IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Tue, 21 February 2023 18:23 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C05ECC14F727 for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2023 10:23:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dds6TtKz3VOK for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2023 10:23:04 -0800 (PST)
Received: from fossa.birch.relay.mailchannels.net (fossa.birch.relay.mailchannels.net [23.83.209.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D8BC1595E5 for <kitten@ietf.org>; Tue, 21 Feb 2023 10:23:04 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 63ABF501D08; Tue, 21 Feb 2023 18:23:03 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id D1BB4502382; Tue, 21 Feb 2023 18:23:02 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1677003782; a=rsa-sha256; cv=none; b=UkhbPFJRBsinXHtZeQygv2qvxvscpnuhArSXG1IYZFH7/WBAza8yVAcQSGpX6vbBjiiLdd 4/yXi08xE0/tVwBZovlpMpPxaSiezO1kuJVNsyK2HqcJPotfNtkQeMi/EXU8/ftrjjNiZP aaEDoMCYd+Kmf9cEj9vQYPqJ0vHWrZud+gsvjscddQEy1NACBNvNZ0x9YsFmyveCHadWAx auEPwOj61rusWs0yPmA7mksAvPQWh/Jic9H9WzZVBR0e4FqiIzEycPAHAtvObnUanPmiE8 UmdBiZWOcvK2nPR7/HclUPlFwO2X2+6HqI5Co6SFMikc+lUIAxr31FTH3ovERA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1677003782; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=MzgzZKmaoTryNny8gfxdLatzubeWnFHwu63pOGwlauE=; b=z1Kw7xsO+qlFMcjwd10uOlFuCHCrEFxpszE0x6WAdEjpBh65WfpfZD/475cRQ9iuNP0rDo 8EgErVVc5C/OG22+e+nuMV6ebyKSx6FpalRb46Zteg5ICINEYtZftsLjMQc+wI+VDF6NKb Xxa5uNVls3digthi096Ug208PcuxUJmRkfjmrhll4XZpkDobiLsC9iOPJFm8pUVIime1c/ bUhPRfdhnxVOq/GB2foKwnHEw8P5YHeBsm/HDSLMg3QgRUBWtRxsUpzZklcvCnKUaNkZzP qnGuPlJGB3+s54RvpuBAxpxpsF+in9lb2HFPnv0hzwiFfbNlZM8n0Q7AgpQ8Qg==
ARC-Authentication-Results: i=1; rspamd-9788b98bc-t766b; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-White-Lyrical: 3443f51829081d30_1677003783169_4087690044
X-MC-Loop-Signature: 1677003783169:2393286723
X-MC-Ingress-Time: 1677003783169
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.109.196.241 (trex/6.7.1); Tue, 21 Feb 2023 18:23:03 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PLnhj6WY5z1P; Tue, 21 Feb 2023 10:23:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1677003782; bh=MzgzZKmaoTryNny8gfxdLatzubeWnFHwu63pOGwlauE=; h=Date:From:To:Cc:Subject:Content-Type; b=df1qS76wd/u6TZyOuqO3V4BJafYKyFcNbV1NHhd5DnuqBYd8NlfecvqSSDsHZHaSV VF7j+ngRQQIq4s4sEWJXpevxItqS5vpQW+YTZlygTpWJaQlbgVTzuANzm4wCNKizMO Qt0NWPteXm8DGwTioGyK/TKZx7LorzFSpb/YJ4URdOiWYf7B4J5LHTgYFq3GZjtuRZ ByRAAq7+JHgEcGT0HRcgRnQvLDEuKdz2BIPBVp5CMDopNbHbOMgJ62LInMzcRjIanA 7H2GMBHuwJyYkMcKzWlTIbeH03XNC2ExL99ujF2zPU22hkoKPjKPpqFRBRoRddG2nO JEYMVHRmz5S3Q==
Date: Tue, 21 Feb 2023 12:22:59 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/UMA7xZYpOAWK4N@gmail.com>
References: <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/50p3-l1N2UkdIMS_1PMMdWlzea0>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2023 18:23:08 -0000

On Tue, Feb 21, 2023 at 05:44:05PM +0000, Steve Syfuhs (AP) wrote:
> Here's a useful overview: https://syfuhs.net/how-managed-service-accounts-in-active-directory-work

That helps with running a service on multiple hosts, with each one
retrieving the services keys (well, password anyways).  That's the
intent, correct?

