Re: Stateless PKINIT?

https://www.novabbs.com/devel/article-flat.php?id=512&group=comp.protocols.kerberos#512

From: yoann.g...@gmail.com (Yoann Gini)
Newsgroups: comp.protocols.kerberos
Subject: Re: Stateless PKINIT?
Date: Fri, 15 Mar 2024 11:15:14 +0100
Organization: TNet Consulting
Lines: 58
Message-ID: <mailman.60.1710497733.2322.kerberos@mit.edu>
References: <8D20D248-822B-47F1-ABAA-9C46B4E99F2F@gmail.com>
<202403141927.42EJRjld032498@hedwig.cmf.nrl.navy.mil>
<eacd921c-8033-49fc-8521-7b0f5be2f297@mit.edu>
<15626AF7-93B5-47CA-84B7-A6CF967015A1@gmail.com>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Greg Hudson <ghudson@MIT.EDU>
In-Reply-To: <eacd921c-8033-49fc-8521-7b0f5be2f297@mit.edu>

Hi

> On 14 March 2024 at 21:56, Greg Hudson <ghudson@MIT.EDU> wrote:
>
> On 3/14/24 15:27, Ken Hornstein via Kerberos wrote:
>>> Is there a way when using PKINIT to not need any internal list of
>>> principals but to rely on the validity of the certificate to proxy the
>>> certificate identity into the Kerberos ticket?
>> I know what all of those words are, but I'm unclear what they mean all
>> together. I think you mean _this_ step:
>
> I believe Yoann is asking for a KDC configuration where the KDB contains server principal entries (including a krbtgt entry) but no client principal entries. PKINIT does not require client long-term keys, and other client principal fields (except for the name) could be taken from a template entry.

Exactly.

Information about the principal (name and everything) could be extracted from the certificate. Principal and certificate contain the same information.

> MIT krb5 does not currently have this ability with the built-in KDB modules. It could be done with a custom KDB module, but that module would also have to provide all of the regular KDB functionality for the server principal entries, and the KDB interface isn't designed to be stackable (meaning it isn't trivial to implement an overlay).

OK, no overlay is a limitation here indeed; it would have been the best option to mix template-based responses and the internal DB.

> Alternatively, I think it would be a relatively simple change to the core KDC code to support this: do_as_req.c:lookup_client() could look up a template at a fixed name (WELLKNOWN/CLIENT-TEMPLATE or something) if the regular client lookup fails, and substitute in the requested name.

That's an idea. Branching the core product is always an impactful option for the future when it's time to follow main branch evolution, but that could be an option.

Another option I wonder about is using the LDAP backend to answer with dynamic content (we have an LDAP gateway in our codebase, so we can use it as a backend API between MIT Kerberos and our identity store).

Doing so, the main issue would be knowing what Kerberos needs to write, in order to handle it. An LDAP gateway for read-only access is easy; supporting write operations, however, requires more work to ensure we handle all the scenarios supported by the requesters.

I guess here also, it's not possible to use the normal DB for R/W and LDAP in RO?

Best regards
Yoann
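
Worked example added by the editor, not code from this thread or from MIT krb5: a small Python model of the template-entry idea discussed above, with the do_as_req.c:lookup_client() fallback Greg describes and the PKINIT name binding that makes it safe to run a KDC with no client principals. Everything in it is assumed for illustration: the KDB is a dict, the client certificate's SAN arrives already extracted as (OID, DER) pairs (with python-cryptography that would be OtherName.type_id.dotted_string and OtherName.value), certificate chain, EKU and revocation checking is taken to have happened before this point, and KDC_REALM, the WELLKNOWN/CLIENT-TEMPLATE name, the KRB-ERROR names and the sample KDB are constructed. The KRB5PrincipalName encoder and decoder follow the ASN.1 in RFC 4556 section 3.2.2.

```python
"""Toy model of a KDC whose KDB holds server principals (krbtgt, host/...) but
no client principals, admitting certificate holders through PKINIT (RFC 4556)
and a template entry. Added example; not MIT krb5 code, all names assumed."""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"              # id-pkinit-san OtherName type, RFC 4556 3.2.2
KDC_REALM = "EXAMPLE.COM"                    # assumed realm of this KDC
TEMPLATE_NAME = "WELLKNOWN/CLIENT-TEMPLATE"  # fixed name suggested in the thread (assumed)
TEMPLATE_PRINCIPAL = TEMPLATE_NAME + "@" + KDC_REALM

class KdcError(Exception):
    """Carries the KRB-ERROR code name the KDC would send back."""

# --- minimal definite-length DER helpers, enough for KRB5PrincipalName --------
def der_encode(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_decode(buf, pos=0):
    """Return (tag, body, end) for the TLV at pos; ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("DER: truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("DER: indefinite or truncated length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER: length overruns buffer")
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_decode(body, pos)
        out.append((tag, val))
    return out

def der_field(children, ctx_tag, inner_tag):
    """Unwrap an EXPLICIT [n] field and check the tag of what it wraps."""
    vals = [v for t, v in children if t == ctx_tag]
    if len(vals) != 1:
        raise ValueError("field [%d] missing or repeated" % (ctx_tag & 0x1F))
    tag, inner, end = der_decode(vals[0])
    if tag != inner_tag or end != len(vals[0]):
        raise ValueError("field [%d] has tag 0x%02x or trailing data" % (ctx_tag & 0x1F, tag))
    return inner

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
def encode_krb5_principal_name(realm, comps, name_type=1):
    ks = lambda s: der_encode(0x1B, s.encode("utf-8"))   # KerberosString (GeneralString)
    pname = der_encode(0x30, der_encode(0xA0, der_encode(0x02, bytes([name_type])))  # 0..127 only
                       + der_encode(0xA1, der_encode(0x30, b"".join(ks(c) for c in comps))))
    return der_encode(0x30, der_encode(0xA0, ks(realm)) + der_encode(0xA1, pname))

def decode_krb5_principal_name(der_bytes):
    """Strict decoder: returns (realm, [components]) or raises ValueError."""
    tag, body, end = der_decode(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("KRB5PrincipalName: not a single SEQUENCE")
    top = der_children(body)
    realm = der_field(top, 0xA0, 0x1B).decode("utf-8")
    pn = der_children(der_field(top, 0xA1, 0x30))
    der_field(pn, 0xA0, 0x02)                      # name-type must be present
    comps = []
    for t, v in der_children(der_field(pn, 0xA1, 0x30)):
        if t != 0x1B:
            raise ValueError("name-string component is not a GeneralString")
        comps.append(v.decode("utf-8"))
    if not comps:
        raise ValueError("name-string is empty")
    return realm, comps

def principal_str(realm, comps):
    return "/".join(comps) + "@" + realm           # no '/' or '@' escaping in this toy

def cert_names(san):
    """Principal names the certificate asserts via id-pkinit-san OtherNames."""
    return [principal_str(*decode_krb5_principal_name(v)) for oid, v in san if oid == ID_PKINIT_SAN]

def lookup_client(kdb, requested):
    """The lookup_client() fallback proposed in the thread: a real entry if one
    exists, otherwise the template entry with the requested name substituted."""
    if requested == TEMPLATE_PRINCIPAL:            # the template is never a client by itself
        raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    if requested in kdb:
        return dict(kdb[requested], principal=requested, synthesized=False)
    template = kdb.get(TEMPLATE_PRINCIPAL)
    if template is None or not requested.endswith("@" + KDC_REALM):
        raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    entry = dict(template, principal=requested, synthesized=True)
    entry["keys"] = []                             # a synthesized client never has long-term keys
    return entry

def as_req(kdb, requested, pkinit_san=None):
    """One AS exchange. pkinit_san=None models an AS-REQ without PA-PK-AS-REQ;
    otherwise it is the already-validated client certificate's SAN, (OID, DER) pairs."""
    try:
        entry = lookup_client(kdb, requested)
        if pkinit_san is None:
            # Only PKINIT can be offered for a synthesized entry: it has no keys for
            # encrypted-timestamp preauth, and no password could ever match it.
            pa = ["PA-PK-AS-REQ"] if entry["synthesized"] else ["PA-PK-AS-REQ", "PA-ENC-TIMESTAMP"]
            return {"error": "KDC_ERR_PREAUTH_REQUIRED", "padata": pa}
        # With no per-client KDB entry, "SAN == requested cname" is the only thing
        # binding the validated certificate to the name that goes into the ticket.
        if requested not in cert_names(pkinit_san):
            raise KdcError("KDC_ERR_CLIENT_NAME_MISMATCH")
    except ValueError:                             # malformed KRB5PrincipalName in the cert
        return {"error": "KDC_ERR_INVALID_CERTIFICATE"}
    except KdcError as e:
        return {"error": str(e)}
    return {"ticket_for": entry["principal"], "synthesized": entry["synthesized"],
            "max_life": entry["max_life"]}

# Constructed sample data: server entries plus the template, no client entries.
SAMPLE_KDB = {
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM": {"keys": ["<tgs key>"], "max_life": 36000},
    "host/app.example.com@EXAMPLE.COM": {"keys": ["<host key>"], "max_life": 36000},
    TEMPLATE_PRINCIPAL: {"keys": [], "max_life": 36000, "attributes": ["REQUIRES_PRE_AUTH"]},
}
ALICE_SAN = [(ID_PKINIT_SAN, encode_krb5_principal_name("EXAMPLE.COM", ["alice"]))]  # constructed

if __name__ == "__main__":
    print(as_req(SAMPLE_KDB, "alice@EXAMPLE.COM"))             # preauth required, PKINIT only
    print(as_req(SAMPLE_KDB, "alice@EXAMPLE.COM", ALICE_SAN))  # ticket for alice
    print(as_req(SAMPLE_KDB, "bob@EXAMPLE.COM", ALICE_SAN))    # client name mismatch
```

The point to take from it: once there is no per-client KDB entry, the equality between the requested cname and the certificate's id-pkinit-san is the only link between a validated certificate and the name that ends up in the ticket, so the fallback has to refuse anything that cannot carry a certificate (the template has no keys, so only PA-PK-AS-REQ is offered), reject the template's own name and foreign realms outright, and treat a malformed SAN as an invalid certificate rather than as "no match". Everything the real KDC does around this (chain building to pkinit_anchors, EKU checking, the KDC's own certificate in the reply) is assumed to happen elsewhere.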
