Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Nico Williams <nico@cryptonector.com> Wed, 22 February 2023 18:56 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63758C15270B for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 10:56:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Q_i1HXYJvZZ for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 10:56:05 -0800 (PST)
Received: from crocodile.elm.relay.mailchannels.net (crocodile.elm.relay.mailchannels.net [23.83.212.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 444E3C1595FE for <kitten@ietf.org>; Wed, 22 Feb 2023 10:56:05 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id D3ED8101E40; Wed, 22 Feb 2023 18:56:03 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 5E541101BAA; Wed, 22 Feb 2023 18:56:03 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1677092163; a=rsa-sha256; cv=none; b=Jquc/yyG2ItbWEEMKHtmzgzqVDJ4XaXthA/e6reKaSnsGSdlCSj1K8dXcdBM4WDJQ8UAHf qmru1GOyHuT9okA8J4REylyuJrZJxerB4Y/2AEg5irc+b2mfEgN2RpQyvX/7Gdh2uqR4il EUQ18wuyCYgS/jahBAL7WdhHhiRLcPozXUixzPZwVSuVojPQRkPw3hCS738TjfO3ECff7b /j3eNSbd5DV/znJHPoY3MtqA6cLFYjsCbwCPn4+7KO27CYVrRX5OfcfG09AGIDwnWdFiRD efdBLGhMzCNRXhPKWqBA95slet09uTVE4lE/2DXw7MGxrJZikp4ZosPxPIl6Fw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1677092163; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=ELSYwDOjsDqEzfIuqIuvZa2BWVdBkNYjHYm1rOYDkMU=; b=cwwI8xnRhORekLkpmQj8FGxyUHhaUUCn0w4J98BzK5NxpPnGR3N/nwtqBPP2r5WuskHjrf NOJ7as6j4IqKmuX5nBv5fv4mr8SXcrVXIjwB3tqHspZFOf3gzXS2d5O5HAkKJZpK679k0l qj7pt2fVLKBZ9sDwUSe7KwXuF7wUxyyWqJkwym3EQwTmhlhE0GFmQA8eRoUaTv25bgJATf Yb1i7Yu2qv1uDvx41OCl6YpdqgUr4WyD8xrGK3mw+lJADyg9u0QTC6BwUzztc+4BOhtdkz qTelOwsE+kNnHMSS0xG14UqCt9M2oDXF/xXIYN1alENtgYt7h1EmH50CNvL0Hg==
ARC-Authentication-Results: i=1; rspamd-5db48964c-9shrn; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Lyrical-Harmony: 7ff0bf1461aec2f9_1677092163665_1738017878
X-MC-Loop-Signature: 1677092163665:4256201593
X-MC-Ingress-Time: 1677092163665
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.120.227.140 (trex/6.7.1); Wed, 22 Feb 2023 18:56:03 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PMQNL3SPXzK6; Wed, 22 Feb 2023 10:56:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1677092163; bh=ELSYwDOjsDqEzfIuqIuvZa2BWVdBkNYjHYm1rOYDkMU=; h=Date:From:To:Cc:Subject:Content-Type; b=r2kGUU8yyDukT0mLWb81SbP5Up1A3OX1MqTinab2nbeItGfCsbgQuGy4FmlvWtZDr 9qUxMQwewoEnSJggV+OYzppYjA3txXndHoUQk6nKZoyl4/XEYsh8ZyyQmur3t0Lmec 8EJ0/qXWZASTmijnJBEy4+fadDtXeL5kaZUvphtP5bEDBxFc5ZoCdQsGcmgpyiWhJ8 XP/0VGXloQ7PWq93rQyYBHdgOHmY7Iq9mT+e4UkkY28C87R1FFZR0TvNpbBy3syXxu hiS7DanhOkUXTPY3fmRWWLHIitWJuQBIYNjaK+L+Ao04yhUyydeVwUNo6FXIMYuLQT VwMBHCOG0TSvQ==
Date: Wed, 22 Feb 2023 12:55:59 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/ZlP9gD0eyZP90T@gmail.com>
References: <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/UMA7xZYpOAWK4N@gmail.com> <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/VnjL/IBYXFWkYX@gmail.com> <MW4PR21MB1970EAD9739BFA099B05F4779CAA9@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/WWjumkyhEjMvda@gmail.com> <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-QAOGi2zx2H_EehFxavAiUChRZ4>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2023 18:56:09 -0000
On Wed, Feb 22, 2023 at 05:36:40PM +0000, Steve Syfuhs (AP) wrote: > You should implement forest trusts. We automated key rotation in 2000. :) What RFC is that? :) Do we need an LDAP client in order to implement that? Seriously, if you have key history, then you can rotate x-realm krbtgt keys w/o trouble. For non-x-realm krbtgt principals it's useful to have the "new service key delay" feature so that the new keys can replicate before they get used. > That said, I'm a bit surprised you've seen any issues with key > rotation. We generally return ap-err-modified in such bad key cases > which should just trigger a client renew/reauth of the ticket. What do > non-Windows clients do in that case? Do they just drop the request? If you're janedoe@A asking for a ticket for some service@B and you already have a krbtgt/B@A ticket cached, you're going to use that ticket, and then you might get an error from the KDC if either the ticket is encrypted in the new key but the B KDC you hit doesn't have it yet, or if the ticket is encrypted in the old key but the B KDC you hit no longer has or accepts that key. I believe MIT and Heimdal stop there (though I'd have to check). > I'll have to dig through the client/server logic for how gMSAs are > handled. I don't quite remember the exact behavior, but caveat a few > bugs we introduced ourselves I can't recall any major reports of > timing issues, which I would attribute back to the badkey-retry-getkey > behavior our clients have. Also said, I'm not aware of any non-Windows > servers that implement gMSA support, especially given Andrew's comment > about SAMBA only now investigating adding them. That sorta makes any > third party behavior a bit moot. Ok, I'll have to look into whether we have to special case certain errors in TGS-REQ exchanges and retry in those cases. This could be complicated since we might have to purge ccache entries and then retry from the top rather than retry the current TGS-REQ. Complicating client-side logic is a problem, and complicated clients is one of the problems with Kerberos. For example, I've seen interop issues with proprietary mobile apps not implementing kerberos referrals chasing correctly, and getting those issues fixed can be nigh impossible, and workarounds can be equally impossible. In this case better key rotation functionality on the KDC can save the client implementors a great deal of complexity. Complexity is a big source of bugs, too. Nico --
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Greg Hudson
- [kitten] Windows Intent to revive and implement I… Steve Syfuhs (AP)
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Greg Hudson
- Re: [kitten] Windows Intent to revive and impleme… josh.howlett
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Replacing Kerberos (Re: Windows Intent t… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Ken Hornstein
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Paul Romero
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Luke Howard
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Andrew Bartlett
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Updates to IAKERB (Re: Windows Intent to… Nico Williams
- Re: [kitten] Updates to IAKERB (Re: Windows Inten… Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos D.Rogers
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Watson Ladd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Simo Sorce