#7140 Configure DS to use minssf = 128
Opened 6 years ago by simo. Modified 3 years ago

In >= f26 we can use minssf properly, as SASL/GSSAPI now exposes levels based on algorithms, not a constant 56.

more data from Alexander:

The way we are doing it is by using an inquiry of a mech used by GSSAPI
if gss_inquire_sec_context_by_oid() is available. This is done
transparently in the Cyrus SASL gssapi plugin code.

Both requiressf and limitssf properties of the SASL context are
calculated based on SASL_SSF and SASL_SSF_EXTERNAL properties set by the
SASL application, namely by subtracting SASL_SSF_EXTERNAL value out of
SASL_SSF. Since 389-ds does not set SASL_SSF_EXTERNAL at all, it
defaults to 0 and `nsslapd-minssf` is the sole factor here.
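The subtraction Alexander describes, as an added example that is not code from this ticket, from 389-ds or from Cyrus SASL: a simplified Python model of how the GSSAPI plugin turns the application's SASL_SSF bounds and SASL_SSF_EXTERNAL into its residual `requiressf`/`limitssf` thresholds and then compares them with the per-algorithm strength the mechanism reports. The clamp to 0 when the external SSF already covers a bound, the `gssapi_bind_allowed` check and all numeric inputs are assumptions made for this example.

```python
# Added example, not code from the ticket or from 389-ds/Cyrus SASL: a model of
# the SSF arithmetic described above. Clamping to 0 when the external SSF already
# exceeds a bound is an assumption about the plugin's behaviour; the SSF numbers
# used below are constructed sample inputs.
from dataclasses import dataclass


@dataclass(frozen=True)
class SaslSsfProps:
    min_ssf: int           # SASL_SSF lower bound (389-ds derives it from nsslapd-minssf)
    max_ssf: int           # SASL_SSF upper bound
    external_ssf: int = 0  # SASL_SSF_EXTERNAL, e.g. TLS strength; 389-ds never sets it


def requiressf(p: SaslSsfProps) -> int:
    """Protection the SASL mechanism itself must still provide."""
    return 0 if p.external_ssf >= p.min_ssf else p.min_ssf - p.external_ssf


def limitssf(p: SaslSsfProps) -> int:
    """Most protection the mechanism is allowed to negotiate on its own."""
    return 0 if p.external_ssf >= p.max_ssf else p.max_ssf - p.external_ssf


def gssapi_bind_allowed(p: SaslSsfProps, mech_ssf: int) -> bool:
    """mech_ssf is the strength the GSSAPI mechanism reports for the
    negotiated context (the per-algorithm value the ticket says >= f26
    exposes instead of a constant 56). A bind whose mechanism cannot reach
    the residual requirement is rejected as too weak (assumed model)."""
    return mech_ssf >= requiressf(p)


if __name__ == "__main__":
    # nsslapd-minssf = 128 with no external layer: the mechanism must deliver 128 itself
    strict = SaslSsfProps(min_ssf=128, max_ssf=256)
    print(requiressf(strict), gssapi_bind_allowed(strict, 56), gssapi_bind_allowed(strict, 128))
    # Same policy behind a 256-bit external layer: nothing is required of the mechanism
    behind_tls = SaslSsfProps(min_ssf=128, max_ssf=256, external_ssf=256)
    print(requiressf(behind_tls), limitssf(behind_tls))
```

With `external_ssf` left at 0, `requiressf` equals `min_ssf`, which is why `nsslapd-minssf` alone decides what a 389-ds GSSAPI bind must negotiate.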

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

master:

  • 3509545 Require a minimum SASL security factor of 56

As [discussed](https://github.com/freeipa/freeipa/pull/3105#issuecomment-488658315) I'll split the original PR in two and keep the part that configured the client to require a strong SSF.
