[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779790#comment-17779790 ]

Damien Diederen commented on ZOOKEEPER-4753:
--------------------------------------------

Hi [~xiaotong.wang],

{quote}we need to verify the server host when we use SASL/Kerberos{quote}

Yes. (I also have additional improvements queued regarding this topic, but the changes you mention were in fact preliminary to fixing [https://zookeeper.apache.org/security.html#CVE-2023-44981]. The other changes were not included as not strictly part of the security fix.)

{quote}it's better to verify if current authentication is Kerberos or not, but now we check it with isDigestAuthn and use entry.getLoginModuleName().equals(DigestLoginModule.class.getName()){quote}

Yes; this is unfortunate. Would you know of a better method to detect the SASL mechanism in use? What we really want here is to conditionalize on {{DIGEST-MD5}} or {{GSSAPI}}.

{quote}we rewrote DigestLoginModule to make sure user passwords are stored encrypted; our new DigestLoginModule requires user_hd=encode("testpwd"); it will be incompatible when we upgrade{quote}

Indeed. (I was afraid I would hear about something like that… and there we are :)

Is your custom digest module a subclass of the ZooKeeper one, or an unrelated object?

{quote}Is there a better way to fix this issue{quote}

As mentioned above: I would love it if we could just look up whether {{DIGEST-MD5}} or {{GSSAPI}} is in use. Ideas welcome!

In any case, I will take your case into account when submitting the updated patch—worst case, you will have to explicitly disable the principal check. In the meantime, you are not affected by CVE-2023-44981 if using DIGEST-MD5.
HTH, -D


> Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
> --------------------------------------------------------
>
>                 Key: ZOOKEEPER-4753
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4753
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.9.0
>            Reporter: Damien Diederen
>            Assignee: Damien Diederen
>            Priority: Major
>             Fix For: 3.7.2, 3.8.3, 3.9.1
>
>
> The SASL-based quorum authorizer does not explicitly distinguish between the
> DIGEST-MD5 and GSSAPI mechanisms: it is simply relying on {{NameCallback}}
> and {{PasswordCallback}} for authentication with the former and examining
> Kerberos principals in {{AuthorizeCallback}} for the latter.
>
> It turns out that some SASL/DIGEST-MD5 configurations cause authentication
> and authorization IDs not to match the expected format, and the
> DIGEST-MD5-based portions of the quorum test suite to fail with obscure
> errors. (They can be traced to failures to join the quorum, but only by
> looking into detailed logs.)
>
> We can use the login module name to determine whether DIGEST-MD5 or GSSAPI is
> used, and relax the authentication ID check for the former. As a cleanup, we
> can keep the password-based credential map empty when Kerberos principals are
> expected. Finally, we can adapt tests to ensure "weirdly-shaped" credentials
> only cause authentication failures in the GSSAPI case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
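The thread asks for a way to branch on the mechanism itself rather than on the login module's class name. The following is an added illustration, not ZooKeeper's code: a server-side callback handler that is told which mechanism the SaslServer was created for, keeps the password map empty for GSSAPI, relaxes the authentication-ID check for DIGEST-MD5, and enforces a principal-shape check only for GSSAPI. The class name, the credentials map, the principal regex and the sample user are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

// Illustration, not ZooKeeper code: branch quorum-auth checks on the SASL mechanism the SaslServer
// was created for, not on the login module's class name, which a custom subclass can change.
public class MechanismAwareQuorumHandler implements CallbackHandler {
    private final String mechanism;                 // "DIGEST-MD5" or "GSSAPI"
    private final Map<String, String> credentials;  // hypothetical user -> password map
    MechanismAwareQuorumHandler(String mechanism, Map<String, String> credentials) {
        this.mechanism = mechanism;
        // Keep the password map empty when Kerberos principals are expected.
        this.credentials = "GSSAPI".equals(mechanism) ? Map.of() : credentials;
    }

    // Assumed shape of a Kerberos service principal: service/host@REALM
    static boolean looksLikeServicePrincipal(String id) {
        return id.matches("[^/@]+/[^/@]+@[^/@]+");
    }
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        String user = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {              // DIGEST-MD5: authentication ID
                user = ((NameCallback) cb).getDefaultName();
            } else if (cb instanceof PasswordCallback) {   // DIGEST-MD5: shared secret lookup
                String pw = user == null ? null : credentials.get(user);
                if (pw != null) ((PasswordCallback) cb).setPassword(pw.toCharArray());
            } else if (cb instanceof RealmCallback) {
                ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                boolean ok = ac.getAuthenticationID().equals(ac.getAuthorizationID());
                // GSSAPI: also require a well-formed principal; DIGEST-MD5: relax that check.
                if ("GSSAPI".equals(mechanism)) ok = ok && looksLikeServicePrincipal(ac.getAuthenticationID());
                ac.setAuthorized(ok);
                if (ok) ac.setAuthorizedID(ac.getAuthorizationID());
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
    public static void main(String[] args) throws SaslException {
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "localhost", null,
                new MechanismAwareQuorumHandler("DIGEST-MD5", Map.of("learner", "constructed-secret")));
        System.out.println("negotiated mechanism: " + server.getMechanismName());
    }
}
```

The mechanism string is the one handed to Sasl.createSaslServer, so the decision no longer depends on which DigestLoginModule class the JAAS configuration names.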
[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779049#comment-17779049 ]

xiaotong.wang commented on ZOOKEEPER-4753:
------------------------------------------

[~ztzg] we need to verify the server host when we use SASL/Kerberos; it's better to verify whether the current authentication is Kerberos or not, but now we check it with isDigestAuthn and use entry.getLoginModuleName().equals(DigestLoginModule.class.getName()).

We rewrote DigestLoginModule to make sure user passwords are stored encrypted; our new DigestLoginModule requires user_hd=encode("testpwd"), and it will be incompatible when we upgrade.

Is there a better way to fix this issue?
[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774848#comment-17774848 ]

Luke Chen commented on ZOOKEEPER-4753:
--------------------------------------

I see. Thanks.
[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774847#comment-17774847 ]

Andor Molnar commented on ZOOKEEPER-4753:
-----------------------------------------

[~showuon] Yes it is.
[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774369#comment-17774369 ]

Luke Chen commented on ZOOKEEPER-4753:
--------------------------------------

[~ztzg], is this the CVE-2023-44981 issue?