pythongssapi / requests-gssapi

An authentication handler for using GSSAPI with Python Requests. Drop-in replacement for old requests-kerberos.

Implement DNS hostname canonicalization #50

Open steelman opened 9 months ago

steelman commented 9 months ago

Optionally resolve hostname via CNAME record to its canonical form (A or AAAA record). Optionally use reverse DNS query.

Such code is necessary on Windows platforms where SSPI (unlike MIT Kerberos[1]) does not implement such operation and it is applications' responsibility[2] to take care of CNAME resolution. However, the code seems universal enough to put it into the library rather than in every single program using requests_gssapi.

[1] https://github.com/krb5/krb5/blob/ec71ac1cabbb3926f8ffaf71e1ad007e4e56e0e5/src/lib/krb5/os/sn2princ.c#L99
[2] https://learn.microsoft.com/en-us/previous-versions/office/sharepoint-server-2010/gg502606(v=office.14)?redirectedfrom=MSDN#kerberos-authentication-and-dns-cnames

steelman commented 5 months ago

Ping?

simo5 commented 5 months ago

The reason why SSPI does not implement it is that it is unsafe, and can lead to MITM scenarios, especially with protocols like NTLMSSP.

I am not entirely sure we should provide this functionality from request-gssapi, because it is bound to be used without understanding opening up users of the application to bad surprises later.

I think at the very least these should not be common options provided in the function signature, and instead accessors you need to explicitly find and set individually after the HTTPSPNEGOAuth object has been instantiated.

ie:

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> gssapi_auth = HTTPSPNEGOAuth()
    >>> gssapi_auth.dns_canonicalize_hostname(True)
    >>> gssapi_auth.use_reverse_dns(True)
    >>> r = requests.get("http://example.org", auth=gssapi_auth)

This will discourage casual setting and each of the effects can be documented in a doc string for the accessor.

The doc string MUST contain warnings that describe why these options are BAD ideas, and point to the relevant security sections of the RFC for a full description.
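The canonicalization steelman describes in the first comment (follow the CNAME chain, optionally take the PTR name) and the reason simo5 wants it off by default can both be seen in a small model of the logic. The block below is an added example, not code from requests-gssapi or from either commenter; the function names, the `service@host` hostbased-service SPN form, and the in-memory zone are my assumptions. The resolver is injected so the example runs offline against a constructed zone instead of live DNS.

```python
"""Added example (not requests-gssapi code): SPN construction with optional
DNS hostname canonicalization, modelled against an injectable resolver."""
from typing import Callable, Dict, Optional, Tuple

# Constructed DNS zone standing in for a live resolver. Keys are
# (owner name, rrtype). CNAME values are target names, A values are
# addresses, PTR values are the names registered for an address.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], str] = {
    ("web.example.org", "CNAME"): "farm01.example.org",
    ("farm01.example.org", "A"): "192.0.2.10",
    ("192.0.2.10", "PTR"): "host10.example.org",
    # A CNAME loop, to show the chain walk is bounded.
    ("loop1.example.org", "CNAME"): "loop2.example.org",
    ("loop2.example.org", "CNAME"): "loop1.example.org",
}

# A resolver takes (name, rrtype) and returns the record data or None.
Resolver = Callable[[str, str], Optional[str]]

MAX_CNAME_DEPTH = 8  # assumed bound; real resolvers also cap chain length


def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def constructed_resolver(name: str, rrtype: str) -> Optional[str]:
    """Look up a record in the constructed zone (hypothetical helper)."""
    return CONSTRUCTED_ZONE.get((_norm(name), rrtype))


def canonicalize_hostname(host: str, resolver: Resolver,
                          use_reverse_dns: bool = False) -> str:
    """Follow CNAMEs from `host` to the canonical name; optionally replace
    it with the PTR name of the canonical name's A record.

    Every name this returns comes from DNS answers, so whoever can answer
    those queries chooses which service principal the client will ask
    for. That is the concern raised in the thread, and why callers must
    opt in explicitly.
    """
    name = _norm(host)
    for _ in range(MAX_CNAME_DEPTH):
        target = resolver(name, "CNAME")
        if target is None:
            break  # reached a name with no CNAME: the canonical name
        name = _norm(target)
    else:
        raise ValueError("CNAME chain too long or looping for %r" % host)

    if use_reverse_dns:
        addr = resolver(name, "A")
        ptr = resolver(addr, "PTR") if addr is not None else None
        if ptr is not None:
            name = _norm(ptr)
    return name


def build_spn(host: str, service: str = "HTTP", resolver: Optional[Resolver] = None,
              dns_canonicalize_hostname: bool = False,
              use_reverse_dns: bool = False) -> str:
    """Return the hostbased-service name (service@host) for the target.

    With both options at their defaults the name the caller supplied is
    used verbatim, so DNS cannot redirect the principal being requested.
    """
    name = _norm(host)
    if dns_canonicalize_hostname:
        if resolver is None:
            raise ValueError("a resolver is required for canonicalization")
        name = canonicalize_hostname(host, resolver, use_reverse_dns)
    return "%s@%s" % (service, name)


def cname_chain_is_bounded(host: str, resolver: Resolver) -> bool:
    """True if canonicalization refuses a looping CNAME chain."""
    try:
        canonicalize_hostname(host, resolver)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_spn("web.example.org"))
    print(build_spn("web.example.org", resolver=constructed_resolver,
                    dns_canonicalize_hostname=True))
    print(build_spn("web.example.org", resolver=constructed_resolver,
                    dns_canonicalize_hostname=True, use_reverse_dns=True))
```

Run as a script, the three lines show the same URL host yielding three different principals depending on the two switches. Because the canonical and reverse-DNS names are taken from whatever the resolver answers, the two switches are kept separate from the constructor and default to off, matching the shape simo5 proposes.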