Re: RFC 4121 & acceptor subkey use in MIC token generation
https://www.novabbs.com/devel/article-flat.php?id=401&group=comp.protocols.kerberos#401
From: jhu...@cmu.edu (Jeffrey Hutzelman)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 15:58:57 -0400
Organization: TNet Consulting
Lines: 38
Message-ID: <mailman.25.1698350369.2263420.kerberos@mit.edu>
References: <3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu>
<ZTiT0ub2uv5A/b4E@ubby21>
<202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
<ZTk62q0DIAZmW0eL@ubby21>
<CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<CALF+FNxK2mrQFg_bKnBHoZFxg9B4pKRzzV9NqP1+rm0LbWLbAQ@mail.gmail.com>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <ZTrAlh0a/+Vq5P4f@ubby21>

On Thu, Oct 26, 2023 at 3:41 PM Nico Williams <nico@cryptonector.com> wrote:

>
> So what can you do? Well, you could build an online kerberized CA that
> vends short-lived OpenSSH-style certificates, then use that for SSH.
>

OpenSSH apparently does not support X.509 certificates because they believe
there is too much complexity. This is roughly the same problem we had with
getting GSS support into OpenSSH -- they are afraid of security technology
they didn't invent.

This is truly unfortunate, because we already have an online Kerberized CA
that vends short-lived X.509 certificates.

> Perhaps you'll find that easier to do than to send a PR for hard-coding
> mechanism OID->name mappings, and even if not, you may find it better
> for the long term anyways because it's fewer patches to maintain.
>
> Though credential delegation becomes hairy since all you can do then is
> ssh-agent forwarding, and if you need Kerberos credentials on the target
> end well, you won't get them unless you build yet another bridge where
> you have your online kerberized CA vend certificates for use with PKINIT
> so that you can kinit w/ PKINIT using a private key accessed over the
> forwarded ssh-agent.
>

The problem with this, of course, is that one must be careful not to permit
credentials to be renewed indefinitely by simply having the KDC and KCA
repeatedly issue new credentials. Fortunately, kx509 is careful not to
issue certificates valid past the ticket lifetime, and I believe compliant
PKINIT implementations don't issue tickets valid past the certificate "Not
After" time.

-- Jeff
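The lifetime-chaining rule in the last paragraph, modelled as an added example (not code from the thread, kx509 or any PKINIT implementation): a KCA clamps the certificate's notAfter to the authenticating ticket's end time, and a PKINIT KDC clamps the new ticket's end time to the certificate's notAfter, so bouncing between the two cannot extend credentials past the original ticket. The lifetimes, class names and functions are hypothetical; the unclamped path is included only to show what the rule prevents.

```python
# Added example: models the lifetime clamping described in the post.
# All names and lifetimes here are hypothetical, not taken from kx509 or any KDC.
from dataclasses import dataclass

TICKET_LIFETIME = 10 * 3600   # hypothetical KDC maximum ticket life (seconds)
CERT_LIFETIME = 12 * 3600     # hypothetical KCA default certificate life (seconds)

@dataclass(frozen=True)
class Ticket:
    endtime: int   # seconds since epoch

@dataclass(frozen=True)
class Cert:
    not_after: int   # seconds since epoch

def kca_issue_cert(ticket: Ticket, now: int, clamp: bool = True) -> Cert:
    """kx509-style KCA: certificate validity never exceeds the ticket's end time."""
    not_after = now + CERT_LIFETIME
    if clamp:
        not_after = min(not_after, ticket.endtime)
    return Cert(not_after=not_after)

def kdc_pkinit_issue_ticket(cert: Cert, now: int, clamp: bool = True) -> Ticket:
    """PKINIT KDC: ticket end time never exceeds the client certificate's notAfter."""
    if now >= cert.not_after:
        raise ValueError("certificate expired; cannot obtain a ticket with it")
    endtime = now + TICKET_LIFETIME
    if clamp:
        endtime = min(endtime, cert.not_after)
    return Ticket(endtime=endtime)

def bounce(initial: Ticket, start: int, rounds: int, step: int, clamp: bool) -> int:
    """Alternate KCA and PKINIT `rounds` times, `step` seconds apart.

    Returns the final ticket end time. With clamping it never grows; without
    clamping every round pushes expiry further out (indefinite renewal).
    """
    ticket, now = initial, start
    for _ in range(rounds):
        cert = kca_issue_cert(ticket, now, clamp)
        now += step
        ticket = kdc_pkinit_issue_ticket(cert, now, clamp)
        now += step
    return ticket.endtime

if __name__ == "__main__":
    t0 = Ticket(endtime=TICKET_LIFETIME)   # constructed: ticket issued at time 0
    print("clamped extension (s):", bounce(t0, 0, 5, 1800, True) - t0.endtime)     # 0
    print("unclamped extension (s):", bounce(t0, 0, 5, 1800, False) - t0.endtime)  # 16200
```

Once the clamped chain reaches the original ticket's end time, the next PKINIT request fails with an expired certificate instead of minting fresh credentials.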
