Re: Stateless PKINIT?

https://www.novabbs.com/devel/article-flat.php?id=513&group=comp.protocols.kerberos#513

From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: Stateless PKINIT?
Date: Fri, 15 Mar 2024 12:17:44 -0400
Organization: TNet Consulting
Lines: 28
Message-ID: <mailman.61.1710519472.2322.kerberos@mit.edu>
References: <8D20D248-822B-47F1-ABAA-9C46B4E99F2F@gmail.com>
<202403141927.42EJRjld032498@hedwig.cmf.nrl.navy.mil>
<eacd921c-8033-49fc-8521-7b0f5be2f297@mit.edu>
<15626AF7-93B5-47CA-84B7-A6CF967015A1@gmail.com>
<faf7c1cd-c87c-42c4-a300-83bf177d55fc@mit.edu>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Yoann Gini <yoann.gini@gmail.com>
In-Reply-To: <15626AF7-93B5-47CA-84B7-A6CF967015A1@gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
by: Greg Hudson - Fri, 15 Mar 2024 16:17 UTC

On 3/15/24 06:15, Yoann Gini wrote:
> Information about the principal (name and everything) could be
> extracted from the certificate. Principal and certificate contain the
> same information.

To issue a ticket, the KDC doesn't need to know directory-type
information such as real names, but it does need to know
Kerberos-specific policy information like "how long can the ticket
expiration time be". That information could presumably be standardized
across clients, which is why I suggested a template principal.

> Other option I wonder is using the LDAP backend to answer dynamic
> content (we have an LDAP gateway in our codebase, so we can use it as a
> backend API between MIT Kerberos and our identity store).
>
> Doing so, the main issue would be to know what Kerberos needs to write, to
> handle it.

The KDC does not need to write to the KDB, although it will attempt to
do writes to maintain account lockout state (which is irrelevant to the
configuration at hand). Attempts to write can be disabled via the
settings documented here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/lockout.html#disable-lockout

When synthesizing a client principal entry (or creating a template), be
sure to include the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR
principal flags.
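The two operational points in the reply above, namely disabling the KDC's lockout-state writes and setting the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR flags on any synthesized or template client entry, as an added runnable example. This is not code from the thread, from Greg Hudson, or from MIT krb5. It assumes a hypothetical realm EXAMPLE.COM, constructed template policy values, and a plain dict as the entry layout; the flag bit values are the definitions from MIT krb5's kdb.h, and the kdc.conf keys disable_last_success and disable_lockout are the ones the linked lockout page documents for the [dbmodules] realm subsection. That the synthesized entry carries no long-term keys is an assumption of this example (the client proves key possession through PKINIT).

```python
"""Added example (not the thread's or MIT krb5's code): model the client
principal entry a stateless-PKINIT KDC would synthesize from a certificate
plus a template, check that it carries the two flags the reply calls for,
and audit a kdc.conf fragment for the settings that stop lockout writes."""
import re

# Principal attribute bits as defined in MIT krb5 kdb.h.
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_DISALLOW_SVR = 0x00001000

# Constructed template principal: Kerberos policy only, no identity, no keys.
TEMPLATE = {
    "max_life": 10 * 3600,             # seconds
    "max_renewable_life": 7 * 86400,   # seconds
    "attributes": KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_DISALLOW_SVR,
}

PRINC_RE = re.compile(r"[^@\s]+@[A-Za-z0-9.-]+")


def synthesize_entry(cert_principal, template=TEMPLATE):
    """Build an in-memory principal entry: identity comes from the name the
    client certificate carries, policy comes from the template. The entry has
    no long-term keys (assumption: the client proves key possession through
    PKINIT, so a password-derived key never exists for it)."""
    if not PRINC_RE.fullmatch(cert_principal):
        raise ValueError("unexpected principal name from certificate: %r" % cert_principal)
    return {
        "princ": cert_principal,
        "max_life": template["max_life"],
        "max_renewable_life": template["max_renewable_life"],
        "attributes": template["attributes"],
        "keys": [],
    }


def entry_has_required_flags(entry):
    """True when REQUIRES_PRE_AUTH and DISALLOW_SVR are both set: the principal
    can only obtain tickets through preauthentication and is never issued
    tickets as a service."""
    attrs = entry["attributes"]
    return bool(attrs & KRB5_KDB_REQUIRES_PRE_AUTH) and bool(attrs & KRB5_KDB_DISALLOW_SVR)


# Constructed kdc.conf fragment for a hypothetical realm.
KDC_CONF = """\
[dbmodules]
    EXAMPLE.COM = {
        db_library = kldap
        disable_last_success = true
        disable_lockout = true
    }
"""


def lockout_writes_disabled(conf_text, realm):
    """Parse the [dbmodules] section of a kdc.conf and report whether both
    lockout-write settings are enabled for the given realm's subsection."""
    in_dbmodules = False
    in_realm = False
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # full-line comments only
            continue
        if line.startswith("["):
            in_dbmodules = line == "[dbmodules]"
            in_realm = False
            continue
        if not in_dbmodules:
            continue
        if line == realm + " = {":
            in_realm = True
        elif line == "}":
            in_realm = False
        elif in_realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.lower()
    return settings.get("disable_last_success") == "true" and settings.get("disable_lockout") == "true"


if __name__ == "__main__":
    entry = synthesize_entry("alice@EXAMPLE.COM")
    print(entry["princ"], hex(entry["attributes"]), entry_has_required_flags(entry))
    print("lockout writes disabled:", lockout_writes_disabled(KDC_CONF, "EXAMPLE.COM"))
```

The entry check is the part worth wiring into whatever backend answers the KDC: an entry without DISALLOW_SVR would let the KDC issue service tickets for a principal that has no real key, and one without REQUIRES_PRE_AUTH would let the AS exchange proceed without PKINIT. The config check is a sanity test for the linked lockout settings, not a full krb5.conf parser.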
