
This queue is for tickets about the perl-ldap CPAN distribution.

Report information
The Basics
Id: 58478
Status: resolved
Priority: 0/
Queue: perl-ldap

People
Owner: Nobody in particular
Requestors: dom [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.37
Fixed in: (no value)



Subject: SASL-related host canonicalisation misfeature
Please see <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573596> for a full discussion, but it looks like the change introduced in #35263 is horribly broken and should be reverted (sorry).
It is not broken. It is that there is more than one way to do it and there are users on both sides of the fence.

As a result it was changed so that the caller calls $sasl->client_new and passes the result instead of the sasl object itself.

    $sasl->client_new('ldap',$hostname);

This way the caller has control over what hostname is used. See http://search.cpan.org/~gbarr/perl-ldap-0.4001/lib/Net/LDAP.pod#sasl
CC: 573596 [...] bugs.debian.org, rra [...] debian.org
Subject: Re: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature
Date: Thu, 17 Jun 2010 21:57:23 +0100
To: Graham_Barr via RT <bug-perl-ldap [...] rt.cpan.org>
From: Dominic Hargreaves <dom [...] earth.li>
[CCing Russ in case I need correcting at any point]

On Thu, Jun 17, 2010 at 10:20:43AM -0400, Graham_Barr via RT wrote:

> It is not broken. It is that there is more than one way to do it and there are users on both side of
> the fence.
>
> As a result it was change so that the caller call $sasl->client_new and pass the result instead of
> the sasl object itself.
>
> $sasl->client_new('ldap',$hostname);
>
> This way the caller has control over what hostname is used.

Hi,

I appreciate that the decision on whether to canonicalise is not always obvious and that you support overriding, but I believe that the reported issue with the code still applies in the current version: that peerhost returns a stringified IP address, not any form of actual hostname.

Given you've decided to retain the canonicalisation feature, it would surely still be necessary to look up the name of the IP address.

Note that the current behaviour happens to work with MIT kerberos but does not work with Heimdal.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
CC: 573596 [...] bugs.debian.org, rra [...] debian.org
Subject: Re: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature
Date: Thu, 17 Jun 2010 21:58:56 +0100
To: Graham_Barr via RT <bug-perl-ldap [...] rt.cpan.org>
From: Dominic Hargreaves <dom [...] earth.li>
On Thu, Jun 17, 2010 at 09:57:23PM +0100, Dominic Hargreaves wrote:

> [CCing Russ in case I need correcting at any point]
>
> On Thu, Jun 17, 2010 at 10:20:43AM -0400, Graham_Barr via RT wrote:
> > It is not broken. It is that there is more than one way to do it and there are users on both side of
> > the fence.
> >
> > As a result it was change so that the caller call $sasl->client_new and pass the result instead of
> > the sasl object itself.
> >
> > $sasl->client_new('ldap',$hostname);
> >
> > This way the caller has control over what hostname is used.
>
> Hi,
>
> I appreciate that the decision on whether to canonicalise is not always
> obvious and that you support overriding, but I believe that the reported
> issue with the code still applies in the current version: that peerhost
> returns a stringified IP address, not any form of actual hostname.
>
> Given you've decided to retain the canonicalisation feature, it would
> surely still be necessary to look up the name of the IP address.
>
> Note that the current behaviour happens to work with MIT kerberos but
> does not work with Heimdal.

And just to make explicit, there is a suggested improvement in the Debian BTS:

    # If we're talking to a round-robin, the canonical name of
    # the host we are talking to might not match the name we
    # requested
    my $connected_ip = $ldap->{net_ldap_socket}->peeraddr;
    my $connected_domain = $ldap->{net_ldap_socket}->sockdomain;
    my $connected_name = gethostbyaddr($connected_ip, $connected_domain);
    $connected_name ||= $ldap->{net_ldap_host};

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Subject: Re: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature
Date: Fri, 18 Jun 2010 17:35:18 -0700
To: "bug-perl-ldap [...] rt.cpan.org" <bug-perl-ldap [...] rt.cpan.org>
From: Graham Barr <gbarr [...] pobox.com>
Because there are people for whom the current code works and some for whom it does not. There will be upset users either way. The decision has been made to supply an alternate method to give more control over the API. As a result the existing code will not be changed again.
CC: Graham_Barr via RT <bug-perl-ldap [...] rt.cpan.org>, 573596 [...] bugs.debian.org
Subject: Re: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature
Date: Sat, 19 Jun 2010 10:49:49 -0700
To: Dominic Hargreaves <dom [...] earth.li>
From: Russ Allbery <rra [...] debian.org>
Dominic Hargreaves <dom@earth.li> writes:

> And just to make explicit, there is a suggested improvement in the
> Debian BTS:
>
> # If we're talking to a round-robin, the canonical name of
> # the host we are talking to might not match the name we
> # requested
> my $connected_ip = $ldap->{net_ldap_socket}->peeraddr;
> my $connected_domain = $ldap->{net_ldap_socket}->sockdomain;
> my $connected_name = gethostbyaddr($connected_ip, $connected_domain);
> $connected_name ||= $ldap->{net_ldap_host};

Graham, the current code cannot possibly work with Kerberos GSS-API SASL authentications. Here's what it currently says:

    # If we're talking to a round-robin, the canonical name of
    # the host we are talking to might not match the name we
    # requested
    my $connected_name = $ldap->{net_ldap_socket}->peerhost;
    $connected_name ||= $ldap->{net_ldap_host};

And from IO::Socket::INET:

    peerhost ()
        Return the address part of the sockaddr structure for the socket on
        the peer host in a text form xx.xx.xx.xx

You cannot do a Kerberos SASL authentication to an IP address. It will never work; Kerberos doesn't support it. Kerberos requires a hostname. So setting the connected name to an IP address will always, always fail if you're using GSS-API authentication.

Right now, everyone who wants to use Net::LDAP with Kerberos GSS-API authentication needs to patch Net::LDAP; otherwise, the module is completely unusable if that's the required authentication mechanism.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
CC: Dominic Hargreaves <dom [...] earth.li>, Graham_Barr via RT <bug-perl-ldap [...] rt.cpan.org>
Subject: Re: Bug#573596: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature
Date: Sat, 19 Jun 2010 11:00:18 -0700
To: 573596 [...] bugs.debian.org
From: Russ Allbery <rra [...] debian.org>
Russ Allbery <rra@debian.org> writes:

> Dominic Hargreaves <dom@earth.li> writes:
>
>> And just to make explicit, there is a suggested improvement in the
>> Debian BTS:
>>
>> # If we're talking to a round-robin, the canonical name of
>> # the host we are talking to might not match the name we
>> # requested
>> my $connected_ip = $ldap->{net_ldap_socket}->peeraddr;
>> my $connected_domain = $ldap->{net_ldap_socket}->sockdomain;
>> my $connected_name = gethostbyaddr($connected_ip, $connected_domain);
>> $connected_name ||= $ldap->{net_ldap_host};
>
> Graham, the current code cannot possibly work with Kerberos GSS-API SASL
> authentications. Here's what it currently says:
>
> # If we're talking to a round-robin, the canonical name of
> # the host we are talking to might not match the name we
> # requested
> my $connected_name = $ldap->{net_ldap_socket}->peerhost;
> $connected_name ||= $ldap->{net_ldap_host};
>
> And from IO::Socket::INET:
>
> peerhost ()
> Return the address part of the sockaddr structure for the socket on
> the peer host in a text form xx.xx.xx.xx
>
> You cannot do a Kerberos SASL authentication to an IP address. It will
> never work; Kerberos doesn't support it. Kerberos requires a hostname.
> So setting the connected name to an IP address will always, always fail if
> you're using GSS-API authentication.

I reviewed the rest of the bug log and now I remember the rest of the situation. The reason why you may not have seen this in previous testing is that apparently some versions of the MIT Kerberos library, when told to authenticate to an IP address, will under the hood do the work that I suggested in my proposed modification silently for you, canonicalizing the IP address to a hostname. But this is not part of the GSS-API library guarantee and other GSS-API implementations, such as Heimdal, do not do this. Furthermore, MIT doesn't do this always; it only does this if it's told to do DNS canonicalization.

So while a Kerberos authentication to an IP address will always fail, I forgot that MIT Kerberos will in some cases fix up this bug for you. It still, however, breaks the module completely for people using Heimdal, which is why we ran into this. (Heimdal is a considerably faster Kerberos implementation for LDAP under most circumstances.)

If you want to rely on the DNS canonicalization, you need to do it directly, not assume that the GSS-API library will do it for you, since only some of them will do that and in only some situations.

What makes this bug particularly nasty is that, with a GSS-API implementation that doesn't do this lookup for you, there's no way to work around the bug without surgery on the Net::LDAP module. If you really don't believe me that the code is incorrect as written, please at least add some way for the caller to override the remote hostname for SASL authentication so that at least we can work around this bug without having to maintain a forked version of Net::LDAP.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
CC: Graham_Barr via RT <bug-perl-ldap [...] rt.cpan.org>, Dominic Hargreaves <dom [...] earth.li>
Subject: Re: Bug#573596: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature
Date: Sat, 19 Jun 2010 11:06:58 -0700
To: 573596 [...] bugs.debian.org
From: Russ Allbery <rra [...] debian.org>
Russ Allbery <rra@debian.org> writes:

> What makes this bug particularly nasty is that, with a GSS-API
> implementation that doesn't do this lookup for you, there's no way to
> work around the bug without surgery on the Net::LDAP module. If you
> really don't believe me that the code is incorrect as written, please at
> least add some way for the caller to override the remote hostname for
> SASL authentication so that at least we can work around this bug without
> having to maintain a forked version of Net::LDAP.

Which, of course, is exactly what you did in the first message of this thread. Aie. I'm really sorry about that -- I can only plead that it's been a very long week.

That will let us work around the issue, which will be okay. I do still disagree with your decision on the canonicalization code, but that will let us use the module without patching it, which is, at the end of the day, the goal.

I'm sorry for not having thought through the entire thread and paid attention before responding further.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
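The two points of this thread put together in one caller-side script, added here as an illustration and not code from the perl-ldap distribution or from any of the posters: the reverse lookup that the Debian BTS patch performs (peeraddr/sockdomain/gethostbyaddr instead of the IP string from peerhost), and Graham's client_new workaround, which hands bind() a SASL client object so the hostname the caller chose is the one that ends up in the Kerberos service principal. The server name is a placeholder, and it assumes a valid Kerberos ticket plus the Authen::SASL GSSAPI plugin are present.

```perl
#!/usr/bin/perl
# Added example (not from perl-ldap or the thread's authors).
# Kerberos needs ldap/<hostname>@REALM, never ldap/<ip-address>, so we
# pick the hostname ourselves instead of letting Net::LDAP use peerhost().
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

my $requested = 'ldap.example.com';    # assumption: placeholder server name

my $ldap = Net::LDAP->new($requested) or die "connect to $requested: $@";

# The Debian BTS suggestion: reverse-resolve the peer we actually reached
# (round-robin DNS may have handed us a different member of the pool) and
# fall back to the requested name if there is no PTR record.
# Trade-off for a defender: the PTR record is controlled by whoever runs
# reverse DNS for that address, so if the directory servers' names are
# known in advance, pinning $requested is the more conservative choice.
my $sock      = $ldap->socket;
my $peer_name = gethostbyaddr($sock->peeraddr, $sock->sockdomain) || $requested;

# Graham's API: pass bind() the object returned by client_new, not the
# Authen::SASL object itself, so our hostname is used unchanged.
my $sasl   = Authen::SASL->new(mechanism => 'GSSAPI');
my $client = $sasl->client_new('ldap', $peer_name);

my $mesg = $ldap->bind(sasl => $client);
die 'GSSAPI bind failed: ' . $mesg->error if $mesg->code;

# Show which IP we reached versus which principal name was authenticated,
# which is exactly the pair the bug report is about.
printf "GSSAPI bind to %s succeeded using service principal ldap/%s\n",
    $sock->peerhost, $peer_name;
$ldap->unbind;
```

On a Heimdal-based client the same script with $peer_name replaced by $sock->peerhost reproduces the failure described above, which makes it a quick check for which canonicalisation behaviour a given GSS-API library exhibits.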