[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

2023-10-26 Thread Damien Diederen (Jira)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779790#comment-17779790
 ] 

Damien Diederen commented on ZOOKEEPER-4753:


Hi [~xiaotong.wang],
{quote}we need to verify the server host when we use SASL/Kerberos
{quote}
Yes.

(I also have additional improvements queued regarding this topic, but the 
changes you mention were in fact preliminary to fixing 
[https://zookeeper.apache.org/security.html#CVE-2023-44981]. The other changes 
were not included as not strictly part of the security fix.)
{quote}it's better to verify whether the current authentication is Kerberos or not, 
but now we check it with isDigestAuthn and use 
entry.getLoginModuleName().equals(DigestLoginModule.class.getName())
{quote}
Yes; this is unfortunate. Would you know of a better method to detect the SASL 
mechanism in use? What we really want here is to conditionalize on 
{{DIGEST-MD5}} or {{GSSAPI}}.
{quote}we rewrote DigestLoginModule to make sure user passwords are stored 
encrypted; our new DigestLoginModule requires user_hd=encode("testpwd")

it will be incompatible when we upgrade
{quote}
Indeed. (I was afraid I would hear about something like that… and there we are 
:) Is your custom digest module a subclass of the ZooKeeper one, or an 
unrelated object?
{quote}Is there a better way to fix this issue
{quote}
As mentioned above: I would love it if we could just look up whether 
{{DIGEST-MD5}} or {{GSSAPI}} is in use. Ideas welcome!

In any case, I will take your case into account when submitting the updated 
patch—worst case, you will have to explicitly disable the principal check.

In the meantime, you are not affected by CVE-2023-44981 if using DIGEST-MD5.

HTH, -D

> Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
> 
>
> Key: ZOOKEEPER-4753
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4753
> Project: ZooKeeper
>  Issue Type: Improvement
>  Components: server
>Affects Versions: 3.9.0
>Reporter: Damien Diederen
>Assignee: Damien Diederen
>Priority: Major
> Fix For: 3.7.2, 3.8.3, 3.9.1
>
>
> The SASL-based quorum authorizer does not explicitly distinguish between the 
> DIGEST-MD5 and GSSAPI mechanisms: it is simply relying on {{NameCallback}} 
> and {{PasswordCallback}} for authentication with the former and examining 
> Kerberos principals in {{AuthorizeCallback}} for the latter.
> It turns out that some SASL/DIGEST-MD5 configurations cause authentication 
> and authorization IDs not to match the expected format, and the 
> DIGEST-MD5-based portions of the quorum test suite to fail with obscure 
> errors. (They can be traced to failures to join the quorum, but only by 
> looking into detailed logs.)
> We can use the login module name to determine whether DIGEST-MD5 or GSSAPI is 
> used, and relax the authentication ID check for the former.  As a cleanup, we 
> can keep the password-based credential map empty when Kerberos principals are 
> expected.  Finally, we can adapt tests to ensure "weirdly-shaped" credentials 
> only cause authentication failures in the GSSAPI case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
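The issue description above explains the two callback paths the quorum authorizer relies on (NameCallback/PasswordCallback for DIGEST-MD5, the Kerberos principal in AuthorizeCallback for GSSAPI) and the comment thread discusses how to tell the two apart. The following is an added, self-contained Java example written for this page; it is not ZooKeeper's code. It assumes a design in which the server callback handler is handed the mechanism name explicitly (the same string later passed to Sasl.createSaslServer), keeps the password map empty for GSSAPI, and applies a principal-shape check (hypothetical "service/host@REALM with an expected service name" policy, a stand-in for whatever ZooKeeper actually checks) only on the GSSAPI path. The credentials, host names and principal are constructed sample data. The DIGEST-MD5 exchange runs end to end in-process using the JDK's built-in SASL provider; the GSSAPI branch cannot be exercised without a KDC, so only its authorization decision is called directly.

```java
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslServer;

// Added illustration, not ZooKeeper code: a quorum-style SASL server handler that is told the mechanism up front.
public class QuorumSaslMechanismDemo {
    static final String DIGEST_MD5 = "DIGEST-MD5";
    static final String GSSAPI = "GSSAPI";

    static final class QuorumServerHandler implements CallbackHandler {
        private final String mechanism;
        private final Map<String, String> credentials; // user -> password; DIGEST-MD5 only
        private final String expectedService;          // e.g. "zookeeper"; GSSAPI only (assumed policy)
        QuorumServerHandler(String mechanism, Map<String, String> credentials, String expectedService) {
            this.mechanism = mechanism;
            // Keep the password map empty when Kerberos principals are expected.
            this.credentials = DIGEST_MD5.equals(mechanism) ? credentials : Map.of();
            this.expectedService = expectedService;
        }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            String user = null;
            for (Callback cb : callbacks) {
                if (cb instanceof RealmCallback) {            // accept the realm the client used
                    ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                } else if (cb instanceof NameCallback) {      // DIGEST-MD5 authentication ID
                    user = ((NameCallback) cb).getDefaultName();
                } else if (cb instanceof PasswordCallback) {  // the JDK server needs the cleartext here
                    String pw = credentials.get(user);
                    if (pw != null) ((PasswordCallback) cb).setPassword(pw.toCharArray());
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(authorize(ac.getAuthenticationID(), ac.getAuthorizationID()));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
        // The principal-shape check applies to GSSAPI only; DIGEST-MD5 IDs are plain user names.
        boolean authorize(String authnId, String authzId) {
            if (authnId == null || !authnId.equals(authzId)) return false;
            if (GSSAPI.equals(mechanism)) {                   // expect service/host@REALM
                int slash = authnId.indexOf('/'), at = authnId.indexOf('@');
                return slash > 0 && at > slash + 1 && at < authnId.length() - 1
                        && expectedService.equals(authnId.substring(0, slash));
            }
            return credentials.containsKey(authnId);
        }
    }

    // Client side of the in-process DIGEST-MD5 exchange (the server offers a single realm).
    static CallbackHandler clientHandler(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password.toCharArray());
                } else if (cb instanceof RealmCallback) {
                    ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Runs a complete DIGEST-MD5 handshake in-process and returns the ID the server authorized.
    static String digestLoopback(String user, String password, Map<String, String> serverCreds) throws Exception {
        CallbackHandler sh = new QuorumServerHandler(DIGEST_MD5, serverCreds, "zookeeper");
        SaslServer server = Sasl.createSaslServer(DIGEST_MD5, "zookeeper", "localhost", Map.of(), sh);
        SaslClient client = Sasl.createSaslClient(new String[] {DIGEST_MD5}, null, "zookeeper",
                "localhost", Map.of(), clientHandler(user, password));
        byte[] response = client.evaluateChallenge(server.evaluateResponse(new byte[0])); // server-first
        while (!server.isComplete()) {
            byte[] challenge = server.evaluateResponse(response);
            if (challenge != null && !client.isComplete()) response = client.evaluateChallenge(challenge);
        }
        return server.getAuthorizationID();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> creds = Map.of("zk1", "s3cret"); // constructed sample credential
        System.out.println("DIGEST-MD5 authorized as: " + digestLoopback("zk1", "s3cret", creds));
        QuorumServerHandler krb = new QuorumServerHandler(GSSAPI, creds, "zookeeper"); // no KDC: call policy directly
        String principal = "zookeeper/zk1.example.org@EXAMPLE.ORG";
        System.out.println("GSSAPI " + principal + " -> " + krb.authorize(principal, principal));
        System.out.println("GSSAPI plain user zk1 -> " + krb.authorize("zk1", "zk1"));
    }
}
```

Compile and run with `javac QuorumSaslMechanismDemo.java && java QuorumSaslMechanismDemo` on JDK 11 or later. Two points worth noting against the thread: the JDK's DIGEST-MD5 server asks the handler for the cleartext password through PasswordCallback and computes the digest itself, so a login module that stores an encoded password (as in the `user_hd=encode(...)` scheme described below) has to decode it before answering that callback; and nothing in the mechanism-name approach depends on the login module class, which is what makes a subclassed or replacement DigestLoginModule keep working with it. A wrong principal shape is rejected only on the GSSAPI branch; with DIGEST-MD5 the plain user name "zk1" is accepted.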


[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

2023-10-24 Thread xiaotong.wang (Jira)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779049#comment-17779049
 ] 

xiaotong.wang commented on ZOOKEEPER-4753:
--

[~ztzg] we need to verify the server host when we use SASL/Kerberos; it's better 
to verify whether the current authentication is Kerberos or not, but now we check it 
with isDigestAuthn and use 
entry.getLoginModuleName().equals(DigestLoginModule.class.getName()) 

we rewrote DigestLoginModule to make sure user passwords are stored 
encrypted; 
our new DigestLoginModule requires 
user_hd=encode("testpwd") 
 
it will be incompatible when we upgrade 
 
Is there a better way to fix this issue?
 



[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

2023-10-13 Thread Luke Chen (Jira)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774848#comment-17774848
 ] 

Luke Chen commented on ZOOKEEPER-4753:
--

I see. Thanks.



[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

2023-10-13 Thread Andor Molnar (Jira)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774847#comment-17774847
 ] 

Andor Molnar commented on ZOOKEEPER-4753:
-

[~showuon] Yes it is.



[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

2023-10-12 Thread Luke Chen (Jira)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774369#comment-17774369
 ] 

Luke Chen commented on ZOOKEEPER-4753:
--

[~ztzg], is this the CVE-2023-44981 issue?
