[ 
https://issues.apache.org/jira/browse/HADOOP-15896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16673610#comment-16673610
 ] 

Daryn Sharp commented on HADOOP-15896:
--------------------------------------

You seriously need to google "kerberos replay attack".

> Refine Kerberos based AuthenticationHandler to check proxyuser ACL
> ------------------------------------------------------------------
>
>                 Key: HADOOP-15896
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15896
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Eric Yang
>            Assignee: Larry McCay
>            Priority: Major
>
> JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, 
> and the authentication method in KerberosAuthenticationHandler basically does this:
>  {code}
> // The token is built from the short name only; the instance (host)
> // component of the principal is never compared with anything.
> String clientPrincipal = gssContext.getSrcName().toString();
> KerberosName kerberosName = new KerberosName(clientPrincipal);
> String userName = kerberosName.getShortName();
> token = new AuthenticationToken(userName, clientPrincipal, getType());
> response.setStatus(HttpServletResponse.SC_OK);
> LOG.trace("SPNEGO completed for client principal [{}]",
>     clientPrincipal);
> {code}
> It obtains the short name of the client principal and responds OK.  This is 
> fine for verifying an end user.  However, in the proxy user case (Knox), this 
> authentication is insufficient because the Knox principal name is: 
> knox/host1.example....@example.com . KerberosAuthenticationHandler will 
> gladly confirm that knox is knox, even if 
> knox/host1.example....@example.com is used from the botnet.rogueresearchlab.tld 
> host.  KerberosAuthenticationHandler may not need to change if it has no plan 
> to support proxying and ignores the instance name of the Kerberos principal.  
> JWTRedirectAuthenticationHandler, however, is designed for the proxy use case.  
> It should check that the remote host matches the clientPrincipal instance name; 
> without this check, it makes Kerberos vulnerable.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
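The host check the issue asks for, written out as an added example. This is
not Hadoop's or Knox's code: the class, its method names and the sample
principal knox/host1.example.com@EXAMPLE.COM are constructed for the
illustration, and the remote host is passed in as a string where a servlet
handler would obtain it from the request (for example by reverse-resolving
HttpServletRequest.getRemoteAddr()). It parses the full principal instead of
stopping at the short name, and grants proxy status only to a two-part
service principal whose instance equals the requesting host.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not project code: bind a Kerberos service principal to the
 * host a request arrives from. A principal has the form
 * primary[/instance]@REALM; for a service keytab the instance is the host
 * the key was issued for, which is exactly the part the handler on the page
 * discards when it keeps only the short name.
 */
public class ProxyPrincipalHostCheck {

    /** primary, optional /instance, @REALM. Multi-component instances and
     *  backslash escapes are out of scope for this example. */
    private static final Pattern PRINCIPAL =
        Pattern.compile("^([^/@]+)(?:/([^/@]+))?@([^/@]+)$");

    /** Components of a parsed principal name. */
    public static final class ParsedPrincipal {
        public final String primary;
        public final String instance;   // null for a one-part (end user) principal
        public final String realm;

        ParsedPrincipal(String primary, String instance, String realm) {
            this.primary = primary;
            this.instance = instance;
            this.realm = realm;
        }

        /** What the page's handler ends up with: the primary component alone. */
        public String shortName() {
            return primary;
        }
    }

    public static ParsedPrincipal parse(String name) {
        Matcher m = PRINCIPAL.matcher(name);
        if (!m.matches()) {
            throw new IllegalArgumentException("malformed principal: " + name);
        }
        return new ParsedPrincipal(m.group(1), m.group(2), m.group(3));
    }

    /** Canonical form for host comparison: lower-case, trailing dot removed. */
    static String canonicalHost(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    /**
     * The proposed check. A caller may act as a proxy only if its principal
     * is a two-part service principal and the instance names the host the
     * request came from. A one-part principal is an end user, never a proxy.
     */
    public static boolean mayActAsProxy(String clientPrincipal, String remoteHost) {
        ParsedPrincipal p = parse(clientPrincipal);
        if (p.instance == null || remoteHost == null || remoteHost.trim().isEmpty()) {
            return false;
        }
        return canonicalHost(p.instance).equals(canonicalHost(remoteHost));
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration (assumed names, not from the page).
        String knox = "knox/host1.example.com@EXAMPLE.COM";
        String user = "alice@EXAMPLE.COM";

        System.out.println("short name only: " + parse(knox).shortName());
        System.out.println("knox from host1.example.com: "
            + mayActAsProxy(knox, "host1.example.com"));
        System.out.println("knox from botnet.rogueresearchlab.tld: "
            + mayActAsProxy(knox, "botnet.rogueresearchlab.tld"));
        System.out.println("plain user from host1.example.com: "
            + mayActAsProxy(user, "host1.example.com"));
    }
}
```

The value of remoteHost is only as trustworthy as where it comes from: a
reverse DNS lookup of the peer address can be controlled by whoever controls
the reverse zone, and behind a load balancer the peer address is the
balancer's. The check therefore binds the principal to the network identity
the handler actually sees, and is a policy restriction on top of the SPNEGO
authentication, not a replacement for it.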
