[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support

From: John Haxby
Subject: Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support
Date: Fri, 27 Feb 2009 11:14:18 +0000
User-agent: Thunderbird (X11/20090105)

Daniel P. Berrange wrote:
On Thu, Feb 26, 2009 at 11:56:24AM +0000, Daniel P. Berrange wrote:
diff -r 0eb0b12c0673 vnc-auth-sasl.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/vnc-auth-sasl.c   Mon Feb 23 13:40:03 2009 +0000
+#include "vnc.h"
+/* Max amount of data we send/recv for SASL steps to prevent DOS */
+#define SASL_DATA_MAX_LEN (1024 * 1024)

FYI, last time I posted this series, a question was raised about whether
this limit is large enough for Windows Kerberos tickets with lots of
groups. I've done a little googling and found this MicroSoft technote


  "Recommended Maximum Kerberos Settings

The maximum recommended size for a Kerberos ticket is 65,535 bytes, which is configured through the MaxTokenSize REG_DWORD value in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Kerberos\Parameters).
  Increasing this value from the default may cause errors, particularly
  when Web browsers or Web servers are used. "

Given that Microsoft recommends a max size of 65,535 bytes I think we
should be OK with this 1MB limit on a SASL auth step. In any case this
is only a server side sanity check, not a fundamental part of the auth
protocol definition, so we can easily increase in future should it become
a problem
If I recall correctly, 1MB was the limit I placed on SASL authentication steps a while ago and while we had all kinds of trouble with large kerberos tickets from windows machines, it wasn't with SASL. That code has been in production for a few years now.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]