Re: Stateless PKINIT?
https://www.novabbs.com/devel/article-flat.php?id=510&group=comp.protocols.kerberos#510

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Stateless PKINIT?
Date: Thu, 14 Mar 2024 15:27:45 -0400
Organization: TNet Consulting
Lines: 35
Message-ID: <mailman.58.1710444473.2322.kerberos@mit.edu>
References: <8D20D248-822B-47F1-ABAA-9C46B4E99F2F@gmail.com>
<202403141927.42EJRjld032498@hedwig.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
To: Yoann Gini <yoann.gini@gmail.com>
In-Reply-To: <8D20D248-822B-47F1-ABAA-9C46B4E99F2F@gmail.com>
by: Ken Hornstein - Thu, 14 Mar 2024 19:27 UTC

>Is there a way when using PKINIT to not need any internal list of
>principals but to rely on the validity of the certificate to proxy the
>certificate identity into the Kerberos ticket?

I know what all of those words are, but I'm unclear what they mean all
together. I think you mean _this_ step:

>— the KDC needs to issue the needed TGT then TGS based on the identity
>in the certificate if CRL is OK

To get a TGT issued you need to send an AS-REQ, which is going to have
a client principal in it, so normally that's already done. However,
you are allowed to set the canonicalization flag as part of the AS-REQ
message and the KDC can change the client principal.

Note: this is where we reach the limits of my experience, so others may
correct me on the following points. Also, I'm limiting my speaking to
the MIT Kerberos implementation.

It looks like there is some code in the MIT KDC to perform such
a lookup; the database plugin API contains a function called
krb5_db_get_s4u_x509_principal(), which takes a client certificate. But
neither of the current database implementations (db2 or LDAP) use that
plugin API today. Note that third-party code may already exist that
uses that API, but I am unfamiliar with it.

It looks like if you go that route you have to add that certificate
to the client request outside of PKINIT. In either case I do not
believe you can actually just stick the SPNEGO API as that PKINIT
would require initial ticket acquisition.

It feels like a large number of the pieces are there, but I am not
sure it's going to be turnkey.

--Ken
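As an added illustration (not code from this thread or from MIT Kerberos), here is a toy model of the KDC-side decision the reply describes: a PKINIT AS-REQ names a client principal, and the KDC decides whether the certificate identity may go into the TGT, with and without the canonicalize flag. The `lookup_by_cert` callable and the `trust_cert_identity` policy switch are assumptions standing in for a database hook like the `get_s4u_x509_principal` entry point mentioned above; the error names are the KRB-ERROR codes defined in RFC 4120 and RFC 4556.

```python
"""Toy model of the KDC-side choice discussed in the reply: a PKINIT AS-REQ
names a client principal, and the KDC must decide whether the certificate
identity may be placed into the TGT. Added illustration, not MIT krb5 code."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class PkinitAsReq:
    cname: str              # client principal named in the AS-REQ
    canonicalize: bool      # KDC-OPTIONS canonicalize flag (RFC 6806)
    cert_principal: str     # principal from the certificate's PKINIT SAN;
                            # assumed already parsed and signature-checked
    cert_revoked: bool      # outcome of the CRL check for that certificate


class KdcError(Exception):
    """Raised with the KRB-ERROR name the KDC would return (RFC 4120/4556)."""


def choose_client_principal(req: PkinitAsReq,
                            lookup_by_cert: Callable[[str], Optional[str]],
                            trust_cert_identity: bool = False) -> str:
    """Return the client principal to put in the TGT, or raise KdcError.

    lookup_by_cert is a hypothetical stand-in for a database hook such as
    the get_s4u_x509_principal plugin entry point named in the thread: it
    maps a certificate identity to a known principal, or returns None.
    """
    if req.cert_revoked:
        raise KdcError("KDC_ERR_REVOKED_CERTIFICATE")
    mapped = lookup_by_cert(req.cert_principal)
    if mapped is None:
        if not trust_cert_identity:
            raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        # "Stateless" policy the question asks about: trust the validated,
        # unrevoked certificate identity itself; no principal list consulted.
        mapped = req.cert_principal
    if mapped == req.cname:
        return mapped  # normal case: the client already named itself correctly
    if not req.canonicalize:
        # Without canonicalize the KDC may not substitute a different
        # client name, so a mismatch is a hard failure.
        raise KdcError("KDC_ERR_CLIENT_NAME_MISMATCH")
    # With canonicalize set the KDC may rewrite cname; the client must
    # accept the name it finds in the AS-REP.
    return mapped


# Constructed sample "database": certificate identity -> principal.
SAMPLE_DB = {"alice@EXAMPLE.COM": "alice@EXAMPLE.COM",
             "bob.smith@EXAMPLE.COM": "bsmith@EXAMPLE.COM"}


def sample_lookup(cert_principal: str) -> Optional[str]:
    return SAMPLE_DB.get(cert_principal)
```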
