Bug#644271: iceweasel: krb5 negotiation relies on dns to normalize GSS requests
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Oct 4 17:05:32 UTC 2011
Package: iceweasel
Version: 7.0.1-1
Severity: normal
I'm connecting to a web server at foo.example.org which uses Negotiate
HTTP authentication (SPNEGO/GSSAPI/krb5). The reverse dns lookup for
the server's IP address is bar.example.org.
.example.org is listed in the iceweasel profile's
network.negotiate-auth.trusted-uris setting.
Iceweasel (or the underlying gss libs?) appears to use a reverse DNS
lookup to normalize foo.example.org to bar.example.org, so that the
krb5 ticket fetched is for HTTP/bar.example.org, even though I'm
connecting to https://foo.example.org ("...foo..." is displayed in the URL
bar, and bar is never displayed to the user anywhere).
This seems problematic -- poisoned DNS could effectively cause the
user to authenticate to a service without their knowledge.
FWIW, the analogous dns-canonicalization when using GSSAPI in debian's
OpenSSH is turned off by default. From ssh_config(5):
GSSAPITrustDns
        Set to "yes" to indicate that the DNS is trusted to securely
        canonicalize the name of the host being connected to. If "no",
        the hostname entered on the command line will be passed
        untouched to the GSSAPI library. The default is "no". This
        option only applies to protocol version 2 connections using
        GSSAPI.
Perhaps iceweasel should follow OpenSSH's lead here?
If you think this bug belongs somewhere lower in the stack than
iceweasel, feel free to re-assign of course.
Thanks for all your work on iceweasel and friends in debian. It's
much appreciated.
Regards,
--dkg
-- Package-specific info:
-- Addons package information
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 4.0.2
ii fontconfig 2.8.0-3
ii libc6 2.13-21
ii libgcc1 1:4.6.1-4
ii libgdk-pixbuf2.0-0 2.24.0-1
ii libglib2.0-0 2.28.6-1
ii libgtk2.0-0 2.24.4-3
ii libnspr4-0d 4.8.9-1
ii libstdc++6 4.6.1-4
ii procps 1:3.2.8-11
ii xulrunner-7.0 7.0.1-1
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
ii libgssapi-krb5-2 1.9.1+dfsg-1
ii mozplugger <none>
ii ttf-lyx 2.0.1-1
ii ttf-mathematica4.1 <none>
ii xfonts-mathml 4
Versions of packages xulrunner-7.0 depends on:
ii libasound2 1.0.24.1-4
ii libatk1.0-0 2.0.1-2
ii libbz2-1.0 1.0.5-7
ii libc6 2.13-21
ii libcairo2 1.10.2-6.1
ii libdbus-1-3 1.4.16-1
ii libevent-1.4-2 1.4.14b-stable-1
ii libfontconfig1 2.8.0-3
ii libfreetype6 2.4.6-2
ii libgcc1 1:4.6.1-4
ii libgdk-pixbuf2.0-0 2.24.0-1
ii libglib2.0-0 2.28.6-1
ii libgtk2.0-0 2.24.4-3
ii libhunspell-1.2-0 1.2.14-4
ii libjpeg8 8c-2
ii libmozjs7d 7.0.1-1
ii libnspr4-0d 4.8.9-1
ii libnss3-1d 3.12.11-3
ii libpango1.0-0 1.28.4-3
ii libpixman-1-0 0.22.2-1
ii libreadline6 6.2-4
ii libsqlite3-0 3.7.7-2
ii libstartup-notification0 0.12-1
ii libstdc++6 4.6.1-4
ii libvpx0 0.9.7.p1-1
ii libx11-6 2:1.4.4-2
ii libxext6 2:1.3.0-3
ii libxrender1 1:0.9.6-2
ii libxt6 1:1.1.1-2
ii zlib1g 1:1.2.3.4.dfsg-3
Versions of packages xulrunner-7.0 suggests:
ii libcanberra0 0.28-1
ii libdbus-glib-1-2 0.94-4
ii libgconf2-4 2.32.4-1
ii libgnomeui-0 2.24.5-2
ii libgnomevfs2-0 1:2.24.4-1
ii libnotify4 0.7.4-1
-- no debconf information
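The behaviour the report describes, modelled in code (an added illustration, not Iceweasel, xulrunner or MIT krb5 code): the trusted-uris check runs against the hostname in the URL, but when the hostname is canonicalized through a reverse lookup the service principal actually requested comes from whatever the PTR record says. The A and PTR records, the hostnames and the "poisoned" resolver are constructed for the example; the trusted-uris matching is a simplified model of the documented setting (entries starting with "." match as a domain suffix, anything else must match exactly), and the rDNS step is a model of the canonicalization the report observes, not a reimplementation of either library.

```python
"""Model: how DNS canonicalization changes the Kerberos service
principal a browser asks the KDC for.  Added illustration for the bug
report above; not Iceweasel or MIT krb5 code.  All DNS data below is
constructed."""

# Constructed forward and reverse records (assumption: foo and bar share
# one address, and the honest PTR for that address names bar).
A_RECORDS = {
    "foo.example.org": "192.0.2.10",
    "bar.example.org": "192.0.2.10",
}
PTR_RECORDS = {
    "192.0.2.10": "bar.example.org",
}


def canonical_host(host, a_records, ptr_records, trust_dns):
    """Host part of the service principal.

    trust_dns=False: use the name as typed (OpenSSH GSSAPITrustDns=no).
    trust_dns=True: forward-resolve the typed name, then replace it with
    the PTR name for the resulting address, which is the canonicalization
    the report observes."""
    host = host.lower()
    if not trust_dns:
        return host
    addr = a_records.get(host)
    if addr is None:
        raise LookupError("no A record for %s" % host)
    # Fall back to the typed name only if there is no PTR at all.
    return ptr_records.get(addr, host).lower()


def service_principal(host, a_records, ptr_records, trust_dns):
    """HTTP/<canonical host>; realm omitted in this model."""
    return "HTTP/" + canonical_host(host, a_records, ptr_records, trust_dns)


def host_is_trusted(host, trusted_uris):
    """Simplified model of network.negotiate-auth.trusted-uris matching:
    comma-separated entries; an entry beginning with '.' is a domain
    suffix match, any other entry must equal the host exactly."""
    host = host.lower()
    for entry in trusted_uris.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def negotiate_decision(url_host, trusted_uris, a_records, ptr_records,
                       trust_dns):
    """None if Negotiate is never offered for url_host; otherwise the
    principal the client would request a ticket for.  Note the check is
    on url_host while the principal may name a different host."""
    if not host_is_trusted(url_host, trusted_uris):
        return None
    return service_principal(url_host, a_records, ptr_records, trust_dns)


if __name__ == "__main__":
    trusted = ".example.org"
    # Name as typed: HTTP/foo.example.org
    print(negotiate_decision("foo.example.org", trusted,
                             A_RECORDS, PTR_RECORDS, False))
    # Honest rDNS: HTTP/bar.example.org, never shown to the user
    print(negotiate_decision("foo.example.org", trusted,
                             A_RECORDS, PTR_RECORDS, True))
    # Constructed poisoned PTR pointing outside the trusted domain: the
    # trust check on foo still passes, but the ticket requested is for
    # a host that was never listed in trusted-uris.
    poisoned = {"192.0.2.10": "evil.example.net"}
    print(negotiate_decision("foo.example.org", trusted,
                             A_RECORDS, poisoned, True))
```

The last case is the one worth checking on a real system: with reverse canonicalization on, the only name the user ever saw (and the only one the trusted-uris check looked at) is foo, yet the principal handed to the KDC is chosen by whoever controls the PTR response. In MIT krb5 the reverse-lookup step corresponds to the rdns option in the [libdefaults] section of krb5.conf, which defaults to true; setting rdns = false makes the library behave like the trust_dns=False branch above, the same default OpenSSH chose for GSSAPITrustDns.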