stnoonan / spnego-http-auth-nginx-module

SPNEGO HTTP Authentication Module for nginx
275 stars, 112 forks

Basic authentication fallback sets remote_user on failure. #129

Closed rptmat57 closed 2 years ago

rptmat57 commented 2 years ago

I was doing some testing today, and came across a potential security issue. Consider the following situation:

multiple realms can connect, so auth_gss_realm is NOT set

auth_gss on;
auth_gss_allow_basic_fallback on;

If spnego is provided, everything works as intended, no problem.

However, if spnego is not provided and basic fallback is on (which is the default), and I provide a username without the realm (i.e. instead of username@domain I simply use username), then the remote_user variable is set to that username regardless of the password provided. In the logs, an error is shown: Kerberos error: Unable to parse username, but it still sets the remote_user variable even if authentication failed, and proceeds. This makes it possible to impersonate other users and basically log in as anyone else.

I found #93 which specifies that basic auth fallback only works with hardcoded realm. If that is really the case, and considering basic fallback is on by default, an error should be thrown if the realm isn't hardcoded, and it should not set remote_user regardless.

Is there a way to prevent this behavior currently?

rptmat57 commented 2 years ago

Never mind, I am late to the game. I was using a version < 1.1.1; the new version fixed it.
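As an added illustration (not part of this issue thread and not the module's own documentation), the nginx location blocks below contrast the configuration the report describes with two hardened variants. The realm EXAMPLE.COM, the keytab path, the upstream name and the location paths are placeholders; the directives used (auth_gss, auth_gss_realm, auth_gss_allow_basic_fallback, auth_gss_keytab) are the module's own.

```nginx
# Weak: basic fallback is left on (the default) while no realm is pinned.
# As the report describes, a basic-auth username without "@REALM" fails to
# parse, yet on module versions before 1.1.1 $remote_user was still set.
location /weak/ {
    auth_gss on;
    auth_gss_keytab /etc/krb5.keytab;          # placeholder path
    auth_gss_allow_basic_fallback on;          # explicit, same as the default
    # auth_gss_realm deliberately absent (several realms expected)
    proxy_pass http://app_backend;             # placeholder upstream
    proxy_set_header X-Remote-User $remote_user;
}

# Hardened, option 1: pin the realm so basic fallback has a realm to use,
# which is the prerequisite noted in #93.
location /hardened-realm/ {
    auth_gss on;
    auth_gss_keytab /etc/krb5.keytab;
    auth_gss_realm EXAMPLE.COM;                # placeholder realm
    auth_gss_allow_basic_fallback on;
    proxy_pass http://app_backend;
    proxy_set_header X-Remote-User $remote_user;
}

# Hardened, option 2: when several realms must be accepted and no single
# realm can be pinned, disable basic fallback so only a Negotiate (SPNEGO)
# ticket can authenticate.
location /hardened-nofallback/ {
    auth_gss on;
    auth_gss_keytab /etc/krb5.keytab;
    auth_gss_allow_basic_fallback off;
    proxy_pass http://app_backend;
    proxy_set_header X-Remote-User $remote_user;
}
```

Neither variant replaces the version upgrade the reporter's second comment points to; they only remove the combination (fallback on, realm unset) in which the reported behaviour appeared. A practical check after deploying either block and upgrading is to send a basic-auth request with a deliberately wrong password and confirm in the access log that the response is 401 and that $remote_user is empty rather than the supplied name.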