I was doing some testing today, and came across a potential security issue.
Consider the following situation:
```nginx
# multiple realms can connect, so auth_gss_realm is NOT set
auth_gss on;
auth_gss_allow_basic_fallback on;
```
If spnego is provided, everything works as intended, no problem.
However, if SPNEGO is not provided and basic fallback is on (which is the default), and I provide a username without the realm (i.e. instead of `username@domain` I simply use `username`), then the `remote_user` variable is set to that username regardless of the password provided.
In the logs, an error is shown: `Kerberos error: Unable to parse username`, but it still sets the `remote_user` variable even if authentication failed, and proceeds. This makes it possible to impersonate other users and basically log in as anyone else.
I found #93, which specifies that basic auth fallback only works with a hardcoded realm.
If that is really the case, and considering basic fallback is on by default, an error should be thrown if the realm isn't hardcoded, and it should not set `remote_user` regardless.
Is there a way to prevent this behavior currently?
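To make the ordering problem concrete, here is an added Python model, not the module's own code: a Basic-auth fallback that records the identity before verification (reproducing the symptom reported above) beside a version that fails closed when the username carries no realm and none is configured. The function names, the KDC stand-in and the 200/401 handling are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the KDC: the only principal that can authenticate.
CONSTRUCTED_KDC = {"alice@EXAMPLE.COM": "correct-horse"}


def kdc_verify(principal: str, password: str) -> bool:
    """Offline stand-in for the Kerberos password check (constructed data)."""
    return CONSTRUCTED_KDC.get(principal) == password


def parse_principal(username: str, default_realm: Optional[str]) -> Optional[str]:
    """Build user@REALM; None models the 'Unable to parse username' error."""
    if "@" in username:
        return username
    return f"{username}@{default_realm}" if default_realm else None


@dataclass
class Request:
    """Minimal model of the request state discussed in the issue."""
    remote_user: Optional[str] = None
    status: int = 0
    log: list = field(default_factory=list)


def fallback_buggy(req, username, password, default_realm=None):
    """Hypothetical ordering that reproduces the reported symptom."""
    req.remote_user = username               # identity recorded before any check
    principal = parse_principal(username, default_realm)
    if principal is None:
        req.log.append("Kerberos error: Unable to parse username")
        req.status = 200                     # error only logged; request proceeds
        return req
    req.status = 200 if kdc_verify(principal, password) else 401
    return req


def fallback_fixed(req, username, password, default_realm=None):
    """Identity is recorded only after parsing AND verification succeed."""
    principal = parse_principal(username, default_realm)
    if principal is None or not kdc_verify(principal, password):
        req.log.append("basic fallback rejected: unparseable or wrong credentials")
        req.status = 401                     # fail closed; remote_user stays unset
        return req
    req.remote_user = principal              # the user is trusted only here
    req.status = 200
    return req
```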