Re: [kitten] Token Preauth for Kerberos

["Zheng, Kai" <kai.zheng@intel.com>]

Hi Max,

Would you help clarify the support situation or plan/schedule in JRE/JDK for the mentioned protocol transition (s4u2self) + constrained delegation (s4u2proxy) if I'm not correct? Thanks.

Regards,
Kai

-----Original Message-----
From: Zheng, Kai 
Sent: Friday, June 13, 2014 3:16 PM
To: 'Simo Sorce'
Cc: kitten@ietf.org; krbdev@mit.edu
Subject: RE: [kitten] Token Preauth for Kerberos

Hi Simo,

>> have you considered protocol transition (s4u2self) + constrained delegation (s4u2proxy) to get tickets at an authentication gateway instead of a new pre auth mechanism ?

Yes we proposed for the Hadoop community a centralized Authn & Authz Server (HAS) that might be like the gateway as you mentioned. It's widely discussed and confirmed that it would be great the server allows plugin of authentication module/provider but all mechanisms output token. Sure I guess it's possible to use token to go thru s4u2self and s4u2proxy in the Kerberos facility across the ecosystem but as far as I know JRE just starts to support it from JDK8. Anyhow I would check this and make sure it's a doable option not in so long future.

A question regarding this:
Is it possible to contain the token in service ticket resulted from s4u2self and s4u2proxy as authorization data so that services can get it as proposed in token-preauth? Note in our wanted solution, token not just serves for authentication, but also is meant to be passed (or the token attributes) to service side for fine-grained authorization.

Thanks & regards,
Kai

-----Original Message-----
From: Simo Sorce [mailto:simo@redhat.com]
Sent: Friday, June 13, 2014 5:37 AM
To: Zheng, Kai
Cc: kitten@ietf.org; krbdev@mit.edu
Subject: Re: [kitten] Token Preauth for Kerberos

On Tue, 2014-06-10 at 12:19 +0000, Zheng, Kai wrote:
> Hi all,
> 
> I would like to mention an effort regarding Kerberos and propose a new 
> Kerberos preauth mechanism, token-preauth. Before dive into that, 
> please kindly allow me to introduce, mainly for the background and 
> scenario for the proposal.
> 
> I'm an engineer from Intel and develop identity and security related 
> products. The current focus is Apache Hadoop, and our goal is enabling 
> Hadoop to support more authentication mechanisms and providers.
> Currently Hadoop only supports Kerberos authentication method as the 
> built-in secured one and it's not easy to add more since it involves 
> changing into many projects on top of it in the large ecosystem. The 
> community had proposed a token based authentication, planned to add 
> TokenAuth method for Hadoop and by TokenAuth then all kinds of 
> authentication providers can be supported since their authentication 
> results can be wrapped into token, and the token can be employed to 
> authenticate to Hadoop across the ecosystem. The effort is still 
> undergoing. Considering the complexity, risk and deployment overhead 
> of this approach, our team investigate and think of another possible 
> solution, i.e. support token in Kerberos. The basic idea is allow end 
> users to authenticate to Kerberos with their tokens and obtain 
> tickets, then access Hadoop services using the tickets as current flow 
> goes. The PoC was already done, and we make it work seamlessly from 
> MIT Kerberos to Java world and Hadoop. However we think it's very 
> important to get the key point token-preauth be reviewed by you 
> security and Kerberos experts, to make sure it's defined and 
> implemented in compliance with the existing standards and protocols, 
> without involving security critical leaks. So please kindly give your 
> feedback and we appreciate it.

Kai,
have you considered protocol transition (s4u2self) + constrained delegation (s4u2proxy) to get tickets at an authentication gateway instead of a new pre auth mechanism ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York