From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Ld0fn-00020l-QT
	for qemu-devel@nongnu.org; Fri, 27 Feb 2009 06:14:31 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1Ld0fl-000200-W2
	for qemu-devel@nongnu.org; Fri, 27 Feb 2009 06:14:31 -0500
Received: from [199.232.76.173] (port=60655 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Ld0fl-0001zp-O1
	for qemu-devel@nongnu.org; Fri, 27 Feb 2009 06:14:29 -0500
Received: from acsinet11.oracle.com ([141.146.126.233]:27409)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <john.haxby@oracle.com>) id 1Ld0fl-0004k1-BW
	for qemu-devel@nongnu.org; Fri, 27 Feb 2009 06:14:29 -0500
Message-ID: <49A7CB0A.2070801@oracle.com>
Date: Fri, 27 Feb 2009 11:14:18 +0000
From: John Haxby <john.haxby@oracle.com>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support
References: <20090226113933.GA29854@redhat.com>	<20090226115624.GL22494@redhat.com>
	<20090227104623.GD23877@redhat.com>
In-Reply-To: <20090227104623.GD23877@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org

Daniel P. Berrange wrote:
> On Thu, Feb 26, 2009 at 11:56:24AM +0000, Daniel P. Berrange wrote:
>   
>> diff -r 0eb0b12c0673 vnc-auth-sasl.c
>> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
>> +++ b/vnc-auth-sasl.c	Mon Feb 23 13:40:03 2009 +0000
>> +
>> +#include "vnc.h"
>> +
>> +/* Max amount of data we send/recv for SASL steps to prevent DOS */
>> +#define SASL_DATA_MAX_LEN (1024 * 1024)
>> +
>>     
>
>
> FYI, last time I posted this series, a question was raised about whether
> this limit is large enough for Windows Kerberos tickets with lots of
> groups. I've done a little googling and found this MicroSoft technote
>
> http://technet.microsoft.com/en-us/library/cc756101.aspx
>
>   "Recommended Maximum Kerberos Settings
>
>   The maximum recommended size for a Kerberos ticket is 65,535 bytes, 
>   which is configured through the MaxTokenSize REG_DWORD value in the 
>   registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Kerberos\Parameters).
>   Increasing this value from the default may cause errors, particularly
>   when Web browsers or Web servers are used. "
>
> Given that Microsoft recommends a max size of 65,535 bytes I think we
> should be OK with this 1MB limit on a SASL auth step. In any case this
> is only a server side sanity check, not a fundamental part of the auth
> protocol definition, so we can easily increase in future should it become
> a problem
>   
If I recall correctly, 1MB was the limit I placed on SASL authentication 
steps a while ago and while we had all kinds of trouble with large 
kerberos tickets from windows machines, it wasn't with SASL.   That code 
has been in production for a few years now.

jch