Bug #42194 for AnyEvent-XMPP: Domain vs. host and GSSAPI

Tue Jan 06 16:57:54 2009 andi [...] collax.com - Ticket created

Subject:	Domain vs. host and GSSAPI
Date:	Tue, 6 Jan 2009 22:57:33 +0100
To:	bug-AnyEvent-XMPP [...] rt.cpan.org
From:	Andreas Hofmeister <andi [...] collax.com>

I tried to use your module w/o SRV records and with GSSAPI authentication. For once, the host specified for an account in AnyEvent::XMPP::IM::Account was not used - apparently some unfinished business here ... , the first of the two attached patches fixes that. The second patch deals with the situation were the server offers GSSAPI authentication but the client has no ticket. 'client_start()' fails in this situation and the idea is to skip the failing mechanism and try again in the hope that there is some other mechanism available. The patch is somewhat suboptimal as it splits the mechanism string in pieces just after the caller has combined them into a string ... It might be better to pass an array of mechanisms to "send_sasl_auth" in the first place. Anyways, with with patches in place I was able to authenticate against jabberd2 2.2.4 with GSSAPI.

Message body is not shown because sender requested not to inline it.

Wed Jan 07 04:39:54 2009 elmex [...] ta-sa.org - Status changed from 'new' to 'open'

Wed Jan 07 04:39:54 2009 elmex [...] ta-sa.org - Severity Normal added

Wed Jan 07 04:39:54 2009 elmex [...] ta-sa.org - Broken in 0.2 added

Wed Jan 07 04:45:24 2009 elmex [...] ta-sa.org - Correspondence added

Hi! Thanks for the report! On Tue Jan 06 16:57:54 2009, andi@collax.com wrote: Show quoted text

> > I tried to use your module w/o SRV records and with GSSAPI > authentication. For once, the host specified for an account in > AnyEvent::XMPP::IM::Account was not used - apparently some unfinished > business here ... ,

Yes, I actually removed override_* in this version. Seems like I overlooked the code in ::IM::Account. I'll fix it so that it works properly again. I'll also document a bit how to prevent SRV record lookups (by using a numeric port). Show quoted text

> the first of the two attached patches fixes that. > > The second patch deals with the situation were the server offers > GSSAPI authentication but the client has no ticket. 'client_start()' > fails in this situation and the idea is to skip the failing mechanism > and try again in the hope that there is some other mechanism > available. The patch is somewhat suboptimal as it splits the > mechanism string in pieces just after the caller has combined them > into a string ... It might be better to pass an array of mechanisms > to "send_sasl_auth" in the first place. > > Anyways, with with patches in place I was able to authenticate > against jabberd2 2.2.4 with GSSAPI.

Thanks for the patches! I'll probably just apply the second one (the changes in send_sasl_auth) and look a bit more into GSSAPI authentication. The first one I'll probably fix differently. The fix will go into the next release, but I can't say yet when that will be :) Greetings, Robin

Wed Jan 07 04:45:26 2009 elmex [...] ta-sa.org - Given to ELMEX

Wed Jan 07 04:54:13 2009 andi [...] collax.com - Correspondence added

Subject:	Re: [rt.cpan.org #42194] Domain vs. host and GSSAPI
Date:	Wed, 7 Jan 2009 10:53:56 +0100
To:	bug-AnyEvent-XMPP [...] rt.cpan.org
From:	Andreas Hofmeister <andi [...] collax.com>

Am 07.01.2009 um 10:45 schrieb Robin Redeker via RT: Show quoted text

> > Thanks for the patches! I'll probably just apply the second > one (the changes in send_sasl_auth) and look a bit more into > GSSAPI authentication. > > The first one I'll probably fix differently.

Very well. Just be aware of the pitfall that you really need to pass the actual host (not the domain) to "$sasl->client_new" to get GSSAPI working. Ciao Andi

Wed Jan 14 17:28:27 2009 elmex [...] ta-sa.org - Correspondence added

Hi! On Wed Jan 07 04:54:13 2009, andi@collax.com wrote: Show quoted text

> > Am 07.01.2009 um 10:45 schrieb Robin Redeker via RT: >

> > > > Thanks for the patches! I'll probably just apply the second > > one (the changes in send_sasl_auth) and look a bit more into > > GSSAPI authentication. > > > > The first one I'll probably fix differently.

> > Very well. Just be aware of the pitfall that you really need to pass > the actual host (not the domain) to "$sasl->client_new" to get GSSAPI > working. > > Ciao > Andi >

I've mostly applied your patches and fixed the bugs with passing the hostnames correctly now. But I'm still kind of puzzled about the 'actual' host. I asked around, and one of the XMPP people told me that I'll have to use the hostname returned by the SRV lookup (or, when one specified a hostname himself, that hostname, as you said). I'll try to setup an environment for testing authenticating via Kerberos when I find the time. For now I'll pass the hostname as you suggest, but for the future I'll need to figure out a way to get the SRV looked up hostname. I'll leave the ticket open until I tested this.

