Thread: [Perlgssapi-users] Client/Server Question
From: Tuc at T-B-O-H.N. <ml...@t-...> - 2006-09-21 02:39:55
Hi,

I don't know if I'm WAY WAY WAY off, but let's see. :)

I'm trying to write a perl program to replace a Windows based program using SSPI. I was under the impression that GSSAPI could be used to handle SSPI transactions somehow.

I first decided to take the gss-server.pl in the example directory and use it as a starter. I started it on port 2068 and started my application. It seemed to die, so I made a few mods to the server, mostly not to print anything if what's read from the socket is empty, and then when it does contain something, not to decode it. It looks like:

    print "SERVER::accepted connection from client ...\n";
    my $gss_input_token = <$client_socket>;
    if (length($gss_input_token) ) {
        print "SERVER::received token - Before $gss_input_token\n";
        # $gss_input_token = decode_base64($gss_input_token);
        # print "SERVER::received token - After $gss_input_token\n";
        print "SERVER::received token (length is " . length($gss_input_token) . "):\n";
        my $status = GSSAPI::Context::accept( $server_context,
                                              GSS_C_NO_CREDENTIAL,
                                              $gss_input_token,
                                              GSS_C_NO_CHANNEL_BINDINGS,
                                              my $gss_client_name,
                                              my $out_mech,
                                              my $gss_output_token,
                                              my $out_flags,
                                              my $out_time,
                                              my $gss_delegated_cred);

When I run it, it outputs:

    ./gss-server.pl: -name not specified, using hostname result [SOME.t-b-o-h.net]
    ./gss-server.pl: using [SOME.t-b-o-h.net:2068]
    SERVER set environment variable KRB5_KTNAME to FILE:/etc/krb5.keytab
    Listening on port 2068 ...
    SERVER::waiting for request ...
    SERVER::accepted connection from client ...
    Use of uninitialized value in length at ./gss-server.pl line 79.
    SERVER::waiting for request ...
    SERVER::accepted connection from client ...
    SERVER::received token - Before NT8NTLMSSP=A21 ((
    SERVER::received token (length is 47):
    Unable to accept security context:
    MAJOR:: A token was invalid
    MINOR::Unknown error: 0
    Segmentation fault (core dumped)

I went back to the original server and started it the same way, then used the client from the examples directory.

I invoked:

    ./gss-client.pl -hostname=SOME.t-b-o-h.net -prodid=test -port=2068

CLIENT:

    ./gss-client.pl: using [te...@SO...:2068]
    CLIENT::principal [te...@SO...] means going to communicate with server name [test/SOM...@T-...]
    Use of uninitialized value in subroutine entry at ./gss-client.pl line 88.
    CLIENT::Unable to initialize security context:
    MAJOR:: Miscellaneous failure (see text)
    MINOR::open(/tmp/krb5cc_0): No such file or directory

SERVER:

    asgard# ./gss-serveroriginal.pl --keytabfile=/etc/krb5.keytab --port=2068
    ./gss-serveroriginal.pl: -name not specified, using hostname result [SOME.t-b-o-h.net]
    ./gss-serveroriginal.pl: using [SOME.t-b-o-h.net:2068]
    SERVER set environment variable KRB5_KTNAME to FILE:/etc/krb5.keytab
    Listening on port 2068 ...
    SERVER::waiting for request ...
    SERVER::accepted connection from client ...
    Use of uninitialized value in subroutine entry at ./gss-serveroriginal.pl line 78.
    SERVER::received token (length is 0):
    SERVER::waiting for request ...

Should the client/server pair work properly? Is there anyone that might have an idea why it's also coring?

Thanks, Tuc
From: Achim G. <ac...@gr...> - 2006-09-21 09:14:58
> Should the client/server pair work properly? Is there anyone
> that might have an idea why it's also coring?

1. SSPI is the Win32 API to the Windows Authentication system. SSPI is able to deal with the GSSAPI protocol, Kerberos5 over GSSAPI (the protocol) for example. GSSAPI.pm is not an interface to SSPI. GSSAPI.pm is an interface to GSSAPI (the C-interface, RFC 2744). Maybe in future I am going to write a Perl wrapper to the Win32 API SSPI to make Perl scripts on Windows use the SSPI directly. As a workaround you can build GSSAPI.pm against MIT Kerberos for Windows.

2. Can you use the versions from the Subversion repository http://sourceforge.net/projects/perlgssapi/ (I've added workarounds to the client/server scripts).

3. GSSAPI.pm has a bug (I have added it). To avoid it you can use a quick workaround and change all lines of type

    my $out_mech,

to undef in your code. Example:

    my $status = GSSAPI::Context::accept( $server_context,
                                          GSS_C_NO_CREDENTIAL,
                                          $gss_input_token,
                                          GSS_C_NO_CHANNEL_BINDINGS,
                                          my $gss_client_name,
                                          undef,
                                          my $gss_output_token,
                                          my $out_flags,
                                          my $out_time,
                                          my $gss_delegated_cred);

Let me know what happens then and let me know the output.

Achim
From: Massimiliano M. <mas...@ce...> - 2006-10-05 09:03:16
Hi!

Now I've some clear ideas on my mind. I think you remember my webservice problems.

Now I know what SPNEGO stands for. It is an extension of the HTTP that creates some TCP connection for having mutual authentication BEFORE the GET. Am I wrong?

Now, since I cannot have mutual authentication because I'm in a webservice, and I would like to reach this auth in some way, I think I'll study SPNEGO.

But, for now, my problem is: I've the token for my service. If I resend the token to the kerberos, this token has the same nonce, so the KDC finds the Replay Attack. If I can create a nonce=nonce+1, everything should be OK. How can I?

(I hope you'll remember my problem, otherwise I can explain ... let me know)

Thanks!

-- 
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-10-05 17:07:27
On Thursday 05 October 2006 11:03, you wrote:
> Hi!
>
> Now I've some clear ideas on my mind.
>
> I think you remember my webservice problems.
>
> Now I know what SPNEGO stands for. It is an extension of the
> HTTP that creates some TCP connection for having mutual
> authentication BEFORE the GET. Am I wrong?

You are wrong.

- SPNEGO is a GSSAPI mechanism, designed to do negotiation of which GSSAPI mechanism to choose.
- <http://www.kerberosprotocols.org/index.php/Draft-brezak-spnego-http-03.txt> describes how GSSAPI authentication is used in HTTP authentication.

Achim
From: Massimiliano M. <mas...@ce...> - 2006-10-05 14:17:26
Hi,

Maybe I've found a solution (with some help). Doesn't matter which transport layer we're using. My problem is how to maintain a state.

So, I can create the context, and receive in the client the mutual token. The server, before returning the mutual token and dropping the connection, simply stores the temporary key on its disk in a hash, where the key of the hash can be a random number used as a cookie. The client, at the second SOAP message, sends the session key and this cookie. The server loads the key and can use GSS_wrap() and GSS_unwrap() for the following messages.

Is it right?

But. What happens if someone replays the second message? I need to use an anonymous https connection... Mmmmm.

Any hints?

-- 
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-10-05 17:19:12
On Thursday 05 October 2006 16:17, Massimiliano Masi wrote:
> Hi,
>
> Maybe I've found a solution (with some help). Doesn't matter which
> transport layer we're using. My problem is how to maintain a state.
>
> So, I can create the context, and receive in the client the
> mutual token. The server, before returning the mutual token,

I do not understand why you want to use mutual authentication (round trip of tokens). If the server's identity is ensured by HTTPS, you don't need mutual auth, you only need simple authentication (only one SOAP message).

I do not understand why you need mutual auth.

Achim
From: Massimiliano M. <mas...@ce...> - 2006-10-06 09:41:42
Hi,

On Thursday 05 October 2006, alle 19:19, Achim Grolms wrote:
> I do not understand why you want to use mutual authentication
> (round trip of tokens).

Because for now I'm in HTTPS, but I would like to remove the HTTPS. This is because I've some problem accessing the CA for validating the message.

I was thinking: don't care about the transportation level. Every message is sent from the client to the server with SOAP messages. The only thing that I've to do is to maintain a session between the client and the server, for example a unique ID used by the server for retrieving the session key.

But, how?

Thanks

-- 
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-10-06 11:36:13
On Friday 06 October 2006 11:41, Massimiliano Masi wrote:
> I was thinking: don't care about the transportation level.
> Every message is sent from the client to the server
> with SOAP messages. The only thing that I've to do
> is to maintain a session between the client and the server,
> for example a unique ID used by the server for retrieving the
> session key.
>
> But, how?

Bookkeeping.

Achim
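The "bookkeeping" answer above and the cookie-keyed session design proposed two messages earlier, spelled out as an added Perl example. This is not code from the thread or from GSSAPI.pm: the server keeps, per random cookie, the key it obtained when the context was established together with the highest sequence number it has accepted, so the replayed second message that was asked about is recognised and rejected. GSS_wrap()/GSS_unwrap() are replaced by an HMAC-SHA256 tag over "sequence number + body" so the script runs with core modules only; the key stays on both ends and only the cookie travels with each message (a design choice of this example, not of the thread). With a real GSSAPI context established with the RFC 2743 replay and sequence detection flags, gss_unwrap() reports a replayed or out-of-order token itself (GSS_S_DUPLICATE_TOKEN, GSS_S_UNSEQ_TOKEN), but the per-cookie table that maps a stateless request back to its context is still the server's job.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from GSSAPI.pm.
# Session bookkeeping for a stateless transport (one SOAP message per HTTP
# request): the server keeps, per session cookie, the key it obtained when
# the GSSAPI context was established and the highest sequence number it has
# accepted, so a replayed message is recognised and dropped.
# GSS_wrap()/GSS_unwrap() are replaced by an HMAC-SHA256 tag over
# "<seq>\n<body>"; that is a stand-in to keep the example self-contained.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my %sessions;   # cookie => { key => session key, seq => last accepted seq }

# Fresh random cookie from /dev/urandom (assumes a Unix-like system).
sub new_cookie {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack('H*', $bytes);
}

# Server side, called once after GSSAPI::Context::accept() has completed:
# remember the key under a cookie and return the cookie to the client.
sub open_session {
    my ($session_key) = @_;
    my $cookie = new_cookie();
    $sessions{$cookie} = { key => $session_key, seq => 0 };
    return $cookie;
}

# Client side: tag the next message. The sequence number is bound into the
# tag, so neither the body nor the counter can be altered in transit.
sub seal_message {
    my ($key, $seq, $body) = @_;
    return hmac_sha256_hex("$seq\n$body", $key);
}

# Server side: look up the session, check the tag, then the sequence number.
# Returns (1, body) on success, (0, reason) on rejection.
sub receive_message {
    my ($cookie, $seq, $body, $tag) = @_;
    my $s = $sessions{$cookie} or return (0, 'unknown session cookie');
    my $expected = hmac_sha256_hex("$seq\n$body", $s->{key});
    # A constant-time comparison is preferable here; 'eq' keeps the demo short.
    return (0, 'integrity check failed') unless $expected eq $tag;
    return (0, "replay: seq $seq already accepted") unless $seq > $s->{seq};
    $s->{seq} = $seq;       # bookkeeping: advance the accepted window
    return (1, $body);
}

# Demo: one session, a valid message, its replay, a later message, and a
# message whose body was altered after sealing. Key and bodies are constructed.
my $key    = 'demo-session-key';   # in practice derived from the GSSAPI context
my $cookie = open_session($key);

my @msgs = (
    [1, 'first request',    seal_message($key, 1, 'first request')],
    [1, 'first request',    seal_message($key, 1, 'first request')],   # replayed
    [2, 'second request',   seal_message($key, 2, 'second request')],
    [3, 'TAMPERED request', seal_message($key, 3, 'third request')],   # body altered
);
for my $m (@msgs) {
    my ($ok, $info) = receive_message($cookie, @$m);
    printf "seq %d: %s\n", $m->[0], $ok ? "accepted '$info'" : "rejected ($info)";
}
```

The tag is checked before the sequence number so that an unauthenticated message can never advance the counter; the counter is only moved once the message has been proven to come from the holder of the session key. Persisting %sessions to disk, as the earlier message suggests, changes nothing in this logic, only where the table lives.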