Re: Stateless PKINIT?

https://www.novabbs.com/devel/article-flat.php?id=514&group=comp.protocols.kerberos#514
From: yoann.g...@gmail.com (Yoann Gini)
Newsgroups: comp.protocols.kerberos
Subject: Re: Stateless PKINIT?
Date: Fri, 15 Mar 2024 17:19:08 +0100
Message-ID: <mailman.62.1710519565.2322.kerberos@mit.edu>
References: <8D20D248-822B-47F1-ABAA-9C46B4E99F2F@gmail.com>
<202403141927.42EJRjld032498@hedwig.cmf.nrl.navy.mil>
<eacd921c-8033-49fc-8521-7b0f5be2f297@mit.edu>
<15626AF7-93B5-47CA-84B7-A6CF967015A1@gmail.com>
<faf7c1cd-c87c-42c4-a300-83bf177d55fc@mit.edu>
<A7CBD0B5-3F4A-4A3B-AE48-FBA06C320B80@gmail.com>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <faf7c1cd-c87c-42c4-a300-83bf177d55fc@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
 by: Yoann Gini - Fri, 15 Mar 2024 16:19 UTC

> On 15 Mar 2024 at 17:17, Greg Hudson <ghudson@mit.edu> wrote:
>
> On 3/15/24 06:15, Yoann Gini wrote:
>> Information about the principal (name and everything) could be extracted from the certificate. Principal and certificate contain the same information.
>
> To issue a ticket, the KDC doesn't need to know directory-type information such as real names, but it does need to know Kerberos-specific policy information like "how long can the ticket expiration time be". That information could presumably be standardized across clients, which is why I suggested a template principal.

Understood!

That's an interesting lead here.

>> Another option I wonder about is using the LDAP backend to answer with dynamic content (we have an LDAP gateway in our codebase, so we can use it as a backend API between MIT Kerberos and our identity store).
>> Doing so, the main issue would be to know what Kerberos needs to write, to handle it.
>
> The KDC does not need to write to the KDB, although it will attempt to do writes to maintain account lockout state (which is irrelevant to the configuration at hand). Attempts to write can be disabled via the settings documented here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/lockout.html#disable-lockout
>
> When synthesizing a client principal entry (or creating a template), be sure to include the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR principal flags.

OK, thanks!
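The three points Greg Hudson makes above (a template principal supplying the Kerberos policy the certificate cannot, the KDC configured not to write lockout state, and KRB5_KDB_REQUIRES_PRE_AUTH plus KRB5_KDB_DISALLOW_SVR on the synthesized entry) modelled in Python, as an added example that is not part of the thread and not MIT krb5 code. The flag values are the ones defined in MIT krb5's include/kdb.h and the two kdc.conf options are the ones named in the linked lockout documentation; the realm, the principal names, the KdbEntry type, the function names and the sample settings are assumptions made for this illustration, and the certificate-to-principal mapping is taken as already done by the PKINIT preauth module.

```python
"""Model of a KDC synthesizing a client principal entry for stateless PKINIT.

Added example (not MIT krb5 code): the KDB has no per-user entries, so the
KDC takes the client name from the certificate and every policy field from a
template principal, forces the two flags recommended in the thread, and
checks that kdc.conf tells the KDB module not to write lockout state.
"""
from dataclasses import dataclass, replace

# Principal attribute bits as defined in MIT krb5's include/kdb.h.
KRB5_KDB_DISALLOW_ALL_TIX = 0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_DISALLOW_SVR = 0x00001000

# Flags every synthesized PKINIT client entry must carry: the client has no
# long-term key, so AS requests must be pre-authenticated (by PKINIT) and the
# principal must never be usable as a service (the KDC would otherwise try to
# issue service tickets encrypted in a key that does not exist).
REQUIRED_CLIENT_FLAGS = KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_DISALLOW_SVR


@dataclass(frozen=True)
class KdbEntry:
    """Subset of a KDB principal entry (assumed shape for this example)."""
    princ: str
    attributes: int          # bitmask of KRB5_KDB_* flags
    max_life: int            # maximum ticket life, seconds
    max_renewable_life: int  # maximum renewable life, seconds


# Constructed template principal: keys are irrelevant (PKINIT authenticates
# the client), only the Kerberos policy matters.  Name and realm are assumed.
TEMPLATE = KdbEntry(
    princ="pkinit-template@EXAMPLE.COM",
    attributes=REQUIRED_CLIENT_FLAGS,
    max_life=10 * 3600,
    max_renewable_life=7 * 24 * 3600,
)


def synthesize_client_entry(template: KdbEntry, client_princ: str) -> KdbEntry:
    """Return the entry the KDC would use for a PKINIT client with no stored
    principal.  client_princ is the name the PKINIT preauth module already
    derived from the certificate; everything else is copied from the template.
    The required flags are forced on even if an operator left them off."""
    if "@" not in client_princ:
        raise ValueError("client principal must include a realm")
    if template.attributes & KRB5_KDB_DISALLOW_ALL_TIX:
        raise PermissionError("template principal disallows all tickets")
    return replace(template, princ=client_princ,
                   attributes=template.attributes | REQUIRED_CLIENT_FLAGS)


def entry_has_required_flags(entry: KdbEntry) -> bool:
    """Check an entry (template or synthesized) for both required flags."""
    return (entry.attributes & REQUIRED_CLIENT_FLAGS) == REQUIRED_CLIENT_FLAGS


def lockout_writes_disabled(dbmodule: dict) -> bool:
    """True when the [dbmodules] settings for the realm's KDB module tell the
    KDC not to write lockout state: both disable_last_success and
    disable_lockout must be true (the options named in the krb5 lockout
    documentation).  A read-only synthesized entry would otherwise be hit by
    KDC write attempts on every AS exchange."""
    def truthy(value):
        return str(value).strip().lower() in {"true", "t", "yes", "y", "on", "1"}
    return all(truthy(dbmodule.get(key, "false"))
               for key in ("disable_last_success", "disable_lockout"))


if __name__ == "__main__":
    # Constructed kdc.conf [dbmodules] settings for the realm's module.
    settings = {"disable_last_success": "true", "disable_lockout": "true"}
    if not lockout_writes_disabled(settings):
        raise SystemExit("KDB module would attempt lockout writes")
    entry = synthesize_client_entry(TEMPLATE, "alice@EXAMPLE.COM")
    print(entry, entry_has_required_flags(entry))
```

The template only carries policy, never keys; if the real back end (the LDAP gateway mentioned in the thread) returns an entry missing either flag, entry_has_required_flags is the place to refuse it rather than letting the KDC issue a ticket for a keyless principal.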
