[SERVER-8641] Allow client to learn the service principal name for authentication purposes from the ismaster command Created: 20/Feb/13 Updated: 10/Dec/14 Resolved: 11/Jul/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Andy Schwerin | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Participants: |
| Description |
|
This is a follow-on to If the server reports both the sasl service name and host name via ismaster, and alter to use the result of ismaster when doing GSSAPI authentication, then GSSAPI could be used for authentication in environments without complete DNS setups. Drivers would need a hook to let the client application decide if it was willing to authenticate to the principal reported by ismaster. However, since security conscious consumers will already be validating the server's SSL certificate, they should already trust the server by the time they're using ismaster to find out its GSSAPI identity. |
| Comments |
| Comment by Andy Schwerin [ 11/Jul/13 ] |
|
Rejected as weakening security properties of mutual authentication. If you ask the server what its name is, rather than deriving its name from the hostname you believe you're connecting to and the service name you expect to find, then you're giving the remote party the opportunity to spoof you, if it has a valid ticket for some other service than the one you expect. |