On 08/28/2015 06:25 PM, l(a)avc.su wrote:
Hello.
I've configured domain membership for one Linux server, and now I'm
trying to understand one thing. I can't figure out how SASL-GSSAPI
encrypts LDAP requests and GC interactions. As far as I understood
Kerberos, it's a protocol solely for authentication, and SASL-GSSAPI
gives it the ability to encrypt all data transactions between
authenticated hosts. But this encryption is not mandatory.
I've done several queries via 'id' utility to generate traffic, and
captured it. All I can see is LDAP traffic to 389/tcp and 3268/tcp,
which is encrypted. I can decrypt it by loading host's keytab to
Wireshark.
We've disabled anonymous and insecure binds (without integrity
checking or SSL/TLS encryption) in AD, and didn't adjust the minssf/maxssf
parameters on Linux. As far as I understood, AD does not require
whole-session encryption, and neither does Linux.
All authentication is done in SSSD (authconfig --enablesssd
--enablesssdauth).
To summarize: I want to understand why SASL-GSSAPI encrypts the whole
connection and not just the auth phase, so I can be sure that one day
all connections won't appear in plaintext on the network.
If I had more experience in programming, I could have found the answer in
the source code (all hail to open source) to fulfill my curiosity, but
unfortunately I can't do that, so I'll appreciate any help/hints/links
on the topic.
Kind regards.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
GSSAPI supports both authentication and encryption. It is a part of the
standard.
Please check GSSAPI documentation for more details.
It is unfortunate that not many people use this encryption capability
and know about it.
Leveraging this encryption for the whole session allows avoiding the use of
TLS for session confidentiality, which requires additional overhead
in dealing with certificates when there is really no need to do so.
As it is a part of the standard, I do not see a reason why suddenly your
traffic would ever become plain text.
--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
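The mechanism behind the answer above, as an added example that is not part of this thread: once the Kerberos context is established, SASL/GSSAPI (RFC 4752) exchanges one more token in which the server offers a bitmask of security layers (none, integrity, confidentiality) and the client picks one, and from then on every LDAP PDU on the connection is GSS-wrapped with the session key, which is why loading the keytab into Wireshark decrypts it. The Python below models the client side of that exchange against the minssf/maxssf window (the values sssd.conf sets via ldap_sasl_minssf/ldap_sasl_maxssf); the SSF strength of 56 assigned to the confidentiality layer and the sample server token are assumptions for illustration.

```python
# RFC 4752 security-layer bits: the server offers a mask, the client picks exactly one bit
LAYER_NONE = 0x01
LAYER_INTEGRITY = 0x02
LAYER_CONFIDENTIALITY = 0x04

# Simplified SSF model (assumption): integrity counts as 1, confidentiality as the
# mechanism's advertised strength; real SASL plugins derive this from the Kerberos key type.
CONF_SSF = 56


def parse_layer_token(token: bytes):
    """Decode the post-handshake token: 1 byte layer mask, 3 bytes max buffer, optional authzid.
    Only the client's reply may carry an authzid; a server token is exactly 4 bytes."""
    if len(token) < 4:
        raise ValueError("security-layer token must be at least 4 bytes")
    mask = token[0]
    max_buf = int.from_bytes(token[1:4], "big")
    authzid = token[4:].decode("utf-8")
    return mask, max_buf, authzid


def build_layer_token(layer: int, max_buf: int, authzid: str = "") -> bytes:
    """Encode the client's reply in the same 4-byte layout (plus optional authzid)."""
    return bytes([layer]) + max_buf.to_bytes(3, "big") + authzid.encode("utf-8")


def choose_layer(offered_mask: int, min_ssf: int, max_ssf: int) -> int:
    """Pick the strongest layer the server offers that fits the client's [min_ssf, max_ssf] window.
    An unsatisfiable window aborts the bind rather than silently falling back to plaintext,
    which is exactly the guarantee a non-zero minssf gives the administrator."""
    if offered_mask & LAYER_CONFIDENTIALITY and min_ssf <= CONF_SSF <= max_ssf:
        return LAYER_CONFIDENTIALITY
    if offered_mask & LAYER_INTEGRITY and min_ssf <= 1 <= max_ssf:
        return LAYER_INTEGRITY
    if offered_mask & LAYER_NONE and min_ssf == 0:
        return LAYER_NONE
    raise RuntimeError(f"no acceptable security layer: server offers 0x{offered_mask:02x}, "
                       f"client requires SSF {min_ssf}..{max_ssf}")


def negotiate(server_token: bytes, min_ssf: int, max_ssf: int, client_max_buf: int = 0xFFFF):
    """Run the client side of the RFC 4752 layer negotiation; returns (layer, reply token)."""
    mask, _server_max_buf, _ = parse_layer_token(server_token)
    layer = choose_layer(mask, min_ssf, max_ssf)
    # RFC 4752: with no security layer the advertised max buffer MUST be 0
    max_buf = 0 if layer == LAYER_NONE else client_max_buf
    return layer, build_layer_token(layer, max_buf)


if __name__ == "__main__":
    SERVER_TOKEN = b"\x07\x00\xff\xff"  # constructed: all three layers offered, 65535-byte buffer
    print(negotiate(SERVER_TOKEN, min_ssf=56, max_ssf=256))  # confidentiality: session stays wrapped
    print(negotiate(SERVER_TOKEN, min_ssf=0, max_ssf=0))     # minssf/maxssf 0: plaintext after bind
```

The second call shows the only way the traffic ends up in plaintext: the client itself must allow SSF 0, which the default sssd.conf settings do not.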