Bugzilla – Bug 3794
GSSAPI delegation always generates 512 bit keys
Last modified: 2008-08-11 15:19:10
This issue was raised in a GSI-OpenSSH bug report from Keith Thompson (http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=268). When delegating proxy credentials, gss_accept_sec_context() and gss_accept_delegation() always generate 512 bit keys, no matter the key size of the source credentials. I agree with Keith that the key size on delegation should match the key size of the source credentials. He provided the following example in his bug report:

elmak% grid-proxy-init -bits 1024
Your identity: /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst
Enter GRID pass phrase for this identity:
Creating proxy ........................... Done
Your proxy is valid until: Fri Sep 9 11:40:59 2005
elmak% ssh -V
OpenSSH_3.7.1p2 NCSA_GSSAPI_GPT_3.0 GSI, SSH protocols 1.5/2.0, OpenSSL 0.9.6l 04 Nov 2003
elmak% ssh tg-login1.ncsa.teragrid.org
Last login: Thu Sep 8 17:38:36 2005 from elmak.sdsc.edu
[snip /etc/motd]
tg-login1% grid-proxy-info -all
subject : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst/CN=proxy/CN=proxy
issuer : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst/CN=proxy
identity : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p12441.filebYHJ0p.1
timeleft : 11:59:30
Tested Java components and delegation strength is set based on source of credentials. I am reassigning it to Raj to check the C side of things.
On the C side, a delegation strength of 512 bits (default) is used irrespective of the key bits in the source credential. Right now, I do not see a way to get the key_bits value of the peer's credential in gss_accept_sec_context(). Might have to add a new credential attribute to fix this issue.
Fix has been committed to trunk and 4.0 branch.
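An added example, not part of the original bug report or the Globus code: a check that can be run on the receiving host over `grid-proxy-info -all` output to flag a delegated proxy whose key is weaker than the source credential. The function names, the `source_bits` argument (the value given to `grid-proxy-init -bits` on the client) and the `min_bits` policy floor are assumptions; the sample input is the output quoted in the report.

```python
import re

# Output of `grid-proxy-info -all` on the remote host, as quoted in the bug report.
SAMPLE = """\
subject : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst/CN=proxy/CN=proxy
issuer : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst/CN=proxy
identity : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p12441.filebYHJ0p.1
timeleft : 11:59:30
"""

def parse_proxy_info(text):
    """Parse 'key : value' lines; split on the first colon only (timeleft has more)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def delegation_depth(fields):
    """Count the CN components appended to the identity DN (one per proxy level)."""
    subject, identity = fields["subject"], fields["identity"]
    if not subject.startswith(identity):
        raise ValueError("subject does not extend identity")
    return subject[len(identity):].count("/CN=")

def check_strength(fields, source_bits, min_bits):
    """Return (bits, findings); min_bits is a hypothetical site policy floor."""
    m = re.fullmatch(r"(\d+) bits", fields.get("strength", ""))
    if not m:
        raise ValueError("no parsable strength field")
    bits = int(m.group(1))
    findings = []
    if bits < source_bits:
        findings.append(f"delegated key is {bits} bits, source credential was {source_bits}")
    if bits < min_bits:
        findings.append(f"delegated key is below the {min_bits}-bit policy floor")
    return bits, findings

if __name__ == "__main__":
    info = parse_proxy_info(SAMPLE)
    bits, findings = check_strength(info, source_bits=1024, min_bits=1024)
    print(f"depth={delegation_depth(info)} strength={bits}")
    for finding in findings:
        print("WARN:", finding)
```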