From nobody Mon Jul 28 22:49:28 2025
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
References: <202507211410.56LEAD6J066633@gitrepo.freebsd.org>
<47C3CC37-6F32-4376-900A-B5387B9817D5@freebsd.org> <20250721144645.3BA391BE@slippy.cwsent.com> <20250722155941.AC7EB121@slippy.cwsent.com>
From: Rick Macklem
Date: Mon, 28 Jul 2025 15:49:28 -0700
Subject: Re: git: c7da9fb90b0b - main - KRB5: Enable MIT KRB5 by default
To: Benjamin Kaduk
Cc: Konstantin Belousov, Cy Schubert, Jessica Clarke, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org

On Mon, Jul 28, 2025 at 3:32 PM Benjamin Kaduk wrote:
>
> On Mon, Jul 28, 2025 at 3:04 PM Benjamin Kaduk wrote:
>>
>> Note that MIT krb5 provides the gss_krb5_export_lucid_sec_context() API that does a lot of the work of getting useful bits out of an established GSS security context.
>>
>
> And a bit more context on what is going on here and why kgssapi has to care:
> The GSS-API (RFC 2743) is all about a way to "establish a security context" (i.e., do crypto negotiation, authentication, sometimes authorization, etc.) between two entities, the initiator and the acceptor, and then exchanging protected messages between the two (which can be either encrypted or just integrity protection tags for otherwise cleartext data); later extensions included the ability to produce identical PRF output on both parties, etc. The details are "mechanism-specific", and for this purpose we're exclusively talking about the krb5 mechanism.
> The steps to establish the security context are complicated and sometimes fiddly, and in the general case can require a large number of round-trips between the initiator and acceptor before the security context is established. The individual message-protection parts are comparatively simple and amenable to implementation in the kernel for processing efficiency.
> RFC 2743 also defines functions for GSS_Export_sec_context() and GSS_Import_sec_context(), that are designed essentially to pass information about an established security context from one process to another on the same machine (which are presumably using the same implementation and version of the implementation), so the contents of the exported blob are opaque and implementation-specific. We are abusing that mechanism to export information about the security context that gssd has established and feed that information into the kernel implementation of the per-message processing routines. At present, this necessarily entails knowing the details of the implementation-specific opaque blob that is the "export sec context token", which is what the sys/kgssapi/krb5/krb5_mech.c code is doing. But if we can get the information we want without breaking the abstraction barrier, such as via the gss_krb5_export_lucid_sec_context() API, we are in a more robust posture overall and somewhat future-proofed against future evolution by MIT krb5.

Yes, that was my thinking too.

> (I note that recent Heimdal versions seem to also expose a gss_krb5_export_lucid_sec_context() API, so part of the problem is just that the Heimdal in base is so old.)

Good to hear, just in case there is a decision to go that way. (At this point, I doubt that.)

I am working on using gss_inquire_sec_context_by_oid(), which I think is just a front-end to gss_krb5_export_lucid_sec_context()? If that doesn't work, I'll switch to gss_krb5_export_lucid_sec_context().

(I am still waiting for the day when there is another mechanism. I have heard rumblings w.r.t. a mechanism for the OAuth stuff, but as far as I know, about all that they did was define an OID for it.)

Btw, do you have any experience porting KDC databases from Heimdal to MIT? (At this point, Cy has done it, but after doing so, the passwords all had to be reset. He thought he had used "--decrypt" when he dumped the Heimdal KDC.)

rick

>
> -Ben
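What the kernel side would consume if kgssapi took the lucid route discussed above, as an added example that is not code from FreeBSD's kgssapi, gssd, or MIT krb5: a validate-and-copy step from a gss_krb5_lucid_context_v1_t into a hypothetical in-kernel handoff record. The typedefs restate the layout of MIT's lucid structures so the file builds without the library (an assumption to check against the installed <gssapi/gssapi_krb5.h>); `struct kgss_handoff`, `lucid_to_handoff()`, `enctype_keylen()` and `sample_lucid()` are invented for the example, and the constructed sample context stands in for what gss_krb5_export_lucid_sec_context() would return after a real context establishment.

```c
/* Added example, not code from FreeBSD, kgssapi or MIT krb5. The typedefs
 * restate the shape of gss_krb5_lucid_context_v1_t from MIT's
 * <gssapi/gssapi_krb5.h> (an assumption: check the installed header). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef uint32_t OM_uint32;
typedef uint64_t OM_uint64;

typedef struct { OM_uint32 type, length; void *data; } gss_krb5_lucid_key_t; /* enctype, bytes, key */
typedef struct { OM_uint32 sign_alg, seal_alg; gss_krb5_lucid_key_t ctx_key; } gss_krb5_rfc1964_keydata_t;
typedef struct {
    OM_uint32 have_acceptor_subkey;
    gss_krb5_lucid_key_t ctx_key, acceptor_subkey;
} gss_krb5_cfx_keydata_t;
typedef struct {
    OM_uint32 version;   /* must be 1 */
    OM_uint32 initiate;  /* nonzero if this side is the initiator */
    OM_uint32 endtime;   /* context expiry, seconds since the epoch */
    OM_uint64 send_seq, recv_seq;
    OM_uint32 protocol;  /* 0: RFC 1964 tokens, 1: CFX (RFC 4121) tokens */
    gss_krb5_rfc1964_keydata_t rfc1964_kd;
    gss_krb5_cfx_keydata_t cfx_kd;
} gss_krb5_lucid_context_v1_t;

/* Hypothetical record handed to an in-kernel per-message implementation:
 * only what wrap/unwrap/MIC need, no credentials and no KDC state. */
struct kgss_handoff {
    int initiate, cfx;           /* cfx: 1 for RFC 4121 tokens, 0 for RFC 1964 */
    uint32_t enctype, keylen, endtime;
    uint64_t send_seq, recv_seq;
    uint8_t key[64];
};

/* Key length a given enctype must carry (RFC 3962, RFC 8009); 0 = not handled here. */
uint32_t enctype_keylen(uint32_t enctype) {
    switch (enctype) {
    case 17: return 16;  /* aes128-cts-hmac-sha1-96 */
    case 18: return 32;  /* aes256-cts-hmac-sha1-96 */
    case 19: return 16;  /* aes128-cts-hmac-sha256-128 */
    case 20: return 32;  /* aes256-cts-hmac-sha384-192 */
    default: return 0;
    }
}

/* Validate a lucid context and copy out the per-message state.
 * Returns 0 on success, a negative code for a context the kernel should refuse. */
int lucid_to_handoff(const gss_krb5_lucid_context_v1_t *lc, uint32_t now,
                     struct kgss_handoff *out) {
    const gss_krb5_lucid_key_t *k;
    uint32_t want;
    if (lc->version != 1) return -1;
    if (lc->endtime <= now) return -2;           /* already expired */
    if (lc->protocol == 1) {
        /* CFX: when an acceptor subkey exists it is the per-message key (RFC 4121). */
        k = lc->cfx_kd.have_acceptor_subkey ? &lc->cfx_kd.acceptor_subkey
                                            : &lc->cfx_kd.ctx_key;
    } else if (lc->protocol == 0) {
        k = &lc->rfc1964_kd.ctx_key;
    } else {
        return -3;                               /* unknown token protocol */
    }
    want = enctype_keylen(k->type);
    if (want == 0) return -4;                    /* enctype not supported here */
    if (k->length != want || k->data == NULL) return -5;
    memset(out, 0, sizeof *out);
    out->initiate = lc->initiate != 0;
    out->cfx = lc->protocol == 1;
    out->enctype = k->type; out->keylen = k->length;
    memcpy(out->key, k->data, k->length);
    out->send_seq = lc->send_seq; out->recv_seq = lc->recv_seq;
    out->endtime = lc->endtime;
    return 0;
}

/* Constructed sample standing in for gss_krb5_export_lucid_sec_context() output:
 * an acceptor-side CFX context with an aes256 subkey. Key bytes are a pattern, not key material. */
static uint8_t sample_key[32];

gss_krb5_lucid_context_v1_t sample_lucid(void) {
    for (int i = 0; i < 32; i++) sample_key[i] = (uint8_t)(0xa0 + i);
    gss_krb5_lucid_key_t k = { 18, 32, sample_key };   /* aes256-cts-hmac-sha1-96 */
    gss_krb5_lucid_context_v1_t lc = { 1, 0, 2000000000u, 7, 3, 1, { 0, 0, { 0, 0, NULL } }, { 1, k, k } };
    return lc;                                           /* endtime: May 2033 */
}

int main(void) {
    gss_krb5_lucid_context_v1_t lc = sample_lucid();
    struct kgss_handoff h;
    int rc = lucid_to_handoff(&lc, (uint32_t)time(NULL), &h);
    if (rc != 0) { printf("refused: %d\n", rc); return 1; }
    printf("cfx=%d enctype=%u keylen=%u send_seq=%llu\n",
           h.cfx, h.enctype, h.keylen, (unsigned long long)h.send_seq);
    return 0;
}
```

The checks are the point: with the lucid form the kernel can refuse an expired context, a token protocol or enctype it does not implement, or a key whose length does not match its enctype before it copies any key, and it never needs to know how MIT or Heimdal laid out the export token. Builds with `cc -std=c99` on any host; no KDC is involved.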