Re: [kitten] Token Preauth for Kerberos

[Simo Sorce <simo@redhat.com>]

On Fri, 2014-06-13 at 07:16 +0000, Zheng, Kai wrote:
> Hi Simo,
> 
> >> have you considered protocol transition (s4u2self) + constrained
> delegation (s4u2proxy) to get tickets at an authentication gateway
> instead of a new pre auth mechanism ?
> 
> Yes we proposed for the Hadoop community a centralized Authn & Authz
> Server (HAS) that might be like the gateway as you mentioned. It's
> widely discussed and confirmed that it would be great the server
> allows plugin of authentication module/provider but all mechanisms
> output token. Sure I guess it's possible to use token to go thru
> s4u2self and s4u2proxy in the Kerberos facility across the ecosystem
> but as far as I know JRE just starts to support it from JDK8. Anyhow I
> would check this and make sure it's a doable option not in so long
> future.

You need to modify something anyway, constrained delegation sound like a
better way than trying to devise a whole new pre-auth plugin.

> A question regarding this:
> Is it possible to contain the token in service ticket resulted from
> s4u2self and s4u2proxy as authorization data so that services can get
> it as proposed in token-preauth? Note in our wanted solution, token
> not just serves for authentication, but also is meant to be passed (or
> the token attributes) to service side for fine-grained authorization.

Well, theorethically it should be possible to ad AD data in the ticket
before the s4u2proxy call and the KDC should just preserve it.
However you should only transmit the authorization data, not the whole
token, otherwise you destroy every single security property of Kerberos.
I can't see any krb admin as accepting something like that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York