[SERVER-8641] Allow client to learn the service principal name for authentication purposes from the ismaster command Created: 20/Feb/13  Updated: 10/Dec/14  Resolved: 11/Jul/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Andy Schwerin Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

This is a follow-on to SERVER-8479.

If the server reports both the sasl service name and host name via ismaster, and alter to use the result of ismaster when doing GSSAPI authentication, then GSSAPI could be used for authentication in environments without complete DNS setups.

Drivers would need a hook to let the client application decide if it was willing to authenticate to the principal reported by ismaster. However, since security conscious consumers will already be validating the server's SSL certificate, they should already trust the server by the time they're using ismaster to find out its GSSAPI identity.



 Comments   
Comment by Andy Schwerin [ 11/Jul/13 ]

Rejected as weakening security properties of mutual authentication. If you ask the server what its name is, rather than deriving its name from the hostname you believe you're connecting to and the service name you expect to find, then you're giving the remote party the opportunity to spoof you, if it has a valid ticket for some other service than the one you expect.

Generated at Thu Feb 08 03:17:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.