[Freeipa-users] Is GSSAPI secure without TLS?

Dmitri Pal dpal at redhat.com
Fri Jul 12 21:46:20 UTC 2013


On 07/12/2013 05:36 PM, Erinn Looney-Triggs wrote:
> On 07/12/2013 05:03 PM, Dmitri Pal wrote:
>> On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
>>> GSSAPI inside of a TLS channel apparently isn't secure unless the
>>> channel is secure and verified. The irony being that GSSAPI auth outside
>>> of a TLS connection is just fine for postfix.
>> Is this really the case? I am under the impression that Kerberos is
>> secure enough outside of the TLS tunnel and this would be just a
>> precaution rather than a security measure.
>>
> I'll be honest, I doubt I am smart enough/ have enough time to figure
> all this out. However, this is via a user on the Postfix mailing list:
>
> "GSSAPI inside TLS currently does not perform channel binding, and
> so your session can be hijacked, after the client authenticates
> with GSSAPI.  You can use "fingerprint" security if your server
> certificate is not signed by a usable CA."
>
> I asked for some more details and got this back:
>
> https://tools.ietf.org/html/rfc5056
>
> It sounds to me like this is Postfix specific. But again I don't know
> all of the nuances of this, and security on this level can be very nuanced.
>
> Now whether this fellow who gave this information to me is the designer
> of TLS in Postfix or just some other poor schlub like myself I can't
> say. But it certainly appears like it could be a problem.
>
> -Erinn

OK, makes sense. Thanks for clarifying.

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
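
The point raised in the quoted Postfix advice is that GSSAPI and TLS are independent unless the GSSAPI token commits to something about the TLS channel (RFC 5056 channel binding; RFC 5929 defines the TLS binding types). The following Python is an added example, not code from the thread, Postfix, or FreeIPA. It models the relay: a man-in-the-middle terminates the client's TLS session, forwards the client's GSSAPI token over its own TLS session to the real server, and is then accepted as the client. The model simplifies deliberately: the GSSAPI initial token stands in for the Kerberos AP-REQ whose checksum carries a channel-binding hash (RFC 4121 section 4.1.1.2) and is modelled as an HMAC under a shared session key; the "certificates" are constructed byte strings; tls-server-end-point is taken as SHA-256 of the certificate, which is what RFC 5929 specifies for a SHA-256-signed certificate. SESSION_KEY, SERVER_CERT, ATTACKER_CERT and CLIENT are constructed sample data.

```python
"""Why GSSAPI inside TLS needs channel binding (RFC 5056 / RFC 5929).

Added example, not from the mailing-list thread. Simplified model:
  * the GSSAPI token is an HMAC under a shared session key over
    (client principal || channel-binding hash), standing in for the
    Kerberos AP-REQ checksum 'Bnd' field (RFC 4121 4.1.1.2);
  * certificates are constructed byte strings; tls-server-end-point is
    SHA-256 of the certificate as RFC 5929 specifies for SHA-256-signed certs.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (not real keys or certificates).
SESSION_KEY = secrets.token_bytes(32)
SERVER_CERT = b"constructed DER for CN=mail.example.test"
ATTACKER_CERT = b"constructed DER for CN=mail.example.test (attacker's own cert)"
CLIENT = b"alice@EXAMPLE.TEST"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point: hash of the server's end-entity certificate."""
    return hashlib.sha256(cert_der).digest()


def make_gss_token(client: bytes, channel_binding: Optional[bytes]) -> bytes:
    """Initiator side: token = body || MAC(body); body carries the binding hash.

    A zero-filled binding field models an initiator that supplies no bindings.
    """
    bnd = hashlib.sha256(channel_binding).digest() if channel_binding else bytes(32)
    body = client + b"|" + bnd
    return body + hmac.new(SESSION_KEY, body, hashlib.sha256).digest()


def accept_gss_token(token: bytes, expected_binding: Optional[bytes]) -> bool:
    """Acceptor side: verify the MAC, then the channel binding if one is expected."""
    body, mac = token[:-32], token[-32:]
    good = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, good):
        return False
    if expected_binding is None:
        return True  # acceptor not configured to check bindings at all
    bnd_in_token = body[-32:]
    return hmac.compare_digest(bnd_in_token, hashlib.sha256(expected_binding).digest())


def direct_connection(use_channel_binding: bool) -> bool:
    """Client talks TLS straight to the server; both sides see SERVER_CERT."""
    cb = tls_server_end_point(SERVER_CERT) if use_channel_binding else None
    return accept_gss_token(make_gss_token(CLIENT, cb), cb)


def relay_attack(use_channel_binding: bool) -> bool:
    """Return True if the man-in-the-middle ends up authenticated as CLIENT."""
    # The client's TLS session terminates at the attacker, so the only
    # certificate the client can bind to is the attacker's.
    client_cb = tls_server_end_point(ATTACKER_CERT) if use_channel_binding else None
    token = make_gss_token(CLIENT, client_cb)
    # The attacker forwards the token unchanged over its own TLS session;
    # the real server derives the expected binding from its own certificate.
    server_cb = tls_server_end_point(SERVER_CERT) if use_channel_binding else None
    return accept_gss_token(token, server_cb)


if __name__ == "__main__":
    print("direct, no binding :", direct_connection(False))   # True
    print("direct, binding    :", direct_connection(True))    # True
    print("relay,  no binding :", relay_attack(False))        # True  (hijack works)
    print("relay,  binding    :", relay_attack(True))         # False (hijack blocked)
```

The protection lives entirely in the acceptor's check: when the server is handed no expected binding (the `expected_binding is None` branch) the relayed token is accepted, which is the situation the Postfix advice describes. That is also why the quoted advice falls back to verifying the server certificate ("fingerprint" security when no usable CA signs it): if the client refuses to complete the TLS handshake with anyone but the real server, the attacker never gets a TLS session to relay through, with or without channel binding.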