Wed Jan 14 17:55:05 2009 elmex [...] ta-sa.org - Correspondence added

On Wed Jan 07 04:54:13 2009, andi@collax.com wrote: Show quoted text

> > Am 07.01.2009 um 10:45 schrieb Robin Redeker via RT: >

> > > > Thanks for the patches! I'll probably just apply the second > > one (the changes in send_sasl_auth) and look a bit more into > > GSSAPI authentication. > > > > The first one I'll probably fix differently.

> > Very well. Just be aware of the pitfall that you really need to pass > the actual host (not the domain) to "$sasl->client_new" to get GSSAPI > working. > > Ciao > Andi >

I thought a bit longer about this. Why do i have to pass the host which was used to override the domain in the JID? Sometimes the 'host' which was specified to override is not even a hostname (but an IP). And I thought one wants to authenticate as node@domain?

Wed Jan 14 20:14:10 2009 andi [...] collax.com - Correspondence added

Subject:	Re: [rt.cpan.org #42194] Domain vs. host and GSSAPI
Date:	Thu, 15 Jan 2009 02:13:42 +0100
To:	bug-AnyEvent-XMPP [...] rt.cpan.org
From:	Andreas Hofmeister <andi [...] collax.com>

Am 14.01.2009 um 23:55 schrieb Robin Redeker via RT: Show quoted text

> > I thought a bit longer about this. Why do i have to pass the > host which was used to override the domain in the JID?

The domain part in the JID and the host you connect to are not actually related. It is very well possible that the XMPP domain 'example.com' is hosted by 'somehost.big-isp.net'. Nevertheless, remember that when you connect another host, deep down you use IP the address to connect the host, not the name. (which is yet another level of illusion, as the medium over which the connection is made, uses yet another kind of addressing, MAC addresses on Ethernet for example). Show quoted text

> Sometimes the 'host' which was specified to override is not even > a hostname (but an IP). And I thought one wants to > authenticate as node@domain?

You still pass 'node@domain' to the host you connect to. It is the job of the server to figure out that 'node@domain' belongs to its own namespace. When you use Kerberos authentication, the jid you passed to the server does not even need to be related to the identity you use for authentication, as the identity is taken from the ticket passed to the server. The server then figure out that the Kerberos identity 'user@EXAMPLE.COM' is in fact valid for the JID 'user@example.com'. In theory, similar is true for other SASL mechanisms. When you pass 'user@example.com' as identity, the server may choose to just use the whole string as the user id, or it may choose to use 'example.com' as an authentication realm for SASL, or even just ignore the domain part altogether. Summary: the assumption host == JID domain == SASL realm does not hold, so what one needs is a mapping between those domains. The mapping JID => authentication ID, it seems to be a common praxis to use the JID as the authentication ID for those mechanisms that actually need one. None of the clients I've seen so far do it different. However, keeping them distinct internally may be a good idea. DNS-SRV records provide the mapping from JID domain to the host to connect. I would suggest this algorithm 1. when the user explicitly specified a host, just use it. 2. look for SRV records for the domain-part of the JID. When found, use the best one (Net::DNS has a method and an example for this). 3. try to lookup the JID-domain as an IP-Address, when found use it. 4. give up. Using the SRV records over the domain-as-a-host catches the case of domains having catch-all DNS records. Hope that helps, Ciao Andi

Thu Jan 15 04:38:13 2009 elmex [...] ta-sa.org - Correspondence added

Subject:	Re: [rt.cpan.org #42194] Domain vs. host and GSSAPI
Date:	Thu, 15 Jan 2009 10:37:48 +0100
To:	Andreas Hofmeister via RT <bug-AnyEvent-XMPP [...] rt.cpan.org>
From:	Robin Redeker <elmex [...] ta-sa.org>

On Wed, Jan 14, 2009 at 08:14:12PM -0500, Andreas Hofmeister via RT wrote: Show quoted text

> Queue: AnyEvent-XMPP > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=42194 > > > > Am 14.01.2009 um 23:55 schrieb Robin Redeker via RT:

> > > > I thought a bit longer about this. Why do i have to pass the > > host which was used to override the domain in the JID?

> > The domain part in the JID and the host you connect to are not > actually related. It is very well possible that the XMPP domain > 'example.com' is hosted by 'somehost.big-isp.net'.

Yes, an I don't know about the internal redirections they do, or the SRV stuff they do, somehost.big-isp.net should just know that it hosts example.com. Show quoted text

> Nevertheless, remember that when you connect another host, deep down > you use IP the address to connect the host, not the name.

I'm well aware of that. The 'host' parameter the user can pass to override the TCP endpoint we are going to connect to doesn't even have to be a hostname, it could be an IP aswell. Show quoted text

> > Sometimes the 'host' which was specified to override is not even > > a hostname (but an IP). And I thought one wants to > > authenticate as node@domain?

> > You still pass 'node@domain' to the host you connect to. It is the > job of the server to figure out that 'node@domain' belongs to its own > namespace. > > When you use Kerberos authentication, the jid you passed to the > server does not even need to be related to the identity you use for > authentication, as the identity is taken from the ticket passed to > the server. The server then figure out that the Kerberos identity > 'user@EXAMPLE.COM' is in fact valid for the JID 'user@example.com'.

