Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Nico Williams <nico@cryptonector.com> Tue, 21 February 2023 18:23 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C05ECC14F727 for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2023 10:23:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dds6TtKz3VOK for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2023 10:23:04 -0800 (PST)
Received: from fossa.birch.relay.mailchannels.net (fossa.birch.relay.mailchannels.net [23.83.209.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D8BC1595E5 for <kitten@ietf.org>; Tue, 21 Feb 2023 10:23:04 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 63ABF501D08; Tue, 21 Feb 2023 18:23:03 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id D1BB4502382; Tue, 21 Feb 2023 18:23:02 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1677003782; a=rsa-sha256; cv=none; b=UkhbPFJRBsinXHtZeQygv2qvxvscpnuhArSXG1IYZFH7/WBAza8yVAcQSGpX6vbBjiiLdd 4/yXi08xE0/tVwBZovlpMpPxaSiezO1kuJVNsyK2HqcJPotfNtkQeMi/EXU8/ftrjjNiZP aaEDoMCYd+Kmf9cEj9vQYPqJ0vHWrZud+gsvjscddQEy1NACBNvNZ0x9YsFmyveCHadWAx auEPwOj61rusWs0yPmA7mksAvPQWh/Jic9H9WzZVBR0e4FqiIzEycPAHAtvObnUanPmiE8 UmdBiZWOcvK2nPR7/HclUPlFwO2X2+6HqI5Co6SFMikc+lUIAxr31FTH3ovERA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1677003782; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=MzgzZKmaoTryNny8gfxdLatzubeWnFHwu63pOGwlauE=; b=z1Kw7xsO+qlFMcjwd10uOlFuCHCrEFxpszE0x6WAdEjpBh65WfpfZD/475cRQ9iuNP0rDo 8EgErVVc5C/OG22+e+nuMV6ebyKSx6FpalRb46Zteg5ICINEYtZftsLjMQc+wI+VDF6NKb Xxa5uNVls3digthi096Ug208PcuxUJmRkfjmrhll4XZpkDobiLsC9iOPJFm8pUVIime1c/ bUhPRfdhnxVOq/GB2foKwnHEw8P5YHeBsm/HDSLMg3QgRUBWtRxsUpzZklcvCnKUaNkZzP qnGuPlJGB3+s54RvpuBAxpxpsF+in9lb2HFPnv0hzwiFfbNlZM8n0Q7AgpQ8Qg==
ARC-Authentication-Results: i=1; rspamd-9788b98bc-t766b; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-White-Lyrical: 3443f51829081d30_1677003783169_4087690044
X-MC-Loop-Signature: 1677003783169:2393286723
X-MC-Ingress-Time: 1677003783169
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.109.196.241 (trex/6.7.1); Tue, 21 Feb 2023 18:23:03 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PLnhj6WY5z1P; Tue, 21 Feb 2023 10:23:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1677003782; bh=MzgzZKmaoTryNny8gfxdLatzubeWnFHwu63pOGwlauE=; h=Date:From:To:Cc:Subject:Content-Type; b=df1qS76wd/u6TZyOuqO3V4BJafYKyFcNbV1NHhd5DnuqBYd8NlfecvqSSDsHZHaSV VF7j+ngRQQIq4s4sEWJXpevxItqS5vpQW+YTZlygTpWJaQlbgVTzuANzm4wCNKizMO Qt0NWPteXm8DGwTioGyK/TKZx7LorzFSpb/YJ4URdOiWYf7B4J5LHTgYFq3GZjtuRZ ByRAAq7+JHgEcGT0HRcgRnQvLDEuKdz2BIPBVp5CMDopNbHbOMgJ62LInMzcRjIanA 7H2GMBHuwJyYkMcKzWlTIbeH03XNC2ExL99ujF2zPU22hkoKPjKPpqFRBRoRddG2nO JEYMVHRmz5S3Q==
Date: Tue, 21 Feb 2023 12:22:59 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/UMA7xZYpOAWK4N@gmail.com>
References: <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/50p3-l1N2UkdIMS_1PMMdWlzea0>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2023 18:23:08 -0000
On Tue, Feb 21, 2023 at 05:44:05PM +0000, Steve Syfuhs (AP) wrote: > Here's a useful overview: https://syfuhs.net/how-managed-service-accounts-in-active-directory-work That helps with running a service on multiple hosts, with each one retrieving the services keys (well, password anyways). That's the intent, correct? Does AD have key (password) history so that key rotation can be smooth? I.e., can you change a key (password) and have AD retain the previous one for some time so as to be able to decrypt extant tickets? Key history is essential for rekeying trust accounts w/o outages. It is _not_ essential (in the KDC anyways) to rekeying other services than trust accounts, but it _is_ very helpful for clustered services so that if you add a member to the cluster it can fetch the keys it needs from the KDC (directory) rather than having to build a thing for sharing keys from one cluster member to another. Heimdal's equivalent to your managed service accounts lets clients fetch keytabs with: - all the keys (not passwords, but hey) needed to decrypt potentially extant (not yet expired) tickets - this potentially includes previous keys (kvnos) - all the keys not yet in service that will soon be needed to decrypt tickets This is important because otherwise a new cluster member might not have all the keys it needs to be able to decrypt tickets in AP-REQs presented to it, causing something of an outate. One can say "tough, you can go get the keys from the other cluster members", but that's how people conclude that Kerberos sucks. Having a way to get the keys from the KDC is much simpler than having to build and integrate a proprietary key sharing mechanism. In Heimdal we added a "new service key delay" feature that allows new keys to be set that won't be used by KDCs yet for a specified amount of time so as to give cluster members a chance to fetch / sync the new keys. We also have a feature where service principals whose names fall in configured namespaces have their keys derived on the fly from the namespace's base keys, the principals' names, and the current time epoch. And in this case too clients can fetch keytabs with all the keys needed to decrypt potentially extant tickets + upcoming keys (as if there was a new service key delay set on future keys). When using this feature keys rotate automatically based on the current time and configured key rotation period for the namespace. In principle Heimdal can store passwords in the HDB in addition to keys, and we could have a feature where we return service passwords instead of keys if desired by sites that prefer your focus on passwords rather than keys. We'd still want to return possibly more than one password though, along with kvno and time metadata, and for that the keytab format is pretty good -- we'd just need an "enctype" reserved for "password", or enctypes for "password for deriving keys for enctype XYZ". > Obviously the AD/Windows-specific stuff wouldn't be appropriate to > apply to a public spec, but the gist of it might be useful. Sure. In this case the thing that's desirable is a protocol for extracting the keys (passwords). In your case it's just an LDAP query, and authorization is handled by the directory (AD). An HTTP API would be much better because it would impose much less bloat on the client stack. I've concluded that HTTP APIs are a sine qua non for all of this stuff. Want an online CA? HTTP. A kinit-as-a-service? HTTP. Negotiate as a service? HTTP. Keytab fetching? HTTP. Canned admin tasks? HTTP. This has made integration of these new Heimdal features into site-local orchestration systems much easier on the integrators. Another thing I've concluded is that metastasizing directory schemas into lots of codebases in time always becomes a huge headache and no fun. Besides, different solutions will have different schemas, and now you more headaches. The solution to this is to implement proxies that provide "stored procedures" that implement simple interfaces to common tasks. From a protocol perspective I'd want to standardize such interfaces. Yes, LDAP is still needed in your case, though I suppose one could have an HTTP JSON API that transliterates LDAP to/from JSON as an API to LDAP. But it's nice to have simpler HTTP APIs for common tasks. Nico --
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Greg Hudson
- [kitten] Windows Intent to revive and implement I… Steve Syfuhs (AP)
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Greg Hudson
- Re: [kitten] Windows Intent to revive and impleme… josh.howlett
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Replacing Kerberos (Re: Windows Intent t… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Ken Hornstein
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Paul Romero
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Luke Howard
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Andrew Bartlett
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Updates to IAKERB (Re: Windows Intent to… Nico Williams
- Re: [kitten] Updates to IAKERB (Re: Windows Inten… Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos D.Rogers
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Watson Ladd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Simo Sorce