Re: RFC 4121 & acceptor subkey use in MIC token generation

https://www.novabbs.com/devel/article-flat.php?id=413&group=comp.protocols.kerberos#413

Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Fri, 27 Oct 2023 14:01:05 -0400
Organization: TNet Consulting
Lines: 23
Message-ID: <mailman.37.1698429696.2263420.kerberos@mit.edu>
References: <202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
<ZTk62q0DIAZmW0eL@ubby21>
<CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<202310262110.39QLAdhW010116@hedwig.cmf.nrl.navy.mil>
<ZTraV0714XV7hsxx@ubby21>
<202310262157.39QLvb2C012728@hedwig.cmf.nrl.navy.mil>
<48daa6105af9bb8794a0003e75ad7cd3fdf3c9e4.camel@redhat.com>
<202310271801.39RI15Ud018075@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: kerberos@mit.edu
To: Simo Sorce <simo@redhat.com>
In-Reply-To: <48daa6105af9bb8794a0003e75ad7cd3fdf3c9e4.camel@redhat.com>
 by: Ken Hornstein - Fri, 27 Oct 2023 18:01 UTC

>> Right, part of the problem there is that people want to "use Kerberos
>> with ssh", and they don't understand the difference between gssapi-with-mic
>> and gss-keyex.
>
>Aren't you supposed to use CAC or PIV cards?

Well, I hate to use the "Air Bud" loophole, but the rules as I
understand them don't ACTUALLY say that for ssh, and in some contexts
they explicitly say that plaintext passwords are fine as long as you're
doing something like using a RADIUS server to verify the password. Yes,
the RADIUS protocol is terrible and has MD5 baked into the protocol and
no one has ever explained to me why the STIGs say FIPS mode is mandatory
but RADIUS is fine.

>You can definitely use openssh clients with PIV cards and avoid
>kerberos altogether.

I have done that! But that is actually TERRIBLE IMHO from a security
perspective unless you write a whole pile of infrastructure code; maybe
some sites actually do that but the people I've seen with that setup do
not and then get surprised when they get a new CAC and that breaks. If
you funnel all that through PKINIT then things are much nicer.
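The remark above that RADIUS "has MD5 baked into the protocol" refers to two constructions in RFC 2865: the User-Password hiding of section 5.2 (an MD5 keystream XORed over the NUL-padded password) and the Response Authenticator of section 3 (an MD5 over the packet plus the shared secret). The block below is an added example, not code from this post, from the Kerberos list, or from any RADIUS implementation; the shared secret and the 16-byte Request Authenticator are constructed values chosen for the demonstration. It implements both constructions and shows the consequence of a NAS reusing a Request Authenticator: the first keystream block is identical for both requests, so XORing the two hidden passwords yields the XOR of the plaintexts without knowing the secret.

```python
import hashlib
import struct

# Constructed example values (not from the post): a RADIUS shared secret and a
# 16-byte Request Authenticator as a NAS would place in an Access-Request.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 octets and XORed block by
    block with an MD5 keystream: b1 = MD5(secret || RA), bn = MD5(secret || c(n-1)).
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the ciphertext block feeds the next MD5
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password. Anyone holding the shared secret and the
    Request Authenticator (which travels in the clear) recovers the password;
    trailing NUL padding is stripped as the RFC directs the server to do."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    This 16-byte MD5 value is the only integrity protection on a plain
    Access-Accept / Access-Reject; the Length field covers the 20-byte header.
    """
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def xor_of_first_blocks(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """Keystream-reuse leak. If two Access-Requests share the same secret and
    the NAS reuses the Request Authenticator, both first blocks are masked by
    the same MD5(secret || RA), so XORing the hidden values gives
    padded_password_a XOR padded_password_b with no knowledge of the secret."""
    return bytes(a ^ b for a, b in zip(hidden_a[:16], hidden_b[:16]))


if __name__ == "__main__":
    hidden = hide_password(b"correct horse battery", SECRET, REQUEST_AUTHENTICATOR)
    print("hidden User-Password:", hidden.hex())
    print("recovered with secret:", unhide_password(hidden, SECRET, REQUEST_AUTHENTICATOR))
    accept = response_authenticator(2, 7, b"", REQUEST_AUTHENTICATOR, SECRET)
    print("Access-Accept Response Authenticator:", accept.hex())
    leak = xor_of_first_blocks(hide_password(b"alpha", SECRET, REQUEST_AUTHENTICATOR),
                               hide_password(b"bravo", SECRET, REQUEST_AUTHENTICATOR))
    print("XOR of two passwords under a reused authenticator:", leak.hex())
```

Run it as a script to see the round trip and the leak; the point for an assessor is that the whole scheme rests on a shared secret plus MD5, with nothing stronger available in the base protocol, which is what makes "RADIUS is fine but FIPS mode is mandatory" look inconsistent.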
