Re: RFC 4121 & acceptor subkey use in MIC token generation

From: sim...@redhat.com (Simo Sorce)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Fri, 27 Oct 2023 13:48:26 -0400
Organization: Red Hat
Message-ID: <mailman.36.1698428940.2263420.kerberos@mit.edu>
 by: Simo Sorce - Fri, 27 Oct 2023 17:48 UTC

On Thu, 2023-10-26 at 17:57 -0400, Ken Hornstein via Kerberos wrote:
> > > Unfortunately, ANOTHER one of the "fun" rules I live under is, "Thou
> > > shall have no other PKI than the DoD PKI". And as much as I can
> > > legitimately argue for many of the unusual things that I do, I can't
> > > get away with that one; [...]
> >
> > A CA that issues short-lived certificates (for keys that might be
> > software keys) is morally equivalent to a Kerberos KDC. You ought to be
> > able to deploy such online CAs that issue only short-lived certs.
>
> You know that. I know that. But remember: "if you're explaining,
> you're losing". When asked I can honestly say, "Kerberos is not
> a PKI" and that's good enough, but I can't say with a straight
> face, "This X.509 CA over here is not a PKI".
>
> > Presumably OpenSSH CAs are a different story because they're not
> > x.509? :)
>
> Strangely enough, I am not aware of anyone in the DoD that uses OpenSSH
> CAs (there probably are, I just don't know them). I could see it being
> argued both ways. The people I know who use OpenSSH are (a) using
> gssapi-with-mic like us, (b) just using passwords, or (c) using their
> client smartcard key as a key for RSA authentication and they call that
> "DOD PKI authentication". Again, you know and I know that isn't really
> using PKI certificates, but the people up the chain aren't really smart
> enough to understand the distinction; they see that you're using the
> smartcard and that's good enough for them.
>
> > > We _do_ do PKINIT with the DoD PKI today; that is relatively
> > > straightforward with the exception of dealing with certificate
> > > revocation (last time I checked the total size of the DOD CRL package
> > > was approximately 8 million serial numbers, sigh).
> >
> > Don't you have OCSP responders?
>
> We _do_, it's just a pain to find an OCSP responder that can handle that
> many. If the official ones go offline that breaks our KDC so we run our
> own locally.
>
> > One of the problems I'm finding is that SSHv2 client implementations are
> > proliferating, and IDEs nowadays tend to come with one, and not one of
> > them supports GSS-KEYEX, though most of them support gssapi-with-mic, so
> > it makes you want to give up on GSS-KEYEX.
>
> Right, part of the problem there is that people want to "use Kerberos
> with ssh", and they don't understand the difference between
> gssapi-with-mic and gss-keyex.

Aren't you supposed to use CAC or PIV cards?
You can definitely use openssh clients with PIV cards and avoid
kerberos altogether.

Simo.

--
Simo Sorce,
DE @ RHEL Crypto Team,
Red Hat, Inc
