IETF Logo Mail Archive

Re: [kitten] Token Preauth for Kerberos

"Zheng, Kai" <kai.zheng@intel.com> Wed, 11 June 2014 13:29 UTC

Return-Path: <kai.zheng@intel.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 939211A0088 for <kitten@ietfa.amsl.com>; Wed, 11 Jun 2014 06:29:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C-lZjgEyC7pR for <kitten@ietfa.amsl.com>; Wed, 11 Jun 2014 06:28:59 -0700 (PDT)
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by ietfa.amsl.com (Postfix) with ESMTP id 286EA1A0084 for <kitten@ietf.org>; Wed, 11 Jun 2014 06:28:59 -0700 (PDT)
Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga103.fm.intel.com with ESMTP; 11 Jun 2014 06:23:51 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.01,458,1400050800"; d="scan'208";a="546274730"
Received: from fmsmsx106.amr.corp.intel.com ([10.19.9.37]) by fmsmga001.fm.intel.com with ESMTP; 11 Jun 2014 06:28:43 -0700
Received: from fmsmsx114.amr.corp.intel.com (10.18.116.8) by FMSMSX106.amr.corp.intel.com (10.19.9.37) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 11 Jun 2014 06:28:43 -0700
Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by FMSMSX114.amr.corp.intel.com (10.18.116.8) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 11 Jun 2014 06:28:43 -0700
Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.210]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.122]) with mapi id 14.03.0123.003; Wed, 11 Jun 2014 21:28:41 +0800
From: "Zheng, Kai" <kai.zheng@intel.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>, "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@mit.edu>
Thread-Topic: Token Preauth for Kerberos
Thread-Index: Ac95oBHY/v5P0th/QSGCBpa/sVINTQLSYH4wABj0KrA=
Date: Wed, 11 Jun 2014 13:28:40 +0000
Message-ID: <8D5F7E3237B3ED47B84CF187BB17B666118E445F@SHSMSX103.ccr.corp.intel.com>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6D5EBE@001FSN2MPN1-044.001f.mgd2.msft.net>
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D5EBE@001FSN2MPN1-044.001f.mgd2.msft.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.239.127.40]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/EZOFPJX4BEp8PIokpVa3KbFBl0w
Cc: "Jiang, Weihua" <weihua.jiang@intel.com>
Subject: Re: [kitten] Token Preauth for Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 13:29:01 -0000

Hi Bryce,

Thanks for your interest and valuable input.

The proposal assumes identities from 3rd party identity system are already synced with KDC backend identity store, either by manually or automatic process, 
either from other identity system to KDC or from KDC to other identity system. It assumes token authority against the identity system can issue JWT token
with defined header attributes by this mechanism, so that Kerberos and the mechanism can determine the principal and realm based on the token as 
target client principal to issue ticket.

However, I understand it's important to also consider the sync process between other identity system and KDC backend store for the users/principals that
need to do token authentication against KDC. It might be covered in this work but better in future version, or another effort. So far I just have some questions
as follows.
1. Could we define standard admin protocol to allow automatic user/principal sync between target identity system and KDC in both directions? Can kx509 
help here or other lightweight approach? Sure the process should be done in separate secure channel by KDC admin. Can the sync be done in acceptable time?

2. Related, is there any existing standard or practice to dynamically provisioning or destroying Kerberos principal accounts on demand in batch mode or one by one? 
This could be useful in large cluster with thousands of nodes (each requires quite a few service principals).

3. Could we relax Kerberos further, allow KDC issue ticket for non-exist principal and just determine the principal using defined token attributes (or mapping)? I'm not 
very sure this makes sense since this may violate Kerberos protocol but think about in some cases Kerberos can be just used as secure channel like SSL and the primary
authentication is already done for token prior to ticket requesting. Or if principal is absolutely a must and should be exist in KDC backend anyway, could it be dynamically
provisioned in the client request channel when KDC find the principal isn't exist but the KDC policy allows to create it right now?  

>> Is your MIT krb5 plugin code somewhere public?
Well I would clean up the POC codes and make it look better. When it's ready we'll make it public and update here. Hope this can be done soon.

Regards,
Kai

-----Original Message-----
From: Nordgren, Bryce L -FS [mailto:bnordgren@fs.fed.us] 
Sent: Wednesday, June 11, 2014 4:57 AM
To: Zheng, Kai; kitten@ietf.org; krbdev@mit.edu
Subject: RE: Token Preauth for Kerberos

>This proposes to add another preauthentication mechanism similar to OTP 
>and PKINIT for Kerberos, based on Kerberos preauthentication framework 
>and FAST tunnel. It allows 3rd party token in JWT format like OAuth 
>bearer token can be used as credential to authenticate to KDC for a 
>normal principal instead of user password. When using the token to 
>request a tgt, the user name or other attributes claimed in the token 
>must match the target Kerberos principal. PKI is used to establish the 
>trust relationship between 3rd party token issuer and KDC.

Very cool.

Might I ask how you map identities from the 3rd party scheme into the Kerberos PRINCIPAL@REALM scheme? I assume from the above that the actual binding is performed using a kx509 certificate issued by a trusted CA? Is there a proposed algorithm to generate Kerberos identities from 3rd party ones, or is this a function of the CA?

Let me back up a bit. Is this being proposed as a gateway such that identities from 3rd party identity systems have a standardized representation in Kerberos (thus ensuring that tokens and Kerberos identities are correctly associated)? Or is this a means for manually created users in the local KDC to use their "regular" password? If the latter, how does one ensure that the same person is in control of the Kerberos identity and the external one?

Bryce
PS: Is your MIT krb5 plugin code somewhere public? :)






This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

v2.30.2 | Report a Bug | By Email | System Status