curl-library

RE: krb4 and CURLOPT_KRBLEVEL

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Sat, 15 Nov 2014 23:23:05 +0000

On Sat, 15 Nov 2014, Michael Osipov wrote:

> > I have prepared a patch to remove this (see attached), however, from
> > reading the libcurl code (security.c) and associated comments it seems
> > more of a generic "Kerberos" option. Does anyone know if it is used
> > for Kerberos 5 at all?
>
> It isn't, this is a FTP security extension command. See
> http://tools.ietf.org/html/rfc2228

Cheers Michael - that helps quite a bit.

> > If so, then should we update the option so that it is enabled when
> > KERBEROS5 support is detected or shall I continue to remove it as
> > planned?
>
> At best disable.
>
> > If we remove it, should we tidy up the libcurl code, removing it and
> > marking CURLOPT_KRBLEVEL as deprecated?
>
> Yes.

Sounds like a plan - I'll add it to my December TODO list and in the meantime see what other feedback comes in ;-)

> > Other than removing it, the main reason I ask is... Do I need to
> > support this as part of the SASL Kerberos 5 work I am doing - either
> > in the SSPI code that I added in August, or the new GSS-API code that
> > I am currently working on?
>
> You don't need that for SASL because SASL use different terms for that.

Cheers.

> If you take another close look, you'll see that gss_seal is used and this is exactly
> the same as a SASL QOP which I told you about recently.

Reading the above RFC, it did seem like there was a bit of overlap between what the PROT command is trying to do and auth-int and auth-conf from SASL's QOP values.

> So that option was/is not used with Kerberos 4 but can be used with
> Kerberos 5 too.

Would you ever want to use it with Kerberos 5 or would you only use the encryption part of Kerberos 5 rather than the authentication part here? Am I right in thinking that you could authenticate FTP with clear text, but then use a protocol protection of PRIVATE and let Kerberos 5 do that encryption for you?

> At best, we need someone who uses that stuff in the real world. In my
> opinion, stuff has been contributed and never been reviewed again. :-(

Yep. I wouldn't mind learning more about FTP and updating its authentication. For example, I added Kerberos 5 support via SSPI to the TODO list, adding other mechanisms if FTP supports them, and trying to remove some of the "Blocking" code in the process - but at the moment, as you know, I'm busy with other things in curl.

Kind Regards

Steve

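The thread above turns on the point that CURLOPT_KRBLEVEL is really the RFC 2228 PROT level, which lines up with SASL's QOP values rather than with any particular Kerberos version. The model below is an added example written for this page; it is not code from curl's security.c or from either poster. It shows, for each KRBLEVEL string, the PROT letter, the closest SASL QOP, the command prefix (MIC/CONF/ENC) and the protected reply code (631/632/633), and walks a small server state machine through AUTH, ADAT, PBSZ and PROT so the ordering rules and the failure codes are visible. Everything cryptographic is a labelled stand-in: HMAC-SHA256 plays gss_get_mic, HMAC plus a SHA-256 keystream plays gss_wrap with conf_req_flag set, and the ADAT exchange simply installs a constructed session key instead of running gss_accept_sec_context. Reply texts after the three-digit codes, the class and function names, and the sample key and tokens are this example's own choices.

```python
import base64
import hashlib
import hmac

# PROT level -> (CURLOPT_KRBLEVEL string, closest SASL QOP, command prefix, protected reply code).
# Level E (confidentiality without integrity) has no SASL counterpart and gss_wrap cannot produce it.
LEVELS = {
    "C": ("clear",        "auth",      None,   None),
    "S": ("safe",         "auth-int",  "MIC",  "631"),
    "E": ("confidential", None,        "CONF", "633"),
    "P": ("private",      "auth-conf", "ENC",  "632"),
}
PREFIX_TO_LEVEL = {v[2]: k for k, v in LEVELS.items() if v[2]}
KRBLEVEL_TO_LEVEL = {v[0]: k for k, v in LEVELS.items()}


def _xor(key, data):
    """Toy keystream (SHA-256 in counter mode): stand-in for the confidentiality part of gss_wrap."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def _tag(key, msg):
    """Stand-in for the integrity part of gss_get_mic/gss_wrap."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def wrap(key, msg, level):
    """S = tag||msg, P = tag||enc(msg), E = enc(msg) only."""
    body = msg if level == "S" else _xor(key, msg)
    return body if level == "E" else _tag(key, msg) + body


def unwrap(key, blob, level):
    if level == "E":
        return _xor(key, blob)
    tag, body = blob[:16], blob[16:]
    msg = body if level == "S" else _xor(key, body)
    if not hmac.compare_digest(tag, _tag(key, msg)):
        raise ValueError("integrity check failed")
    return msg


class Rfc2228Server:
    """Control-connection state for the RFC 2228 security commands only (hypothetical, not curl's)."""

    def __init__(self, key):
        self.pending_key = key   # toy: the key a real ADAT exchange would negotiate
        self.key = None          # non-None once the security association exists
        self.pbsz_done = False
        self.data_prot = "C"     # PROT governs the data channel; commands pick their level per line

    def handle(self, wire):
        verb, _, arg = wire.partition(" ")
        verb = verb.upper()
        if verb in PREFIX_TO_LEVEL:              # MIC/CONF/ENC: unwrap, run, answer at the same level
            if self.key is None:
                return "503 No security association established"
            level = PREFIX_TO_LEVEL[verb]
            try:
                inner = unwrap(self.key, base64.b64decode(arg), level).decode()
            except ValueError:                   # covers bad base64, bad tag and bad UTF-8
                return "535 Failed security check"
            reply = self._plain(inner).encode()
            return LEVELS[level][3] + " " + base64.b64encode(wrap(self.key, reply, level)).decode()
        return self._plain(wire)

    def _plain(self, line):
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.upper()
        if verb == "AUTH":
            return "334 Using authentication type GSSAPI; ADAT must follow" if arg == "GSSAPI" \
                else "504 Unknown security mechanism"
        if verb == "ADAT":
            self.key = self.pending_key          # toy: a real server runs gss_accept_sec_context here
            return "235 ADAT=" + base64.b64encode(b"constructed-server-token").decode()
        if verb == "PBSZ":
            if self.key is None:
                return "503 Security data exchange not complete"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.pbsz_done:
                return "503 PBSZ must be issued before PROT"
            if arg not in LEVELS:
                return "504 Unknown protection level"
            if arg == "E":                       # this model's mechanism cannot do conf-only
                return "536 Requested PROT level not supported by mechanism"
            self.data_prot = arg
            return "200 Protection level set to " + arg
        return '257 "/" is current directory' if verb == "PWD" else "200 Command okay"


def protect(key, cmd, level):
    """Client side: wrap a command at the chosen level, or leave it plain for C."""
    return cmd if level == "C" else LEVELS[level][2] + " " + base64.b64encode(wrap(key, cmd.encode(), level)).decode()


def open_reply(key, reply):
    """Client side: strip a 631/632/633 reply and unwrap it; pass plain replies through."""
    code, _, rest = reply.partition(" ")
    for level, (_, _, _, pcode) in LEVELS.items():
        if code == pcode:
            return unwrap(key, base64.b64decode(rest), level).decode()
    return reply


def run_session(krblevel, key=b"constructed-session-key"):
    """Drive AUTH/ADAT/PBSZ/PROT and one command at the given KRBLEVEL; returns [(wire, reply seen)]."""
    level, srv, log = KRBLEVEL_TO_LEVEL[krblevel], Rfc2228Server(key), []
    for cmd, prot in (("AUTH GSSAPI", "C"), ("ADAT " + base64.b64encode(b"constructed-token").decode(), "C"),
                      ("PBSZ 0", level), ("PROT " + level, level), ("PWD", level)):
        wire = protect(key, cmd, prot)
        log.append((wire, open_reply(key, srv.handle(wire))))
    return log
```

With "private" the PBSZ, PROT and PWD lines go out as `ENC <base64>` and come back as 632 replies that the client has to unwrap; with "safe" they go out as `MIC` and come back as 631; with "clear" the association still exists but nothing is wrapped. The state machine answers 503 to PBSZ before ADAT and to PROT before PBSZ, and 535 when a wrapped command fails its integrity check, which is the behaviour a client such as curl has to be ready for regardless of whether the mechanism underneath is Kerberos 4, Kerberos 5 or anything else GSS-API can speak.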
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-16