Re: Stateless PKINIT?
From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: Stateless PKINIT?
Date: Thu, 14 Mar 2024 16:56:37 -0400
Organization: TNet Consulting
Lines: 32
Message-ID: <mailman.59.1710449807.2322.kerberos@mit.edu>
References: <8D20D248-822B-47F1-ABAA-9C46B4E99F2F@gmail.com>
<202403141927.42EJRjld032498@hedwig.cmf.nrl.navy.mil>
<eacd921c-8033-49fc-8521-7b0f5be2f297@mit.edu>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, Yoann Gini <yoann.gini@gmail.com>
In-Reply-To: <202403141927.42EJRjld032498@hedwig.cmf.nrl.navy.mil>
 by: Greg Hudson - Thu, 14 Mar 2024 20:56 UTC

On 3/14/24 15:27, Ken Hornstein via Kerberos wrote:
>> Is there a way when using PKINIT to not need any internal list of
>> principals but to rely on the validity of the certificate to proxy the
>> certificate identity into the Kerberos ticket?
>
> I know what all of those words are, but I'm unclear what they mean all
> together. I think you mean _this_ step:

I believe Yoann is asking for a KDC configuration where the KDB contains
server principal entries (including a krbtgt entry) but no client
principal entries. PKINIT does not require client long-term keys, and
other client principal fields (except for the name) could be taken from
a template entry.

MIT krb5 does not currently have this ability with the built-in KDB
modules. It could be done with a custom KDB module, but that module
would also have to provide all of the regular KDB functionality for the
server principal entries, and the KDB interface isn't designed to be
stackable (meaning it isn't trivial to implement an overlay).

Alternatively, I think it would be a relatively simple change to the
core KDC code to support this: do_as_req.c:lookup_client() could look up
a template at a fixed name (WELLKNOWN/CLIENT-TEMPLATE or something) if
the regular client lookup fails, and substitute in the requested name.

> It looks like there is some code in the MIT KDC to perform such
> a lookup; the database plugin API contains a function called
> krb5_db_get_s4u_x509_principal(), which takes a client certificate.

This KDB method is there to support S4U2Self requests where the
requesting server presents an X.509 certificate instead of a client
principal name. It
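The template-entry fallback Greg sketches for lookup_client(), modelled in Python as an added illustration (this is not MIT krb5 code; the function and attribute names, the WELLKNOWN/CLIENT-TEMPLATE name and the EXAMPLE.COM realm are assumptions). The point it adds is the check that keeps the fallback safe: the synthesized entry has no long-term keys, so it may only be handed out for a PKINIT request whose certificate-mapped identity equals the requested client name.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set

# Template name proposed in the post; realm is a constructed example value.
TEMPLATE_NAME = "WELLKNOWN/CLIENT-TEMPLATE@EXAMPLE.COM"


@dataclass
class PrincipalEntry:
    name: str
    keys: List[bytes] = field(default_factory=list)  # empty: no long-term key
    max_life: int = 36000
    attributes: Set[str] = field(default_factory=set)


class ClientNotFound(LookupError):
    """Stands in for the KDC's client-principal-unknown error."""


def lookup_client(kdb: Dict[str, PrincipalEntry], requested: str,
                  pkinit_identity: Optional[str]) -> PrincipalEntry:
    """Hypothetical template fallback. `pkinit_identity` is the principal
    name the KDC already mapped from a verified client certificate, or
    None for a non-PKINIT AS-REQ."""
    entry = kdb.get(requested)
    if entry is not None:
        return entry                      # normal path: real KDB entry
    template = kdb.get(TEMPLATE_NAME)
    if template is None:
        raise ClientNotFound(requested)   # no template configured: old behaviour
    # The template carries no keys, so only PKINIT can authenticate the
    # client, and the requested name must be the one the certificate binds;
    # otherwise any valid certificate could claim any client name.
    if pkinit_identity is None or pkinit_identity != requested:
        raise ClientNotFound(requested)
    return replace(template, name=requested, keys=[],
                   attributes=set(template.attributes))


def client_found(kdb, requested, pkinit_identity) -> bool:
    try:
        lookup_client(kdb, requested, pkinit_identity)
        return True
    except ClientNotFound:
        return False


def sample_kdb() -> Dict[str, PrincipalEntry]:
    """Constructed KDB: server entries plus the template, no client entries."""
    tgt = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
    return {
        tgt: PrincipalEntry(tgt, keys=[b"tgs-key"]),
        TEMPLATE_NAME: PrincipalEntry(TEMPLATE_NAME, max_life=8 * 3600,
                                      attributes={"requires_preauth"}),
    }
```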
