
Bug#976156: marked as done (libapache-mod-auth-kerb probably shouldn't be released in its current form)



Your message dated Fri, 05 Apr 2024 17:27:47 +0000
with message-id <E1rsnLv-00Fr8g-I4@fasolo.debian.org>
and subject line Bug#1068262: Removed package(s) from unstable
has caused the Debian Bug report #976156,
regarding libapache-mod-auth-kerb probably shouldn't be released in its current form
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
976156: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976156
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: libapache-mod-auth-kerb
severity: serious
version: 5.4-2.4
tags: security
justification: unmaintained with security weaknesses

Hi.  As part of a recent krb5 transition, I took a look at
libapache-mod-auth-kerb.
As part of that transition, libapache-mod-auth-kerb was removed from
testing.
I think that in its current state, that's a good idea.
So I'm opening a serious bug as Kerberos maintainer, questioning whether
libapache-mod-auth-kerb uses Kerberos securely.
If someone is going to step up and agree to spend real time maintaining
libapache-mod-auth-kerb, and they choose to downgrade this bug, I have
no objection.
What I don't want to see happen is the package continue to be vaguely
unmaintained and be released in its current form.

There are better replacements for this package already in Debian.
My recommendation would be that for spnego authentication use
libapache2-mod-auth-gssapi.
For basic authentication use PAM and libpam-krb5 or libpam-sss.

The two biggest security issues I see are:

1) Vulnerable to dictionary attacks because of old Kerberos API usage.
Kerberos as designed is vulnerable to dictionary attacks.  There is a
mechanism called timestamp (or encrypted challenge) preauthentication in
which the client rather than the KDC produces the attackable quantity.
That way, you need to observe an exchange with a legitimate user in
order to attack a password.
libapache-mod-auth-kerb supports that.
However if you can observe exchanges between the webserver and KDC, you
can attack the passwords.

Modern Kerberos has a facility called FAST that prevents this type of
dictionary attack by encrypting the entire Kerberos exchange.
Libapache-mod-auth-kerb does not support FAST because it does not use
the right APIs to provide an armour ticket to the Kerberos library.

2) Rather than using the verify_init_creds API within the Kerberos
library, libapache-mod-auth-kerb open-codes its own initial credentials
verification API based on old code extracted from the Kerberos library.
I am concerned that this code may have been improved and enhanced in
security relevant ways in the many years since it was extracted.
I'd recommend this be audited.

3) Replay cache usage.  The code currently doesn't provide a replay
cache for SPNEGO tokens.
I am not sure this is a good idea, and comments in the code indicate it
is a security problem.
It's a bit tricky.  It's quite possibly the case that replay caches are
not needed provided that TLS is used for the HTTP connection, and that
the cost of replay caches is too high.

I think this should be audited, and either the comments in the code
explaining that not using replay caches is a security problem replaced
with an explanation of why they are not (or the replay cache turned on).
The bugs in MIT Kerberos 1.3 that made replay caches problematic are not
an issue in 2020.

Again, I'm happy if someone steps up to spend significant effort
modernizing and maintaining the package and wants to downgrade this bug.
Be aware that you probably end up becoming upstream as well.



--- End Message ---
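Point 3 of the report above argues about the cost of a replay cache for SPNEGO tokens. As an added example (not code from libapache-mod-auth-kerb or from the bug report), here is a minimal in-memory replay cache whose entries only live for the Kerberos clock-skew window, which is what keeps its cost bounded. The token layout, the FNV-1a key, the 64-entry capacity and the 300-second skew are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <time.h>

/* Illustrative in-memory replay cache for SPNEGO/GSSAPI authenticators
 * (added example, not mod_auth_kerb code). An entry only needs to live
 * for the Kerberos clock-skew window: a token older than that is rejected
 * as stale anyway, so the cache stays bounded in memory. */
#define RC_SKEW     300   /* seconds; assumed, matches the MIT krb5 default */
#define RC_CAPACITY 64    /* constructed small capacity for the demo */

enum rc_result { RC_OK = 0, RC_REPLAY = 1, RC_STALE = 2, RC_FULL = 3 };

struct rc_entry { uint64_t hash; size_t len; time_t seen; };
struct rcache   { struct rc_entry e[RC_CAPACITY]; size_t n; };

/* FNV-1a over the raw token bytes. A production cache would key on the
 * authenticator's client, server, ctime and cusec fields instead; hashing
 * the whole token is an assumption that keeps the demo self-contained. */
static uint64_t rc_hash(const unsigned char *p, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Drop entries whose token timestamp has left the skew window. */
static void rc_expire(struct rcache *rc, time_t now) {
    size_t keep = 0;
    for (size_t i = 0; i < rc->n; i++)
        if (now - rc->e[i].seen <= RC_SKEW) rc->e[keep++] = rc->e[i];
    rc->n = keep;
}

/* tok_time is the timestamp carried inside the authenticator, now is the
 * server clock. First sight within the window returns RC_OK and records
 * the token; a second sight returns RC_REPLAY. */
enum rc_result rc_check(struct rcache *rc, const unsigned char *tok,
                        size_t len, time_t tok_time, time_t now) {
    if (tok_time > now + RC_SKEW || tok_time < now - RC_SKEW) return RC_STALE;
    rc_expire(rc, now);
    uint64_t h = rc_hash(tok, len);
    for (size_t i = 0; i < rc->n; i++)
        if (rc->e[i].hash == h && rc->e[i].len == len) return RC_REPLAY;
    if (rc->n == RC_CAPACITY) return RC_FULL;  /* fail closed, never open */
    rc->e[rc->n].hash = h; rc->e[rc->n].len = len; rc->e[rc->n].seen = tok_time;
    rc->n++;
    return RC_OK;
}
```

Because a token outside the skew window is rejected before the cache is consulted, the cache never needs to remember more than one window's worth of accepted tokens, regardless of whether it is kept in memory or on disk.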
--- Begin Message ---
Version: 5.4-3+rm

Dear submitter,

as the package libapache-mod-auth-kerb has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1068262

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---