Yes, sounds like I thought. And why do I have to pass the override parameter for connecting the TCP endpoint as realm? This scenario: user@example.com wants to override all SRV lookup related stuff and specifies the 'host' foobar.com and the port 5222 to connect to. He knows that it's the right server. It's still the domain 'example.com' which we authenticate for, if the user wanted to authenticate as user@foobar.com he should have specified the correct JID. The TCP endpoint, as you said, is unrelated to authentication, so why should I pass it? Show quoted text

> In theory, similar is true for other SASL mechanisms. When you pass > 'user@example.com' as identity, the server may choose to just use the > whole string as the user id, or it may choose to use 'example.com' as > an authentication realm for SASL, or even just ignore the domain part > altogether.

Yep. Show quoted text

> Summary: the assumption host == JID domain == SASL realm does not > hold, so what one needs is a mapping between those domains.

Yes, and that mapping is on the host I connect to. He knows the best which JID domains he is responsible for. Show quoted text

> The mapping JID => authentication ID, it seems to be a common praxis > to use the JID as the authentication ID for those mechanisms that > actually need one. None of the clients I've seen so far do it > different. However, keeping them distinct internally may be a good idea. > > DNS-SRV records provide the mapping from JID domain to the host to > connect. I would suggest this algorithm

SRV records may even hold a mapping of JID domain to an IP address directly. Show quoted text

> 1. when the user explicitly specified a host, just use it. > 2. look for SRV records for the domain-part of the JID. When found, > use the best one (Net::DNS has a method and an example for this). > 3. try to lookup the JID-domain as an IP-Address, when found use it. > 4. give up.

Currently it's like this: 1. If the 'host' parameter is given, may it an IP or a hostname, use it to make the TCP connect. But for all authentication issues use the JID domain. 2. When no 'host' parameter is used, and the 'port' parameter contains 'xmpp-client', do a SRV lookup and as the SRV rfc says try to connect to the returned endpoints until it succeeds. When connected, do authentication issues by the JID domain. Show quoted text

> Using the SRV records over the domain-as-a-host catches the case of > domains having catch-all DNS records. > > Hope that helps,

It helps to clear up my mind and find the right solution, I hope :) Thanks, Robin -- Robin Redeker | Deliantra, the free code+content MORPG elmex@ta-sa.org / r.redeker@gmail.com | http://www.deliantra.net http://www.ta-sa.org/ |

Thu Jan 15 06:23:59 2009 elmex [...] ta-sa.org - Correspondence added

I've been reading further into SASL. It seems like you are right and the hostname of the TCP endpoint needs to be determined and passed to the SASL/GSSAPI mechanism. Like said in RFC 2078: This name type is used to represent services associated with host computers. This name form is constructed using two elements, "service" and "hostname", as follows: service@hostname When a reference to a name of this type is resolved, the "hostname" is canonicalized by attempting a DNS lookup and using the fully- qualified domain name which is returned, or by using the "hostname" as provided if the DNS lookup fails. The canonicalization operation also maps the host's name into lower-case characters. That means I'll have to determine the hostname first anyways, and can't just pass the override 'host' parameter (as it might contain an IP, but I could of course just leave that up to the user, to specify the right hostname :-). And in case of DNS-SRV lookup I will need to pass the actual hostname that was used for connecting. That means that this hostname has nothing to do with the actual authentication identity. Thanks! Robin

Thu Jan 15 11:10:28 2009 elmex [...] ta-sa.org - Correspondence added

After discussing this further, it's just not specified which hostname should be used as the hostname of the service. SRV records just change the destination of the service. Like: "Service 'jabber.org' is at 'hermes.jabber.org'". Which would mean that I still have to pass 'jabber.org' as service hostname.

Thu Jan 15 12:24:40 2009 elmex [...] ta-sa.org - Correspondence added

On Thu Jan 15 11:10:28 2009, ELMEX wrote: Show quoted text

> After discussing this further, it's just not specified which hostname > should be used as the hostname of the service. > > SRV records just change the destination of the service. > Like: "Service 'jabber.org' is at 'hermes.jabber.org'". > Which would mean that I still have to pass 'jabber.org' as service

hostname. I've discussed this matter with some on jdev@. It seems to me that GSSAPI is a quite special setup. I'll set the status to resolved for now, as the main issue of bad parameter passing is resolved for now. If this module is to be used in a GSSAPI deployment the hostname can always be given explicitly by the 'host' parameter of AnyEvent::XMPP::Connection, as that host will be passed on to the SASL mechanism. This will not work w.r.t. redirections done by DNS SRV lookups, as they currently are done on a different layer, and I'm currently not willing to reimplement the DNS SRV logic just for GSSAPI - patches are always welcome of course. Greetings, Robin

Thu Jan 15 12:24:41 2009 elmex [...] ta-sa.org - Status changed from 'open' to 'resolved'