level can be very nuanced.
> Now whether this fellow who gave this information to me is the designer
> of TLS in Postfix or just some other poor schlub like myself I can't
> say. But it certainly appears like it could be a problem.
OK, makes sense. Thanks for clarifying.
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Freeipa-users mailing list
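The "fingerprint" security the quoted Postfix user refers to means pinning the server certificate by its digest instead of relying on a CA chain (in Postfix this is `smtp_tls_security_level = fingerprint` with `smtp_tls_fingerprint_cert_match` holding the expected digest). The snippet below is an added illustration, not part of this thread or of Postfix: it computes a certificate fingerprint in the colon-separated hex form Postfix prints and compares it to a configured value. The DER bytes are a constructed stand-in, not a real certificate, so the example runs offline.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the DER encoding of a server certificate.
# It is NOT a real certificate; the fingerprint logic only needs the raw bytes.
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes (not real)"


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes into a PEM CERTIFICATE block (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM text")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint_from_der(der: bytes, digest: str = "sha256") -> str:
    """Digest of the DER certificate as colon-separated uppercase hex (AA:BB:...)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def postfix_fingerprint(pem_text: str, digest: str = "sha256") -> str:
    """Fingerprint of a PEM certificate in the form Postfix expects for pinning."""
    return fingerprint_from_der(pem_to_der(pem_text), digest)


def fingerprint_matches(pem_text: str, expected: str, digest: str = "sha256") -> bool:
    """Compare a certificate against a configured fingerprint.

    Colons and letter case are ignored so operators can paste either
    'AA:BB:..' or 'aabb..'; the comparison itself is constant-time.
    """
    actual = postfix_fingerprint(pem_text, digest).replace(":", "").lower()
    wanted = expected.replace(":", "").lower()
    return hmac.compare_digest(actual, wanted)


# Constructed PEM built from the stand-in DER bytes above.
SAMPLE_PEM = pem_from_der(SAMPLE_DER)

if __name__ == "__main__":
    fp = postfix_fingerprint(SAMPLE_PEM)
    print("sha256 fingerprint:", fp)
    # Operator would place this value in smtp_tls_fingerprint_cert_match.
    print("matches configured value:", fingerprint_matches(SAMPLE_PEM, fp.lower()))
```

The pinned digest only helps if it is taken from the real server certificate out of band and recomputed whenever the certificate is rotated; a stale pin fails closed, which is the intended behaviour of the fingerprint level.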