Open Radar

 
08-Sep-2011 12:07 PM Ben Poliakoff:
Summary: Regression in Mac OS X Lion's GSS-API flag negotiation breaks kerberos utility

Steps to Reproduce:

1) Build and install "remctl" on OSX Lion (remctl, a well know software package in the Kerberos community, is "a client/server protocol for running single commands on a remote host using Kerberos v5 authentication and returning the output").

2) Execute a remctl command which worked properly in Snow Leopard

Expected Results:

Client and server can communicate via GSSAPI authenticated channel, server returns results of commands to the client.

Actual Results:

GSSAPI authenticated connection cannot be made.  Client reports this error:

  remctl: server did not negotiate acceptable GSS-API flags

Regression:

This is a regression in Lion, presumably due to the replacement of MIT krb5 with Heimdal.  remctl worked properly in previous versions of Mac OS X.

Notes:

Comments from the maintainer of remctl (Russ Albery of Stanford University):

This is the first I've heard of it, I'm afraid.  It implies that something
is broken about GSS-API flag negotiation.  remctld's use of GSS-API is
fairly standard, so my guess is a bug on the Mac OS X side, although I'm
not sure.

Both the server and the client insist on:

    static const OM_uint32 req_gss_flags
        = (GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG);

All those should be very standard.  The client also attempts to negotiate:

    static const OM_uint32 wanted_gss_flags
        = (GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG
           | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG);

but it doesn't mind if the extra flags aren't supported.  I think Heimdal
doesn't support replay caching by default, but I checked the code and the
client only insists on the required ones.



The remctl software can be found here:

  http://www.eyrie.org/~eagle/software/remctl/