Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support

[John Haxby <john.haxby@oracle.com>]

Daniel P. Berrange wrote:
> On Thu, Feb 26, 2009 at 11:56:24AM +0000, Daniel P. Berrange wrote:
>   
>> diff -r 0eb0b12c0673 vnc-auth-sasl.c
>> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
>> +++ b/vnc-auth-sasl.c	Mon Feb 23 13:40:03 2009 +0000
>> +
>> +#include "vnc.h"
>> +
>> +/* Max amount of data we send/recv for SASL steps to prevent DOS */
>> +#define SASL_DATA_MAX_LEN (1024 * 1024)
>> +
>>     
>
>
> FYI, last time I posted this series, a question was raised about whether
> this limit is large enough for Windows Kerberos tickets with lots of
> groups. I've done a little googling and found this MicroSoft technote
>
> http://technet.microsoft.com/en-us/library/cc756101.aspx
>
>   "Recommended Maximum Kerberos Settings
>
>   The maximum recommended size for a Kerberos ticket is 65,535 bytes, 
>   which is configured through the MaxTokenSize REG_DWORD value in the 
>   registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Kerberos\Parameters).
>   Increasing this value from the default may cause errors, particularly
>   when Web browsers or Web servers are used. "
>
> Given that Microsoft recommends a max size of 65,535 bytes I think we
> should be OK with this 1MB limit on a SASL auth step. In any case this
> is only a server side sanity check, not a fundamental part of the auth
> protocol definition, so we can easily increase in future should it become
> a problem
>   
If I recall correctly, 1MB was the limit I placed on SASL authentication 
steps a while ago and while we had all kinds of trouble with large 
kerberos tickets from windows machines, it wasn't with SASL.   That code 
has been in production for a few years now.

jch