Re: RFC 4121 & acceptor subkey use in MIC token generation

https://www.novabbs.com/devel/article-flat.php?id=415&group=comp.protocols.kerberos#415

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Fri, 27 Oct 2023 21:15:25 -0400
Organization: TNet Consulting
Lines: 29
Message-ID: <mailman.39.1698455739.2263420.kerberos@mit.edu>
References: <ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<202310262110.39QLAdhW010116@hedwig.cmf.nrl.navy.mil>
<ZTraV0714XV7hsxx@ubby21>
<202310262157.39QLvb2C012728@hedwig.cmf.nrl.navy.mil>
<48daa6105af9bb8794a0003e75ad7cd3fdf3c9e4.camel@redhat.com>
<202310271801.39RI15Ud018075@hedwig.cmf.nrl.navy.mil>
<ZTwdLkmGk3G+vv6B@ubby21>
<202310280115.39S1FQAT010773@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: kerberos@mit.edu
In-Reply-To: <ZTwdLkmGk3G+vv6B@ubby21>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
X-Mailman-Original-Message-ID: <202310280115.39S1FQAT010773@hedwig.cmf.nrl.navy.mil>

>Uh... If someone was able to swing that then you should be able to
>swing use of MD5 for non-cryptographic purposes where a 20 year old RFC
>requires it. But, I know, I know, never mind.

You are assuming someone is looking at all of the STIGs and they're all
logically consistent with each other. I think the reality is that whoever
does the AAA STIG doesn't really look at or care about any of the others.

>IDEA: Patch ssh to support use of x.509 certificates.
>
>After all, you can't use OpenSSH certs because... that's not "the DoD
>PKI", and you can't use GSS-KEYEX because of the foregoing MD5
>non-issue, so might as well do the one thing you are allowed to do: use
>the DoD PKI!

Well, I _am_ allowed to use gssapi-with-mic (there's no rule against
it, e.g. the "Air Bud" loophole), and as you note everything seems to
support that, and honestly it seems to work completely fine. I'm not
sure what having OpenSSH use X.509 certificates directly would get us,
other than a huge pile of code that wasn't compatible with anything
else.

>And you're using Heimdal, right?

Geez, you missed that part? No, we are pretty much an MIT shop. And
judging by what I've seen, it seems like that's so for most of the DoD (at
least on the Unix side of things).

--Ken
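The "MD5 for non-cryptographic purposes where an RFC requires it" point above is worth seeing concretely. The following is an added example, not code from this post or from OpenSSH, MIT Kerberos or Heimdal. It assumes the MD5 use being argued about is the GSS-API key-exchange method naming of RFC 4462 (the spec behind what the thread calls GSS-KEYEX), where each method name is a fixed prefix followed by base64(MD5(DER encoding of the mechanism OID, tag and length included)). The Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 and the three RFC 4462 prefixes are from those RFCs; the function names are the example's own.

```python
"""Derive RFC 4462 GSS-API key-exchange method names from a mechanism OID.

Added example, not from the original post. Assumption: the MD5 use under
discussion is RFC 4462's method-name construction, which is
    <prefix> || base64( MD5( DER(mechanism OID) ) )
MD5 here only mangles an OID into a short, fixed-length identifier that both
sides can match in KEXINIT; no key material or integrity check depends on
it, which is why it is a "non-cryptographic" use.
"""
import base64
import hashlib

# RFC 4462 section 2.3 method-name prefixes (RFC 8732 adds SHA-2 families
# built the same way, e.g. "gss-group14-sha256-", with the same OID suffix).
KEX_PREFIXES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")

# Kerberos V5 GSS-API mechanism OID (RFC 1964).
KRB5_MECH_OID = "1.2.840.113554.1.2.2"


def encode_oid_der(oid: str) -> bytes:
    """DER-encode a dotted OID, including the 0x06 tag and the length octet.

    Mechanism OIDs are short, so only the short-form length is supported.
    """
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        # base-128 encoding, continuation bit set on every octet but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("long-form DER length not supported")
    return bytes([0x06, len(body)]) + bytes(body)


def kex_suffix(oid: str) -> str:
    """base64(MD5(DER(oid))) exactly as RFC 4462 specifies.

    usedforsecurity=False is the honest flag here: this is a name hash, and
    it also keeps the call working on builds that block MD5 in FIPS mode.
    """
    digest = hashlib.md5(encode_oid_der(oid), usedforsecurity=False).digest()
    return base64.b64encode(digest).decode("ascii")


def kex_method_names(oid: str) -> list[str]:
    """All RFC 4462 method names a peer would advertise for this mechanism."""
    return [prefix + kex_suffix(oid) for prefix in KEX_PREFIXES]


if __name__ == "__main__":
    print("DER:", encode_oid_der(KRB5_MECH_OID).hex())
    for name in kex_method_names(KRB5_MECH_OID):
        print(name)
```

Running it for the Kerberos V5 OID prints the names (e.g. "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==") that a GSS-KEYEX-enabled client or server puts in its KEXINIT kex_algorithms list; the stock gssapi-with-mic userauth method Ken describes never touches this code path, since it authenticates inside an already negotiated SSH key exchange.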
