kdc: Reduce max UDP reply size default to 500 bytes and document better (fix #1216) #1218
7d2c3b0 to e92437e
Well, all these test failures...
The Of course we could and should fix the Heimdal client to handle
The MIT Kerberos KDC always sends
e92437e to feed2c0
The place where we handle the too-big error in
I think the third paragraph of section 5.4.4 mentions it: “If the Kerberos FAST padata is included in the request but not included in the error reply, it is a matter of the local policy on the client to accept the information in the error message without integrity protection. However, the client SHOULD process the KDC errors as the result of the KDC's inability to accept the AP_REQ armor and potentially retry another request with a different armor when applicable. […]”
I haven't looked closely at any of this but the prospect of a server returning any kind of fine-grained error information to an unauthenticated client, and of a client acting meaningfully on any unauthenticated error reports, is making my skin crawl.
It's not ready for review. Kerberos relies on some "fine-grained error information" (e.g., what enctypes are supported, salts, etc.) to be provided to unauthenticated clients in order for them to authenticate. Anyways, when I'm done, if you set
ba739f6 to a0b37aa
I think this is almost ready for code review. The code is getting exercised, but now we're not testing
a0b37aa to 9829b81
And now with testing.
@riastradh would you like to do a code review?
9829b81 to 9cd47ec
I've also added two somewhat unrelated commits, one to speed up
I might as well do the here-document thing for most uses of
f0c1008 to 93bcc1d
I've pushed the extraneous commits separately to
93bcc1d to 3433d6b
3433d6b to 6983674
9d1a9cf to a2e0258
Also minimizing the
This is due to a) the We can further minimize the
krb5_mk_error_ext() with a NULL server name would generate a KRB-ERROR with its sname field set to a zero-component principal name. This causes Java's Krb5 client to throw an IllegalArgumentException with `Empty nameStrings not allowed` as its message. Now krb5_mk_error_ext() with a NULL server name will set the sname field to a one-component name with the one component being "<>". We also minimize the srealm, setting it to "<>" as well.
a2e0258 to a652513
a652513 to 5cbe4e0
5cbe4e0 to 4b9cf7b
Thanks @nicowilliams for putting the explanation about Samba's strange NOT_FOUND_HERE handling into the code, that will help others understand our strange RODC hook. The code looks pretty good to me at an initial glance.
See #1216. This change will drop the max UDP reply size to 500 bytes, causing the KDC to reply to all requests sent via UDP with a `KRB5_ERR_RESPONSE_TOO_BIG` error that causes clients to switch to using TCP.
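The transport fallback the description relies on, as an added example in Python that is not Heimdal's code: the KDC compares the encoded reply against the configured maximum and answers a too-large UDP request with `KRB5_ERR_RESPONSE_TOO_BIG` (error code 52 in RFC 4120), and the client retries the same request over TCP. The `Kdc`/`Client` classes, the canned reply sizes and the request names are constructed stand-ins, not real ASN.1 messages; the `<>` sname and srealm follow the commit message above.

```python
"""Model of the KDC max-UDP-reply-size check and the client's TCP fallback.

Added illustration, not Heimdal code. A reply that does not fit in
max_udp_reply_size (500 bytes by default after this change) is answered over
UDP with KRB5_ERR_RESPONSE_TOO_BIG and the client retries over TCP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

KRB5_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120 KRB_ERR_RESPONSE_TOO_BIG
DEFAULT_MAX_UDP_REPLY_SIZE = 500  # default introduced by this PR

# Constructed sample replies (byte lengths only; real replies are DER-encoded).
CANNED_REPLIES: Dict[str, bytes] = {
    "as-rep-small": b"\x6b" * 300,   # fits in 500 bytes
    "as-rep-large": b"\x6b" * 1500,  # typical reply with a PAC: does not fit
}


@dataclass(frozen=True)
class KrbError:
    """Simplified KRB-ERROR: only the fields this example needs."""
    error_code: int
    # Per the commit message above: a NULL server name is rendered as the
    # one-component name "<>" and srealm "<>" to keep the error small.
    sname: str = "<>"
    srealm: str = "<>"

    def encoded_size(self) -> int:
        # Constructed rough estimate of the encoded size, not real DER.
        return 40 + len(self.sname) + len(self.srealm)


class Kdc:
    def __init__(self, max_udp_reply_size: int = DEFAULT_MAX_UDP_REPLY_SIZE):
        self.max_udp_reply_size = max_udp_reply_size
        self.too_big_errors = 0

    def handle(self, transport: str, request: str) -> Union[bytes, KrbError]:
        """Return the full reply, or RESPONSE_TOO_BIG if it will not fit over UDP."""
        reply = CANNED_REPLIES[request]
        if transport == "udp" and len(reply) > self.max_udp_reply_size:
            self.too_big_errors += 1
            err = KrbError(KRB5_ERR_RESPONSE_TOO_BIG)
            # The error itself must fit, or the client could never learn to retry.
            assert err.encoded_size() <= self.max_udp_reply_size
            return err
        return reply


class Client:
    def __init__(self, kdc: Kdc):
        self.kdc = kdc
        self.transports_used: List[str] = []

    def request(self, request: str, tcp_fallback: bool = True) -> Optional[bytes]:
        """Try UDP first; on RESPONSE_TOO_BIG repeat the same request over TCP."""
        for transport in ("udp", "tcp"):
            self.transports_used.append(transport)
            result = self.kdc.handle(transport, request)
            if isinstance(result, KrbError):
                if result.error_code == KRB5_ERR_RESPONSE_TOO_BIG and tcp_fallback:
                    continue  # same request again, next transport
                return None  # any other error, or fallback disabled: give up
            return result
        return None


def transports_for(request: str, max_udp_reply_size: int = DEFAULT_MAX_UDP_REPLY_SIZE) -> List[str]:
    """Which transports a client ends up using for the given canned request."""
    client = Client(Kdc(max_udp_reply_size))
    client.request(request)
    return client.transports_used


if __name__ == "__main__":
    for name in CANNED_REPLIES:
        print(name, "->", transports_for(name))
```

With the 500-byte default, a reply large enough to carry a PAC is answered with the error over UDP and fetched over TCP on the second attempt, while a reply under the limit is completed in one UDP exchange; raising `max_udp_reply_size` above the reply size removes the fallback, which is the behaviour the PR trades away in favour of the TCP switch.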