IPv6 client addresses handled incorrectly #58

Open
grawity opened this issue Mar 22, 2021 · 2 comments

@grawity

grawity commented Mar 22, 2021

When a client requests /v1/auth/kerberos/login via IPv6, the plugin logs a complaint:

```
[INFO]  auth.kerberos.auth_kerberos_cf8afb18: ::1:8080 - SPNEGO could not parse client address: invalid format of client address: address ::1:8080: too many colons in address

[INFO]  auth.kerberos.auth_kerberos_cf8afb18: ::1:8080 [email protected] - SPNEGO authentication succeeded
```

(I'm not sure where the :8080 port number comes from.)

@fairclothjm
Contributor

@grawity Sorry for the very late response here! It looks like authenticate succeeds, is that correct?

The port comes from here:

```go
// Because the outer application strips off the raw request, we need to
// re-compose it to use this authentication handler. Only the request
// remote addr and headers are used anyways. We use an arbitrary port
// of 8080 because it's not used for anything but logging, but is required
// by an underlying parser.
rebuiltReq := &http.Request{
	Header:     req.Headers,
	RemoteAddr: req.Connection.RemoteAddr + ":8080",
}
```

I don't believe there is any actual error here.

@grawity
Author

grawity commented Oct 28, 2024

> @grawity Sorry for the very late response here! It looks like authenticate succeeds, is that correct?
>
> The port comes from here:
>
> ```go
> // Because the outer application strips off the raw request, we need to
> // re-compose it to use this authentication handler. Only the request
> // remote addr and headers are used anyways. We use an arbitrary port
> // of 8080 because it's not used for anything but logging, but is required
> // by an underlying parser.
> rebuiltReq := &http.Request{
> 	Header:     req.Headers,
> 	RemoteAddr: req.Connection.RemoteAddr + ":8080",
> }
> ```
>
> I don't believe there is any actual error here.

As I recall, it did succeed, yes, and just logged a warning. (I admit that my Vault usage has been on the backburner for a while.)

But the comment says "...required by an underlying parser", and it seems that said parser attempts to actually parse the address provided, so it would probably be better to give it a valid address either way.

Usually, IPv6 addresses need to be formatted as [addr]:port when combined with a port number, e.g. [::1]:8080 or [2001:db8::42]:8080 and that's most likely what the aforementioned parser is expecting to receive. (I believe it uses net.SplitHostPort() if my golang source search went right.)
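
The difference discussed in this thread, as an added example that is not part of the issue or of the plugin's code: plain concatenation of `":8080"` versus `net.JoinHostPort`, each fed to a parser built on `net.SplitHostPort`. It assumes the downstream parser uses `net.SplitHostPort`, as the last comment suspects; the function names and sample addresses are hypothetical.

```go
package main

import (
	"fmt"
	"net"
)

// composeNaive mirrors the concatenation quoted in the thread: it appends
// ":8080" to the bare client IP, which is ambiguous for IPv6 literals.
func composeNaive(clientIP string) string {
	return clientIP + ":8080"
}

// composeBracketed uses net.JoinHostPort, which wraps any host containing
// a colon (an IPv6 literal) in square brackets before adding the port.
func composeBracketed(clientIP string) string {
	return net.JoinHostPort(clientIP, "8080")
}

// parseHost stands in for the downstream parser (assumed to be based on
// net.SplitHostPort) and returns the host part or the parse error.
func parseHost(hostport string) (string, error) {
	host, _, err := net.SplitHostPort(hostport)
	return host, err
}

func main() {
	// Constructed sample client addresses (loopback and documentation ranges).
	for _, ip := range []string{"192.0.2.10", "::1", "2001:db8::42"} {
		for _, addr := range []string{composeNaive(ip), composeBracketed(ip)} {
			host, err := parseHost(addr)
			if err != nil {
				fmt.Printf("%-22s parse error: %v\n", addr, err)
				continue
			}
			fmt.Printf("%-22s host=%s\n", addr, host)
		}
	}
}
```

For IPv4 both forms produce the same string, so only IPv6 clients hit the parse error and lose the parsed client address in the log.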
