Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?
Date: Mon, 15 Apr 2024 19:56:04 -0400
Organization: TNet Consulting
Message-ID: <mailman.86.1713225372.2322.kerberos@mit.edu>
References: <CAEkxbZuz1h7Ef4N5nz3teb8vcTxTE6iBUZC+TYssUcayKHhXQQ@mail.gmail.com>
<202404152356.43FNu4Wj009470@hedwig.cmf.nrl.navy.mil>
To: James Ralston <ralston@pobox.com>
Cc: kerberos@mit.edu
In-Reply-To: <CAEkxbZuz1h7Ef4N5nz3teb8vcTxTE6iBUZC+TYssUcayKHhXQQ@mail.gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
X-Mailman-Original-Message-ID: <202404152356.43FNu4Wj009470@hedwig.cmf.nrl.navy.mil>
 by: Ken Hornstein - Mon, 15 Apr 2024 23:56 UTC

>Has anyone else struggled with ssh clients being unable to delegate
>As far as we can tell, for reasons we still have been unable to
>fathom, Microsoft decided that simply permitting credential delegation
>based on whether the TGT has the forwardable flag set was
>insufficient. Instead, Microsoft implemented a new flag in the MS-SFU
>Kerberos Protocol Extensions, TRUSTED_FOR_DELEGATION. The flag is a
>property of the service principal of the *target* host: if the target
>host does not have the TRUSTED_FOR_DELEGATION flag set in the
>userAccountControl attribute of the host’s machine account in Active
>Directory, then if the Kerberos library that the ssh client uses
>honors the MS-SFU Kerberos Protocol Extensions and honors the
>TRUSTED_FOR_DELEGATION flag, it will refuse to delegate the user’s
>credentials to the target host, *even* if all other settings would
>permit credential delegation.

I'm a LITTLE confused as to what you're describing here. As I
understand you, the TRUSTED_FOR_DELEGATION flag doesn't appear on the
wire and only in the account properties. What, exactly, is there for a
client implementation to honor or not honor? If you're talking about
the OK-AS-DELEGATE flag in the Kerberos ticket, MIT Kerberos does
implement that flag (but ... the library already provides an option
to ignore that flag and it seems that by default it DOES ignore that
flag). It seems like some versions of Heimdal also will ignore the
OK-AS-DELEGATE flag by default and you can configure Heimdal to respect
that flag but I am unclear what the OS X Heimdal does. Calling that a
Microsoft extension is incorrect, though, as that appears in RFC 4120.
As for the thinking behind this flag, well, the RFC provides what I
would consider a cognizant explanation:

https://datatracker.ietf.org/doc/html/rfc4120#section-2.8

If you're talking about something else, I would be curious as to what
you mean. I didn't think ssh could utilize any of the S4U stuff
but it's always possible that could have changed.

--Ken
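
The distinction Ken draws above (an Active Directory account attribute on the server side versus the ok-as-delegate TicketFlags bit on the wire, and a client policy that either honors or ignores that bit) is easy to get tangled up in. The following Python is an added worked example, not code from this thread or from MIT Kerberos, Heimdal or Windows. The userAccountControl bit values and the RFC 4120 section 5.4.1 TicketFlags bit numbers are the real ones; the rule that the KDC sets ok-as-delegate on a service ticket exactly when the service account has TRUSTED_FOR_DELEGATION is the Windows KDC behaviour as documented in MS-KILE and is modelled here, not queried from a live KDC. The function names, the `klist -f` letter table (MIT's) and every sample bitmask are this example's own constructions.

```python
"""Delegation flags: AD userAccountControl vs. Kerberos TicketFlags.

Added example for this thread, not code from the list or from any Kerberos
implementation. It models the two places the delegation decision lives:
  * server side: TRUSTED_FOR_DELEGATION in the target host's userAccountControl
  * wire side:   ok-as-delegate in the service ticket's TicketFlags (RFC 4120 5.4.1)
and the client policy choice discussed above (honor ok-as-delegate, or ignore it).
The KDC rule below (ok-as-delegate set iff the account has TRUSTED_FOR_DELEGATION)
is the Windows behaviour described in MS-KILE; all sample values are constructed.
"""
from __future__ import annotations

# Active Directory userAccountControl bits relevant to delegation (real values)
UAC_WORKSTATION_TRUST_ACCOUNT = 0x00001000       # ordinary domain-joined machine
UAC_TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation allowed
UAC_NOT_DELEGATED = 0x00100000                   # "account is sensitive and cannot be delegated"
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # S4U2Self / protocol transition

# RFC 4120 section 5.4.1 TicketFlags bit numbers. KerberosFlags is an ASN.1 BIT
# STRING; bit 0 is the most significant bit of the 32-bit value, so bit n maps to
# mask 1 << (31 - n). ok-as-delegate(13) is therefore 0x00040000.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}

# Letters MIT 'klist -f' prints in its Flags column ('O' is ok-as-delegate)
KLIST_LETTERS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "i": "invalid", "R": "renewable",
    "I": "initial", "H": "hw-authent", "A": "pre-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate",
}


def ticket_flag_mask(name: str) -> int:
    """Bitmask for a named TicketFlags bit in a 32-bit, MSB-first value."""
    return 1 << (31 - TICKET_FLAG_BITS[name])


def decode_ticket_flags(value: int) -> set[str]:
    """Names of the flags set in a 32-bit TicketFlags value."""
    return {name for name in TICKET_FLAG_BITS if value & ticket_flag_mask(name)}


def flags_from_klist(letters: str) -> int:
    """Turn the Flags column of MIT 'klist -f' (e.g. 'FRIAO') back into a bitmask."""
    value = 0
    for ch in letters:
        value |= ticket_flag_mask(KLIST_LETTERS[ch])
    return value


def kdc_service_ticket_flags(tgt_flags: int, service_uac: int) -> int:
    """KDC side (modelled): delegation-relevant flags on the issued service ticket.

    The ticket is forwardable only if the TGT was; ok-as-delegate is derived from
    the service account's TRUSTED_FOR_DELEGATION bit. That is how the account
    attribute, which never appears on the wire, reaches the client.
    """
    flags = tgt_flags & ticket_flag_mask("forwardable")
    if service_uac & UAC_TRUSTED_FOR_DELEGATION:
        flags |= ticket_flag_mask("ok-as-delegate")
    return flags


def client_will_delegate(tgt_flags: int, service_ticket_flags: int,
                         honor_ok_as_delegate: bool) -> bool:
    """Client side: the two policies the thread contrasts.

    A client can only forward a forwardable TGT. Beyond that it either ignores
    ok-as-delegate (delegate whenever the caller asks) or treats a missing
    ok-as-delegate as the KDC saying "do not hand this host your credentials".
    """
    if not tgt_flags & ticket_flag_mask("forwardable"):
        return False
    if honor_ok_as_delegate and not service_ticket_flags & ticket_flag_mask("ok-as-delegate"):
        return False
    return True


def delegation_report(tgt_klist_flags: str, service_uac: int) -> dict:
    """Walk one ssh-style exchange: the user's TGT flags plus the target's account bits."""
    tgt = flags_from_klist(tgt_klist_flags)
    svc = kdc_service_ticket_flags(tgt, service_uac)
    return {
        "service_ticket_flags": sorted(decode_ticket_flags(svc)),
        "delegates_if_ignoring_flag": client_will_delegate(tgt, svc, False),
        "delegates_if_honoring_flag": client_will_delegate(tgt, svc, True),
    }


if __name__ == "__main__":
    # Constructed: a normal forwardable user TGT ('FRIA' in klist -f) against a
    # plain workstation account, then against one with unconstrained delegation.
    for label, uac in (("plain host", UAC_WORKSTATION_TRUST_ACCOUNT),
                       ("trusted host", UAC_WORKSTATION_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION)):
        print(label, delegation_report("FRIA", uac))
```

The report makes the failure mode in the original post concrete: against a host whose machine account lacks TRUSTED_FOR_DELEGATION, a client that ignores ok-as-delegate still forwards the TGT, while a client that honors the bit refuses, even though the TGT itself is forwardable and nothing else changed. `flags_from_klist` lets you paste the Flags column from `klist -f` on the client to check which case you are in.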
