-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZMQ_GSSAPI_PRINCIPAL sockopt has no effect on client side #2531
Comments
I can't say I'm familiar with GSSAPI, but the only thing that ZMQ_GSSAPI_PRINCIPAL variable seem to be used for is this call to acquire_credential: https://github.com/zeromq/libzmq/blob/master/src/gssapi_client.cpp#L63 Does it ring a bell? |
Maybe, though I'm also not too familiar. Still I'll have a go :-) According to zmq_gssapi(7) ZMQ_GSSAPI_PRINCIPAL sockopt is supposed to be set on both client and server side. On the client side, the "service_name" arg to According to https://web.mit.edu/kerberos/krb5-1.12/doc/appdev/gssapi.html
Hmm, maybe that's causing If so, a secondary question is: if |
Sorry but again never used this features - if you find any issues and have a fix, given it sounds like you have a way to test them, please do send PRs |
Getting a PR together and still digging through gssapi to grok better, but wanted update status and ask for feedback from @cbusbey if he's still out there? First, it seems that autoconf support for Second, a documentation issue: zmq_gssapi(7) says that ZMQ_GSSAPI_PRINCIPAL must be set on both client and server. It seems to actually be optional; the default principal will be used if it's not set. Finally, ZMQ_GSSAPI_PRINCIPAL on the client side fails when a valid principal is provided because |
Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name for which credentials cannot be obtained, authentication proceeds with default credentials. Check whether an error occurred acquiring credentials before proceding to initialize the security context. Fixes zeromq#2531
Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name for which credentials cannot be obtained, authentication proceeds with default credentials. Check whether an error occurred acquiring credentials before proceding to initialize the security context. Fixes zeromq#2531
I can still see that ZMQ_GSSAPI_PRINCIPAL has no effect on the client socket... |
Yeah, that is what was fixed here. The fix landed in libzmq-4.2.4. What version of libzmq is clrzmq4 using underneath? (Disclaimer: I am not familiar with that binding). |
Thank you for the answer.... it seems i am using the older version of 4.2.4 |
I am trying to get GSSAPI security working with my application, and indeed seem have it going with libzmq 4.1.4 and czmq 3.0.2. (My compliments to the author for getting this integrated with the libzmq security framework!) However, this one quirk puzzles me:
Setting ZMQ_GSSAPI_PRINCIPAL (e.g. with czmq 3.0.2
zsock_set_gssapi_principal()
seems not to matter on the client end. I can set it to a random string, or not set it all, and authentication still works using the default principal, presumably figured out by the underlying libkrb5. It does not seem possible to influence the choice of principal, even when several are available in the credential cache.This would seem contrary to how @cbusbey's gist indicates it should work.
If anyone else is working with GSSAPI perhaps they can confirm these results, or explain why this is OK. Meanwhile I will try to put together a simple reproducer.
TL;DR downstream issue is flux-framework/flux-core#758
The text was updated successfully, but these errors were encountered: