
krb5_child couldn't parse pkcs11 objects if token label contains semicolon #7746

Open
lo1ol opened this issue Dec 5, 2024 · 4 comments · May be fixed by #7748

Comments

@lo1ol
Contributor

lo1ol commented Dec 5, 2024

Hi!

I think it could be dangerous too. If the token label contains a semicolon, then krb5_child stops reading token objects properly. I think it could be a backdoor, because we can pass any pkcs11 lib in this name. Also, I'm not sure what could happen if a semicolon is in other object id parts, for example in the object label.

Example:

Token name: Token label: Rutoken ECP <no label> pkcs11:mo

Got this in log:
krb5_child.log

(2024-12-05 13:32:53): [krb5_child[302]] [get_pkinit_identity] (0x4000): [RID#5] Got [Rutoken ECP <no label> pkcs11:mo][/opt/aktivco/rtlogon/lib/librtpkcs11ecp.so].
(2024-12-05 13:32:53): [krb5_child[302]] [get_pkinit_identity] (0x4000): [RID#5] Using pkinit identity [PKCS11:module_name=/opt/aktivco/rtlogon/lib/librtpkcs11ecp.so:token=Rutoken ECP <no label> pkcs11:mo:certid=E3E9990F108258E7:certlabel=e3e9990f108258e7].
...

(2024-12-05 13:32:53): [krb5_child[302]] [sss_child_krb5_trace_cb] (0x4000): [RID#5] [302] 1733405573.318464: PKINIT loading identity PKCS11:module_name=/opt/aktivco/rtlogon/lib/librtpkcs11ecp.so:token=Rutoken ECP <no label> pkcs11:mo:certid=E3E9990F108258E7:certlabel=e3e9990f108258e7

(2024-12-05 13:32:53): [krb5_child[302]] [sss_child_krb5_trace_cb] (0x4000): [RID#5] [302] 1733405573.318465: PKINIT opening PKCS#11 module "mo"

(2024-12-05 13:32:53): [krb5_child[302]] [sss_child_krb5_trace_cb] (0x4000): [RID#5] [302] 1733405573.318466: PKINIT PKCS#11 module open failed: unable to load plugin [mo]: mo: cannot open shared object file: No such file or directory

@lo1ol
Contributor Author

lo1ol commented Dec 5, 2024

Maybe it's a problem of krb5 or p11-kit. I haven't dived that deep into your code.

@sumit-bose
Contributor

Hi,

thank you for your report. It looks like libkrb5 does not support escaping the ':' character, so I will add a patch to error out if any of the inputs contains a ':'.

bye,
Sumit

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Dec 5, 2024
libkrb5 expects the Smartcard identifiers like token name or label in a
single string separated by ':'. If one of the identifiers contains a ':'
this breaks, and since libkrb5 currently does not support escaping of ':',
SSSD will ignore the Smartcard during its pre-auth step to determine
the available authentication methods and will error out if this happens
during the actual authentication step.

Resolves: SSSD#7746
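To make the failure mode and the fix concrete, here is an added example (not SSSD or libkrb5 code). It builds the PKINIT identity string from its parts and refuses any part containing ':', which is the check the fix described above adds, and it includes a simplified splitter that models how a ':'-separated parser ends up with a segment like "mo" and treats it as a module name. That splitter is an assumption modelled on what the log in this issue shows, not libkrb5's parser; the library path and token values are constructed.

```c
/* Added example (not SSSD or libkrb5 code).
 * PKINIT identities look like
 *   PKCS11:module_name=M:token=T:certid=I:certlabel=L
 * and libkrb5 offers no way to escape ':' inside a field, so any field
 * value containing ':' shifts the field boundaries. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the value may be embedded as a ':'-separated field. */
int pkinit_field_is_safe(const char *value)
{
    return value != NULL && strchr(value, ':') == NULL;
}

/* Build the identity string. Returns a malloc'd string, or NULL if any
 * part contains ':' (this is the guard the SSSD fix adds). Caller frees. */
char *build_pkinit_identity(const char *module, const char *token,
                            const char *certid, const char *certlabel)
{
    const char *parts[] = { module, token, certid, certlabel };
    size_t i, len;

    for (i = 0; i < 4; i++) {
        if (!pkinit_field_is_safe(parts[i]))
            return NULL;
    }
    len = strlen("PKCS11:module_name=:token=:certid=:certlabel=") + 1;
    for (i = 0; i < 4; i++)
        len += strlen(parts[i]);

    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    snprintf(out, len, "PKCS11:module_name=%s:token=%s:certid=%s:certlabel=%s",
             module, token, certid, certlabel);
    return out;
}

static void copy_segment(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (dstlen == 0)
        return;
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Simplified model of a ':'-splitting identity parser (assumption based on
 * the log: a segment without '=' is taken as the module name to load).
 * Writes the module name that would be loaded into module_out and returns
 * the number of segments after the "PKCS11" prefix. */
int parse_module_name(const char *identity, char *module_out, size_t outlen)
{
    int count = 0;
    const char *p = strchr(identity, ':');   /* skip the "PKCS11" prefix */

    if (outlen > 0)
        module_out[0] = '\0';
    if (p == NULL)
        return 0;
    p++;
    while (*p != '\0') {
        const char *end = strchr(p, ':');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        if (seglen > 0) {
            count++;
            if (memchr(p, '=', seglen) == NULL) {
                /* bare segment: treated as a module name, as "mo" was */
                copy_segment(module_out, outlen, p, seglen);
            } else if (seglen > 12 && strncmp(p, "module_name=", 12) == 0) {
                copy_segment(module_out, outlen, p + 12, seglen - 12);
            }
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return count;
}

int main(void)
{
    char mod[128];
    /* constructed values; the token label mirrors the one from the report */
    const char *bad = "Rutoken ECP <no label> pkcs11:mo";
    char *id = build_pkinit_identity("/lib/example.so", bad, "E3", "e3");
    printf("label with ':' -> %s\n", id == NULL ? "rejected" : id);
    free(id);

    id = build_pkinit_identity("/lib/example.so", "My Token", "E3", "e3");
    parse_module_name(id, mod, sizeof mod);
    printf("%s\nmodule loaded: %s\n", id, mod);
    free(id);
    return 0;
}
```

Rejecting the value is the right call here: the alternative, percent-encoding or quoting the label, would only help if libkrb5 knew how to undo it, which the thread confirms it does not.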
@lo1ol
Contributor Author

lo1ol commented Dec 6, 2024

Do I need to report a bug in krb5 repo, or will you do that?

@sumit-bose
Contributor

Do I need to report a bug in krb5 repo, or will you do that?

Hi,

I opened a ticket asking to at least document this limitation.

bye,
Sumit

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Dec 12, 2024
libkrb5 expects the Smartcard identifiers like token name or label in a
single string separated by ':'. If one of the identifiers contains a ':'
this breaks, and since libkrb5 currently does not support escaping of ':',
SSSD will ignore the Smartcard during its pre-auth step to determine
the available authentication methods and will error out if this happens
during the actual authentication step.

Resolves: SSSD#7746
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Dec 20, 2024
libkrb5 expects the Smartcard identifiers like token name or label in a
single string separated by ':'. If one of the identifiers contains a ':'
this breaks, and since libkrb5 currently does not support escaping of ':',
SSSD will ignore the Smartcard during its pre-auth step to determine
the available authentication methods and will error out if this happens
during the actual authentication step.

Resolves: SSSD#7746