Re: Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

https://www.novabbs.com/devel/article-flat.php?id=426&group=comp.protocols.kerberos#426

From: jcalm...@nvidia.com (Jonathan Calmels)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)
Date: Thu, 9 Nov 2023 09:05:19 +0000
Organization: TNet Consulting
Message-ID: <mailman.48.1699527219.2263420.kerberos@mit.edu>
References: <BYAPR12MB2888DAD8E37405BF96B1065CBB339@BYAPR12MB2888.namprd12.prod.outlook.com>
<87y1t1ntsv.fsf@hope.eyrie.org>
<CALF+FNxW4gXTuS6iBPKaFeLLRoD1Y+-n-Nd-G7-V=W30AOg9eg@mail.gmail.com>
<3c20a908-eced-131e-527d-5b7fab957a68@mit.edu>
<CALF+FNzsG3Q=w0+KZYHurgDjiNRg252ar6pCa_5=H8kDjAynWA@mail.gmail.com>
<BYAPR12MB288836425E0CEEFBB8509607BBAFA@BYAPR12MB2888.namprd12.prod.outlook.com>
Cc: Russ Allbery <eagle@eyrie.org>, Jonathan Calmels via Kerberos <kerberos@mit.edu>
To: Jeffrey Hutzelman <jhutz@cmu.edu>, Greg Hudson <ghudson@mit.edu>
In-Reply-To: <CALF+FNzsG3Q=w0+KZYHurgDjiNRg252ar6pCa_5=H8kDjAynWA@mail.gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

by: Jonathan Calmels - Thu, 9 Nov 2023 09:05 UTC

I finally had some time to implement this so here is the link if someone's interested: https://github.com/NVIDIA/sybil

This is a PoC which essentially does what was suggested in this thread. The service can forge TGTs or cross-realm TGTs, although I found the latter less useful since most tools can't deal with those on their own.

I'm sure this can be improved further, but it seems to do the job for the scenario I described initially.

Hopefully, somebody finds it useful. Also, contributions are welcome if somebody has a slightly different use case in mind.

________________________________
From: Jeffrey Hutzelman <jhutz@cmu.edu>
Sent: Friday, October 28, 2022 5:30:41 AM
To: Greg Hudson <ghudson@mit.edu>
Cc: Russ Allbery <eagle@eyrie.org>; Jonathan Calmels via Kerberos <kerberos@mit.edu>; Jonathan Calmels <jcalmels@nvidia.com>
Subject: Re: Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

Ah, I didn't realize MIT Kerberos had grown the "KDB" keytab method. That's similar to Jonathan's idea of using the kadmin libraries to extract the client's key from the kdb, but didn't require wiring custom code. It does require colocating with a KDC, but I agree with Russ; it's probably best to do that anyway.

-- Jeff

On Fri, Oct 28, 2022, 00:06 Greg Hudson <ghudson@mit.edu> wrote:
On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> You don't need libkadm5 for any of this -- all you need to print a service
> ticket (even a TGT) is the service's key. Heimdal comes with a program,
> kimpersonate, which does this and could easily be used as a basis for your
> impersonation service.

MIT krb5 has a sort-of equivalent: "kinit -k -t KDB: username". The KDC
is still in the loop, but no password or keytab for the user is
required. (Add "-S krbtgt/OTHERREALM" for a cross-realm TGT.)
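The "kinit -k -t KDB:" approach Greg describes is the piece an impersonation service would actually wrap, so here is an added example of such a wrapper. It is not code from this thread and not part of NVIDIA/sybil; the helper names (valid_principal, valid_realm, impersonate_args, impersonate_tgt), the 10-minute ticket lifetime and the /tmp cache location are my choices for illustration. It assumes it runs on the KDC host as a user that can read the KDC database and master-key stash (normally root), with krb5.conf and kdc.conf already configured, which is exactly the colocation Jeff and Russ recommend above.

```shell
#!/bin/sh
# Added example, not code from the thread or from NVIDIA/sybil: a wrapper
# around MIT krb5's "kinit -k -t KDB: user" for a TGT-impersonation service.
# Assumed environment: the KDC host, running as a user that can read the KDC
# database and stash file (normally root), with krb5.conf/kdc.conf in place.

set -f   # no pathname expansion: the kinit argument list is built by word splitting

# Accept only "primary[/instance]@REALM" from a conservative character set,
# with no leading "-", so a caller-supplied name can never be parsed by kinit
# as an option or reach the shell as metacharacters.
valid_principal() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9._@/-]*|*@*@*) return 1 ;;
    *@*) return 0 ;;
    *) return 1 ;;
  esac
}

# Realm names: letters, digits, dots and hyphens only, no leading "-".
valid_realm() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the kinit arguments one per line: keytab type KDB:, a private
# credential cache, a deliberately short lifetime (the forged TGT is a full
# impersonation credential, so it should not outlive the request that needed
# it) and, when OTHER_REALM is given, "-S krbtgt/OTHER_REALM" to obtain a
# cross-realm TGT instead of the local one.
impersonate_args() {
  user=$1; cache=$2; other_realm=$3
  printf '%s\n' -k -t KDB: -c "$cache" -l 10m
  if [ -n "$other_realm" ]; then
    printf '%s\n' -S "krbtgt/$other_realm"
  fi
  printf '%s\n' "$user"
}

# Obtain a TGT for USER into a fresh cache, log the issuance to syslog, and
# print the cache path on success. Returns 2 for a rejected name, 1 if kinit
# fails.
impersonate_tgt() {
  user=$1; other_realm=${2:-}
  valid_principal "$user" || { printf 'rejected principal: %s\n' "$user" >&2; return 2; }
  if [ -n "$other_realm" ] && ! valid_realm "$other_realm"; then
    printf 'rejected realm: %s\n' "$other_realm" >&2; return 2
  fi
  cache=$(mktemp /tmp/krb5cc_impersonate.XXXXXX) || return 1
  # Inputs were validated to contain no whitespace or glob characters, so
  # splitting the printed argument list back into words is safe here.
  if ! kinit $(impersonate_args "$user" "FILE:$cache" "$other_realm"); then
    rm -f "$cache"; return 1
  fi
  logger -p auth.notice -t impersonate \
    "issued TGT for $user target=${other_realm:-local} cache=$cache"
  printf '%s\n' "$cache"
}

# Example invocations (only meaningful on a KDC):
#   impersonate_tgt alice@EXAMPLE.COM            # local TGT for alice
#   impersonate_tgt alice@EXAMPLE.COM OTHER.COM  # cross-realm TGT for OTHER.COM
```

Two points the wrapper is built around: the input check matters because anything that reaches kinit's argument list as a caller-controlled string is an option-injection surface on the KDC itself, and every issuance is logged because a TGT produced this way is indistinguishable from one the user obtained with their own password, so the service's own log is the only record that impersonation happened.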
