all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [bug#34632] GSS development status
       [not found] <87o968i9gh.fsf@gmail.com>
@ 2022-08-06 14:02 ` help-gss--- via
  2022-08-10  0:48   ` Maxim Cournoyer
  0 siblings, 1 reply; 2+ messages in thread
From: help-gss--- via @ 2022-08-06 14:02 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 34632, help-gss

[-- Attachment #1: Type: text/plain, Size: 1981 bytes --]

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> I'd like to inquire about the development status of GSS? Has it left the
> beta status? Are bugs still being fixed? Is there any known or presumed
> security issues when using GSS rather than its more mainstream
> implementation in MIT Kerberos?
>
> I'm asking because the GNU Guix project is considering a switch from GNU
> GSS to MIT krb5 for security reasons [0], given that no new releases have
> been made since 2014.
>
> Thank you,
>
> Maxim Cournoyer
>
> [0]  http://issues.guix.info/issue/34632

Hi Maxim,

Sorry for the slow response, which may in part be an answer to your
question.  However I have just released GNU GSS version 1.0.4 to refresh
the project, and have setup CI/CD checking of it to pave the road for
future improvements.  To my knowledge there are only two major missing
features:

  1) Missing gss_wrap() AES functionality.  This prevents SASL GSS-API
     to complete on modern machines.  Shishi supports AES and GSSLib
     supports it for GSS_Init_sec_context etc but not GSS_wrap.

  2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
     Heimdal.

I hope to complete 1) in the future.  For 2), fixing it would be a GNU
Shishi feature that should be simple to resolve -- it ships with tools
ccache2shishi and keytab2shishi to convert the files, but that should be
done automatically internally by the library instead.

Indeed getting these enrolled in the OSS Fuzz project would be a great
contribution.  My primary goal is to do a new release of GNU Shishi and
improve the CI/CD integration checks to have good confidence in future
changes.

Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
I believe it would be much nicer if you would use the 'Libgssglue'
package instead!  Then the user can change GSS-API library at run-time.
Read about this work here:

https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

/Simon

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 255 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [bug#34632] GSS development status
  2022-08-06 14:02 ` [bug#34632] GSS development status help-gss--- via
@ 2022-08-10  0:48   ` Maxim Cournoyer
  0 siblings, 0 replies; 2+ messages in thread
From: Maxim Cournoyer @ 2022-08-10  0:48 UTC (permalink / raw)
  To: Simon Josefsson; +Cc: 34632, help-gss

Hi Simon,

Simon Josefsson <simon@josefsson.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
>> Hello,
>>
>> I'd like to inquire about the development status of GSS? Has it left the
>> beta status? Are bugs still being fixed? Is there any known or presumed
>> security issues when using GSS rather than its more mainstream
>> implementation in MIT Kerberos?
>>
>> I'm asking because the GNU Guix project is considering a switch from GNU
>> GSS to MIT krb5 for security reasons [0], given that no new releases have
>> been made since 2014.
>>
>> Thank you,
>>
>> Maxim Cournoyer
>>
>> [0]  http://issues.guix.info/issue/34632
>
> Hi Maxim,
>
> Sorry for the slow response, which may in part be an answer to your
> question.  However I have just released GNU GSS version 1.0.4 to refresh
> the project, and have setup CI/CD checking of it to pave the road for
> future improvements.  To my knowledge there are only two major missing
> features:
>
>   1) Missing gss_wrap() AES functionality.  This prevents SASL GSS-API
>      to complete on modern machines.  Shishi supports AES and GSSLib
>      supports it for GSS_Init_sec_context etc but not GSS_wrap.
>
>   2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
>      Heimdal.
>
> I hope to complete 1) in the future.  For 2), fixing it would be a GNU
> Shishi feature that should be simple to resolve -- it ships with tools
> ccache2shishi and keytab2shishi to convert the files, but that should be
> done automatically internally by the library instead.
>
> Indeed getting these enrolled in the OSS Fuzz project would be a great
> contribution.  My primary goal is to do a new release of GNU Shishi and
> improve the CI/CD integration checks to have good confidence in future
> changes.
>
> Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
> I believe it would be much nicer if you would use the 'Libgssglue'
> package instead!  Then the user can change GSS-API library at run-time.
> Read about this work here:
>
> https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

Thank you for this update!  I'm happy to read you are picking up
maintenance of GSS.  The libgssglue is interesting... I'll have to read
about it to know how it's intended to be used.

Thanks, and long live GNU GSS!

Maxim




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-08-10  0:49 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <87o968i9gh.fsf@gmail.com>
2022-08-06 14:02 ` [bug#34632] GSS development status help-gss--- via
2022-08-10  0:48   ` Maxim Cournoyer

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.