Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support

["Daniel P. Berrange" <berrange@redhat.com>]

On Thu, Feb 26, 2009 at 11:56:24AM +0000, Daniel P. Berrange wrote:
> This patch adds the new SASL authentication protocol to the VNC server.
> 


> diff -r 0eb0b12c0673 vnc-auth-sasl.c
> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
> +++ b/vnc-auth-sasl.c	Mon Feb 23 13:40:03 2009 +0000
> +
> +#include "vnc.h"
> +
> +/* Max amount of data we send/recv for SASL steps to prevent DOS */
> +#define SASL_DATA_MAX_LEN (1024 * 1024)
> +


FYI, last time I posted this series, a question was raised about whether
this limit is large enough for Windows Kerberos tickets with lots of
groups. I've done a little googling and found this MicroSoft technote

http://technet.microsoft.com/en-us/library/cc756101.aspx

  "Recommended Maximum Kerberos Settings

  The maximum recommended size for a Kerberos ticket is 65,535 bytes, 
  which is configured through the MaxTokenSize REG_DWORD value in the 
  registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Kerberos\Parameters).
  Increasing this value from the default may cause errors, particularly
  when Web browsers or Web servers are used. "

Given that Microsoft recommends a max size of 65,535 bytes I think we
should be OK with this 1MB limit on a SASL auth step. In any case this
is only a server side sanity check, not a fundamental part of the auth
protocol definition, so we can easily increase in future should it become
a problem

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|