Bug 3794 - GSSAPI delegation always generates 512 bit keys
Status: RESOLVED FIXED
: GSI C
Authentication
: 4.0.1
: All All
: P3 normal
: ---
Reported: 2005-09-29 15:41 by
Modified: 2008-08-11 15:19




Description From 2005-09-29 15:41:44
This issue was raised in a GSI-OpenSSH bug report from Keith Thompson
(http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=268).  When delegating
proxy credentials, gss_accept_sec_context() and
gss_accept_delegation() always generate 512 bit keys, no matter the
key size of the source credentials.  I agree with Keith that the key
size on delegation should match the key size of the source
credentials.  He provided the following example in his bug report:

elmak% grid-proxy-init -bits 1024
Your identity: /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst
Enter GRID pass phrase for this identity:
Creating proxy ........................... Done
Your proxy is valid until: Fri Sep  9 11:40:59 2005
elmak% ssh -V
OpenSSH_3.7.1p2 NCSA_GSSAPI_GPT_3.0 GSI, SSH protocols 1.5/2.0, OpenSSL 0.9.6l 04 Nov 2003
elmak% ssh tg-login1.ncsa.teragrid.org
Last login: Thu Sep  8 17:38:36 2005 from elmak.sdsc.edu
[snip /etc/motd]
tg-login1% grid-proxy-info -all
subject  : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst/CN=proxy/CN=proxy
issuer   : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst/CN=proxy
identity : /C=US/O=SDSC/OU=SDSC/CN=Keith Thompson/USERID=kst
type     : full legacy globus proxy
strength : 512 bits
path     : /tmp/x509up_p12441.filebYHJ0p.1
timeleft : 11:59:30
------- Comment #1 From 2005-10-17 11:14:39 -------
Tested Java components and delegation strength is set based on source of
credentials. I am reassigning it to Raj to check the C side of things.
------- Comment #2 From 2005-10-20 18:49:58 -------
On the C side, a delegation strength of 512 bits (default) is used irrespective
of the key bits in the source credential. Right now, I do not see a way to get
the key_bits value of the peer's credential in gss_accept_sec_context(). Might
have to add a new credential attribute to fix this issue.
------- Comment #3 From 2005-10-26 19:57:24 -------
Fix has been committed to trunk and 4.0 branch.
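
A check for the behaviour reported in this bug, as an added example that is not part of the original thread or the Globus code: it reads the `strength` line of `grid-proxy-info -all` output and flags a delegated proxy whose key is weaker than the source proxy's. The source-side sample output, the function names and the `remote-host` placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a delegated proxy whose key
# is weaker than the source proxy, from `grid-proxy-info -all` output.

# Constructed sample: local proxy after `grid-proxy-init -bits 1024`.
SOURCE_SAMPLE='subject  : /C=US/O=Example/CN=Test User/CN=proxy
type     : full legacy globus proxy
strength : 1024 bits
timeleft : 11:59:58'

# Delegated proxy on the remote host, trimmed from the output in the report.
DELEGATED_SAMPLE='type     : full legacy globus proxy
strength : 512 bits
path     : /tmp/x509up_p12441.filebYHJ0p.1
timeleft : 11:59:30'

# Read grid-proxy-info output on stdin; print the key size in bits.
# Prints nothing if there is no "strength" line.
proxy_strength() {
    awk -F: '$1 ~ /^strength[ \t]*$/ { split($2, f, " "); print f[1]; exit }'
}

# check_delegation SOURCE_BITS DELEGATED_BITS
# Returns 0 if the delegated key is at least as strong as the source,
# 1 if it is weaker, 2 if either value is missing or not a number.
check_delegation() {
    for n in "$1" "$2"; do
        case $n in ''|*[!0-9]*) echo "ERROR: cannot read key strength"; return 2 ;; esac
    done
    if [ "$2" -lt "$1" ]; then
        echo "WEAK: delegated proxy is $2 bits, source proxy is $1 bits"
        return 1
    fi
    echo "OK: delegated proxy is $2 bits, source proxy is $1 bits"
}

# Real use (host name is a placeholder):
#   src=$(grid-proxy-info -all | proxy_strength)
#   dst=$(ssh remote-host grid-proxy-info -all | proxy_strength)
src=$(printf '%s\n' "$SOURCE_SAMPLE" | proxy_strength)
dst=$(printf '%s\n' "$DELEGATED_SAMPLE" | proxy_strength)
check_delegation "$src" "$dst" || echo "check_delegation exit status: $?"
```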