autofs: Missing support of SCRAM for SASL binds
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| autofs | New | Undecided | | |
| autofs (Ubuntu) | Fix Released | Undecided | Andreas Hasenack | |
| Jammy | Fix Released | Undecided | Andreas Hasenack | |
| Kinetic | Won't Fix | Undecided | Andreas Hasenack | |
| Lunar | Fix Released | Undecided | Andreas Hasenack | |
Bug Description
[ Impact ]
autofs currently lacks support for the SCRAM SASL mechanism. The available options are:
- DIGEST-MD5: obsoleted by https:/
- GSSAPI mechanisms: more complex to set up (Kerberos-based)
- plain text mechanisms: the usual "password is sent in cleartext over the wire" mechanisms
SCRAM, defined in https:/
This update adds support for SCRAM and a DEP8 test to exercise this mechanism and many others.
[racb] SRU justification for what appears to be a new feature: without SCRAM support, we would have no reasonable recommended authentication left, except for Kerberos which would be an unreasonable ask for users who don't already have Kerberos infrastructure.
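As an added illustration, not code from this bug or from the autofs project, of why SCRAM is the reasonable option among those listed above: a minimal SCRAM-SHA-256 exchange in the RFC 5802 shape, with both the client and server sides, showing that the server stores only derived keys and that the password itself never appears in any message. The function names, the constructed salt and the fixed nonces are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

HASH, ITERATIONS = "sha256", 4096   # SCRAM-SHA-256 variant of the RFC 5802 family

def h(data):                # H(): the mechanism's hash
    return hashlib.new(HASH, data).digest()

def hm(key, msg):           # HMAC() keyed with the mechanism's hash
    return hmac.new(key, msg, HASH).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def b64(raw):
    return base64.b64encode(raw).decode()

def server_store(password, salt, iterations=ITERATIONS):
    """Server-side record: salt, StoredKey and ServerKey only, never the password."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    return {"salt": salt, "i": iterations,
            "stored_key": h(hm(salted, b"Client Key")),
            "server_key": hm(salted, b"Server Key")}

def scram_exchange(user, password, store, cnonce=None, snonce=None):
    """Run the four SCRAM messages; client knows `password`, server knows only `store`."""
    cnonce = cnonce or b64(os.urandom(18))
    snonce = snonce or b64(os.urandom(18))
    client_first_bare = f"n={user},r={cnonce}"
    client_first = "n,," + client_first_bare                            # client -> server
    nonce = cnonce + snonce
    server_first = f"r={nonce},s={b64(store['salt'])},i={store['i']}"  # server -> client
    # Client derives ClientKey from the password and signs the exchange so far.
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), store["salt"], store["i"])
    client_key = hm(salted, b"Client Key")
    client_final_bare = f"c={b64(b'n,,')},r={nonce}"
    auth_msg = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    proof = xor(client_key, hm(h(client_key), auth_msg))   # ClientKey XOR ClientSignature
    client_final = f"{client_final_bare},p={b64(proof)}"                # client -> server
    # Server recovers ClientKey from the proof and checks it against StoredKey.
    recovered = xor(proof, hm(store["stored_key"], auth_msg))
    if not hmac.compare_digest(h(recovered), store["stored_key"]):
        return {"ok": False, "transcript": [client_first, server_first, client_final]}
    server_sig = hm(store["server_key"], auth_msg)
    server_final = f"v={b64(server_sig)}"                               # server -> client
    # Client verifies the server's signature in turn (mutual authentication).
    ok = hmac.compare_digest(hm(hm(salted, b"Server Key"), auth_msg), server_sig)
    return {"ok": ok, "transcript": [client_first, server_first, client_final, server_final]}
```

A wrong password fails at the server's StoredKey check, and the transcript can be inspected to confirm that only nonces, the salt, the iteration count and keyed signatures cross the wire.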
[ Test Plan ]
The test plan requires setting up:
- an ldap server that supports SASL SCRAM
- autofs configured to fetch automount maps from that ldap server, using SASL authentication
- a network filesystem to properly test that autofs is using the fetched map to mount the filesystem
This can be a bit involved, so with this update I provide a DEP8 test that sets up the above and exercises SASL SCRAM and many other SASL mechanisms:
- DIGEST-MD5
- SCRAM-SHA-*
- GSSAPI and GSS-SPNEGO
- NTLM and CRAM-MD5 (see bug #2023595)
In all cases, the automount map is stored in openldap, configured via ACLs to require the specific SASL authentication to access the map information.
The verification of this bug shall be completed if all the autofs DEP8 tests succeed. This will have verified the specific fix for this bug, as well as the "normal" autofs behavior via the other tests.
[ Where problems could occur ]
In terms of behavior, what will change now is that SCRAM-* authentication will work, as long as the credentials are correct.
Some scenarios I can think of:
- credentials were always correct, but due to the bug, the authentication always failed. After the update, the authentication will succeed, and different ACLs might apply to the connection on the server side.
- credentials were always INCORRECT, but due to the bug, coupled with ACLs on the server that allowed anonymous searches, the user was unaware of this fact. After the update, the authentication will still fail and searches will keep working, but now the failure is an incorrect password, and the server might record this differently.
[ Other Info ]
These two paragraphs below only applied while I was considering fixing #1984073 together with this bug here. THAT IS NO LONGER THE CASE: only this bug, SCRAM, is being fixed now, and #1984073 is marked as won't fix/opinion for the SRU case.
No longer applicable, but left here for history:
"""
It's important to not analyse this fix here in isolation. There is another fix part of this upload which changes the way SASL authentication is handled: https:/
It does not change how SCRAM would be enabled in autofs, but the code path becomes very different in the end.
"""
[ Original Description ]
Most directory services now support the more secure Salted Challenge Response Authentication Mechanism (SCRAM) for SASL binding (RFC 5802). But an automount user cannot request use of SCRAM, as automount does not read user and password credentials for SCRAM mechanisms.
Sys admins who do not want to implement Kerberos-based authentication to their directory service using GSSAPI need to rely on DIGEST-MD5, which is regarded as insecure.
Related branches
- Branch 1 (reviews: git-ubuntu bot: Approve; Sergio Durigan Junior (community): Approve; Canonical Server Reporter: Pending requested)
  Diff: 644 lines (+565/-2), 7 files modified:
  - debian/changelog (+156/-0)
  - debian/control (+2/-1)
  - debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
  - debian/patches/series (+1/-0)
  - debian/tests/control (+4/-0)
  - debian/tests/ldap-map-sasl-auth (+385/-0)
  - debian/tests/smb-mount (+1/-1)
- Branch 2 (reviews: Athos Ribeiro (community): Needs Information; Canonical Server Core Reviewers: Pending requested; Canonical Server Reporter: Pending requested)
  Diff: 529 lines (+487/-0), 6 files modified:
  - debian/changelog (+14/-0)
  - debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+84/-0)
  - debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
  - debian/patches/series (+2/-0)
  - debian/tests/control (+4/-0)
  - debian/tests/ldap-map-sasl-auth (+367/-0)
- Branch 3 (reviews: Canonical Server Core Reviewers: Pending requested; Canonical Server Reporter: Pending requested)
  Diff: 530 lines (+488/-0), 6 files modified:
  - debian/changelog (+14/-0)
  - debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+84/-0)
  - debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
  - debian/patches/series (+2/-0)
  - debian/tests/control (+4/-0)
  - debian/tests/ldap-map-sasl-auth (+368/-0)
- Branch 4 (reviews: git-ubuntu bot: Approve; Bryce Harrington (community): Approve; Canonical Server Reporter: Pending requested)
  Diff: 1314 lines (+1254/-0), 9 files modified:
  - debian/changelog (+20/-0)
  - debian/patches/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch (+118/-0)
  - debian/patches/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch (+422/-0)
  - debian/patches/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch (+221/-0)
  - debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+84/-0)
  - debian/patches/series (+5/-0)
  - debian/patches/support-external-cc-for-gssapi-bind.patch (+20/-0)
  - debian/tests/control (+4/-0)
  - debian/tests/ldap-map-sasl-auth (+360/-0)
Changed in autofs (Ubuntu): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu): status: Triaged → In Progress
description: updated (5 times)
Changed in autofs (Ubuntu Jammy): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu Kinetic): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu Lunar): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu Jammy): status: New → In Progress
Changed in autofs (Ubuntu Kinetic): status: New → In Progress
Changed in autofs (Ubuntu Lunar): status: New → In Progress
description: updated (7 times)
Changed in autofs (Ubuntu Kinetic): status: In Progress → Won't Fix
Hi rdratlos, thanks for keeping an eye on autofs.
Is this something that can be enabled in the Ubuntu packaging for autofs, or is it more a feature that'd need to be implemented in autofs itself? If the latter, would this be better to report upstream? Or do you already have thoughts on a fix for it?