Bug 1481983
| Summary: | koji: Insecure host name canonicalization breaks Kerberos security | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
| Component: | koji | Assignee: | Mike McLean <mikem> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | dennis, kevin, mikem |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-25 18:34:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'. This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This code does not change the host name that Koji connects to. This function, _serverPrincipal(), is used to determine which Kerberos principal that we generate our auth request for. This is done to handle situations where the server url uses a cname, but the hub's principal is using the actual host name. This behavior is controllable via the `krb_rdns` and `krb_canon_host` options. So, you can turn these off if you don't like them. It is also only used in the older kerberos auth path. The newer gssapi auth path for kerberos does not do this (though note that krb itself has a dns_canonicalize_hostname option that defaults to true). Koji is not using kerberos to validate the server, but only to authenticate. Koji uses ssl to validate the server, and nothing in this function will affect that. Hopefully that answers the questions about this? If there's any further ones, please open an upstream ticket for faster reply. |
This upstream commit uses unsecured DNS to translate the host name. This causes the client to switch to a different host name, not the one in the configuration, thus breaking Kerberos security. commit fc8a8c6582c5e3b7a8a3a4b887061ba7a3f150a1 Author: Mike McLean <mikem> Date: Fri May 13 10:47:55 2016 -0400 parse host from baseurl in _serverPrincipal() krb auth working now diff --git a/koji/__init__.py b/koji/__init__.py index aceaeb5..a7bf055 100644 --- a/koji/__init__.py +++ b/koji/__init__.py @@ -1945,13 +1945,13 @@ class ClientSession(object): def _serverPrincipal(self, cprinc): """Get the Kerberos principal of the server we're connecting to, based on baseurl.""" + + uri = urlparse.urlsplit(self.baseurl) + host, port = urllib.splitport(uri[1]) if self.opts.get('krb_rdns', True): - servername = socket.getfqdn(self._host) + servername = socket.getfqdn(host) else: - servername = self._host - #portspec = servername.find(':') - #if portspec != -1: - # servername = servername[:portspec] + servername = host realm = cprinc.realm service = self.opts.get('krbservice', 'host')