From owner-freebsd-security@freebsd.org Sat Dec 12 10:21:27 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3B8A64B054C for ; Sat, 12 Dec 2020 10:21:27 +0000 (UTC) (envelope-from ml@netfence.it) Received: from soth.netfence.it (mailserver.netfence.it [78.134.96.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mailserver.netfence.it", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CtNwk0H79z4jn4 for ; Sat, 12 Dec 2020 10:21:25 +0000 (UTC) (envelope-from ml@netfence.it) Received: from alamar.ventu (mailserver.netfence.it [78.134.96.152]) (authenticated bits=0) by soth.netfence.it (8.16.1/8.16.1) with ESMTPSA id 0BCALE6k048861 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Sat, 12 Dec 2020 11:21:14 +0100 (CET) (envelope-from ml@netfence.it) X-Authentication-Warning: soth.netfence.it: Host mailserver.netfence.it [78.134.96.152] claimed to be alamar.ventu Subject: Kerberos: base or port? [Was: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl] To: Benjamin Kaduk Cc: freebsd-security@freebsd.org References: <20201209230300.03251CA1@freefall.freebsd.org> <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> <20201211202315.GK64351@kduck.mit.edu> From: Andrea Venturoli Message-ID: <08c18c5e-d0fe-16c2-dd17-af5162fd8716@netfence.it> Date: Sat, 12 Dec 2020 11:21:14 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1 MIME-Version: 1.0 In-Reply-To: <20201211202315.GK64351@kduck.mit.edu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.83 X-Rspamd-Queue-Id: 4CtNwk0H79z4jn4 X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=pass (policy=none) header.from=netfence.it; spf=pass (mx1.freebsd.org: domain of ml@netfence.it designates 78.134.96.152 as permitted sender) smtp.mailfrom=ml@netfence.it X-Spamd-Result: default: False [-1.80 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:78.134.96.152]; MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[78.134.96.152:from]; SPAMHAUS_ZRD(0.00)[78.134.96.152:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[netfence.it,none]; NEURAL_SPAM_LONG(1.00)[1.000]; RCVD_COUNT_ONE(0.00)[1]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:35612, ipnet:78.134.0.0/17, country:IT]; RCVD_TLS_ALL(0.00)[]; SUBJECT_HAS_QUESTION(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Dec 2020 10:21:27 -0000 On 12/11/20 9:23 PM, Benjamin Kaduk wrote: > It would be useful to give more specifics on the failures, as there's a few > classes of things that can go wrong. I thought this would be OT in this thread, but I'll gladly comply :) > It doesn't look like openssl from > ports attempts to support the TLS ciphers with kerberos, which would rule > out the "openssl tries to depend on kerberos" class of issues. Not sure I understand (too much ignorance on my part). > I assume, > then, that you're running into API conflicts where hcrypto and libcrypto > present similar-named symbols Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.ml just forbids compilation if using OpenSSL from ports and GSSAPI from base: > IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base, please select another GSSAPI value Now that I know there are patches for 11.4, I hope I'm not going to need OpenSSL from ports, so this is losing interest for me. > (The heimdal in base is quite old anyway, and using an external kerberos > would be recommended in general if you're using it for much.) This is an interesting statement. I barely know what Kerberos is: granted, I know what it was designed for and what it provides, but for me it's more or less just a dependency of Samba and related software. My uses cases are: _ Samba AD DC; _ Samba AD member file server; _ various ways of authenticating against Samba (winbindd, pam_ldap, nss_ldap, saslauthd, etc...); _ kerberizing NFSv4 has been in my todo list for a while (but with too low priority for now :) In spite of everything working, should I abandon Heimdal from base? For Heimdal from ports? (Consider Samba is using it's own bundled Heimdal, so this would be for pam_ldap, nss_ldap, saslauthd, ....). bye & Thanks av.