pythongssapi / requests-gssapi

An authentication handler for using GSSAPI with Python Requests. Drop-in replacement for old requests-kerberos.

HTTPSPNEGOAuth does not use advertised mechanism in class name as GSS-API mech #41

Closed michael-o closed 2 years ago

michael-o commented 3 years ago

In the init method: https://github.com/pythongssapi/requests-gssapi/blob/74766a6ed1401eb8570ee7c5786cff25475edd4f/requests_gssapi/gssapi_.py#L110-L112 None is passed to the mech, which means MIT Kerberos/Heimdal decide, and that will almost always be Kerberos 5 and not SPNEGO.

This causes two problems:

  1. I believe this violates RFC 4178 section 3.2 a): "The GSS-API initiator invokes GSS_Init_sec_context() as normal, but requests that SPNEGO be used. SPNEGO can either be explicitly requested or accepted as the default mechanism." Since SPNEGO isn't the default mech in either GSS-API implementation, nor is SPNEGO passed as OID, it does not comply with this RFC.
  2. Not a SPNEGO token is sent, but a Kerberos 5 one; some GSS-API implementations choke on this token, e.g., Java GSS rejects it because it is not wrapped in a SPNEGO token as required by the RFC.

If using Java GSS on the target server, it always requires providing a custom value to this auth class to meet the above, which is expected to be the default. Other OSS implementations correctly pass a SPNEGO OID w/o a ctor param to modify it and work flawlessly, e.g., browsers, libcurl, libserf.

Willing to provide a PR for this. I am currently using this as an unnecessary workaround.

Question on SO: https://stackoverflow.com/q/57729499/696632 and there are numerous other reports on the internet.

michael-o commented 2 years ago

Sample exception from a JGSS acceptor:

2021-12-22T17:06:02.350 WARNUNG [https-openssl-apr-8444-exec-43] net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate The Negotiate (SPNEGO) authentication token is invalid: YIIM2gYJKoZIhvcSAQICAQBuggzJMIIMxaADAgEFoQMCAQ6iBwMFAA...0WW16gS+vSg
        GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
                at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
                at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:148)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:626)
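As an added example (not part of the issue or of requests-gssapi), the following Python decodes only the GSS-API InitialContextToken header (RFC 2743 section 3.1) of a Negotiate token to report which mechanism it advertises. Run against the token prefix copied from the JGSS warning above, it yields the bare Kerberos 5 OID the acceptor complained about; a constructed SPNEGO-wrapped token yields 1.3.6.1.5.5.2. The constant names and the minimal SPNEGO sample are this example's own.

```python
import base64

# Mechanism OIDs relevant to this issue: SPNEGO (RFC 4178), Kerberos 5 (RFC 1964)
# and the Microsoft Kerberos OID that Windows clients commonly offer inside SPNEGO.
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Microsoft Kerberos 5",
}
# Copied from the JGSS warning in the issue; truncated there, but only the header is parsed.
KRB5_TOKEN_PREFIX = "YIIM2gYJKoZIhvcSAQICAQBuggzJMIIMxaADAgEFoQMCAQ6iBwMFAA"
# Constructed, not captured: [APPLICATION 0] { SPNEGO OID, empty NegTokenInit }.
SPNEGO_TOKEN_B64 = base64.b64encode(
    b"\x60\x0c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x02\x30\x00").decode()

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _oid_to_dotted(raw):
    """Convert DER OID contents to dotted-decimal form."""
    if not raw:
        raise ValueError("empty OID")
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the sub-identifier
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))

def initial_token_mech(negotiate_b64):
    """Return the mech OID from a GSS-API InitialContextToken header (RFC 2743 3.1)."""
    tok = base64.b64decode(negotiate_b64 + "=" * (-len(negotiate_b64) % 4))
    if not tok or tok[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken ([APPLICATION 0])")
    _, pos = _der_length(tok, 1)
    if pos >= len(tok) or tok[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after the outer header")
    oid_len, pos = _der_length(tok, pos + 1)
    return _oid_to_dotted(tok[pos:pos + oid_len])
```

A token whose header is not SPNEGO is exactly what a strict acceptor such as JGSS rejects with "No credential found for: 1.2.840.113554.1.2.2", so this check distinguishes that client-side framing problem from a missing keytab on the server.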