Does AD have key (password) history so that key rotation can be smooth?
I.e., can you change a key (password) and have AD retain the previous
one for some time so as to be able to decrypt extant tickets?

Key history is essential for rekeying trust accounts w/o outages.  It is
_not_ essential (in the KDC anyways) to rekeying other services than
trust accounts, but it _is_ very helpful for clustered services so that
if you add a member to the cluster it can fetch the keys it needs from
the KDC (directory) rather than having to build a thing for sharing keys
from one cluster member to another.

Heimdal's equivalent to your managed service accounts lets clients fetch
keytabs with:

 - all the keys (not passwords, but hey) needed to decrypt potentially
   extant (not yet expired) tickets

    - this potentially includes previous keys (kvnos)

 - all the keys not yet in service that will soon be needed to decrypt
   tickets

This is important because otherwise a new cluster member might not have
all the keys it needs to be able to decrypt tickets in AP-REQs presented
to it, causing something of an outate.  One can say "tough, you can go
get the keys from the other cluster members", but that's how people
conclude that Kerberos sucks.  Having a way to get the keys from the KDC
is much simpler than having to build and integrate a proprietary key
sharing mechanism.

In Heimdal we added a "new service key delay" feature that allows new
keys to be set that won't be used by KDCs yet for a specified amount of
time so as to give cluster members a chance to fetch / sync the new
keys.

We also have a feature where service principals whose names fall in
configured namespaces have their keys derived on the fly from the
namespace's base keys, the principals' names, and the current time
epoch.  And in this case too clients can fetch keytabs with all the keys
needed to decrypt potentially extant tickets + upcoming keys (as if
there was a new service key delay set on future keys).  When using this
feature keys rotate automatically based on the current time and
configured key rotation period for the namespace.

In principle Heimdal can store passwords in the HDB in addition to keys,
and we could have a feature where we return service passwords instead of
keys if desired by sites that prefer your focus on passwords rather than
keys.  We'd still want to return possibly more than one password though,
along with kvno and time metadata, and for that the keytab format is
pretty good -- we'd just need an "enctype" reserved for "password", or
enctypes for "password for deriving keys for enctype XYZ".

> Obviously the AD/Windows-specific stuff wouldn't be appropriate to
> apply to a public spec, but the gist of it might be useful.

Sure.  In this case the thing that's desirable is a protocol for
extracting the keys (passwords).  In your case it's just an LDAP query,
and authorization is handled by the directory (AD).  An HTTP API would
be much better because it would impose much less bloat on the client
stack.

I've concluded that HTTP APIs are a sine qua non for all of this stuff.
Want an online CA?  HTTP.  A kinit-as-a-service?  HTTP.  Negotiate as a
service?  HTTP.  Keytab fetching?  HTTP.  Canned admin tasks?  HTTP.
This has made integration of these new Heimdal features into site-local
orchestration systems much easier on the integrators.

Another thing I've concluded is that metastasizing directory schemas
into lots of codebases in time always becomes a huge headache and no
fun.  Besides, different solutions will have different schemas, and now
you more headaches.  The solution to this is to implement proxies that
provide "stored procedures" that implement simple interfaces to common
tasks.  From a protocol perspective I'd want to standardize such
interfaces.

Yes, LDAP is still needed in your case, though I suppose one could have
an HTTP JSON API that transliterates LDAP to/from JSON as an API to
LDAP.  But it's nice to have simpler HTTP APIs for common tasks.

Nico
--

v2.23.0 | Report a Bug | By Email