IETF Logo Mail Archive

Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher <metze@samba.org> Mon, 09 August 2021 12:15 UTC

Return-Path: <metze@samba.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC4493A0C34 for <kitten@ietfa.amsl.com>; Mon, 9 Aug 2021 05:15:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=samba.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9gjeHPxGX_EI for <kitten@ietfa.amsl.com>; Mon, 9 Aug 2021 05:15:24 -0700 (PDT)
Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B6443A0C33 for <kitten@ietf.org>; Mon, 9 Aug 2021 05:15:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Date:Message-ID:From:Cc:To; bh=x7UJGnJnT70mNioi9y7Q176ixy8oR1x3cK6KYD8HYKI=; b=QxugdTQ6vl+D5yVls8AitN37YW 8f3Bfgl4tyvpLesmCogn42JNpbsZx9ruUqyK66Sen4tb58Zjb+zbut+urRbGt29yhoz89E6j1ml9F wsho2V3pL+4rVtn3wrLvS2Rj/u6mudMeILVD5eSeZ0cG7kdcymqYSl6ekMUPqcoB2w/FOQHFToviB LWjgxlxZqpWcmSnEI3M3zPxujdXe9qURvbOf04vffnXzBhSjJIk+LVyuUqAudveuJq5+DNL89K6La AA/ONfa4F9u+S/oaPAO1cSrheAgRLwUURhIotuhuEH1SlJzD4n9L29kfQyzxrNCdQ2myCFFWNR+g9 1ALk5LTzP1Otx+5LENTU6+kJ1Fu2r8PNq5d7WXnbhTwCrMIRlRaniqscQvk7mcyAHf/+55+yFv1or MrDDUS8fK4zEBcee5RP5e0D2ZKRCuHVidh41irRuYaSyOlxeomOuRJvKK0ZIIJK8dn6/Qsf+i6lDm Eg3jOmWFQiWQ7NUh6B2CYR6D;
Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mD4BY-000Lvg-IT; Mon, 09 Aug 2021 12:15:16 +0000
To: Stefan Metzmacher <metze=40samba.org@dmarc.ietf.org>, Greg Hudson <ghudson@mit.edu>, Nico Williams <nico@cryptonector.com>
Cc: kitten@ietf.org, Samba Technical <samba-technical@lists.samba.org>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>
References: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com> <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org> <1503596189.3428.26.camel@redhat.com> <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org> <8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org> <cb0d7433-9e23-5bce-4e06-1213bf88cade@samba.org> <20191121223908.GC26241@localhost> <22f96c93-0217-0b2b-d7e1-684f9269fba4@samba.org> <20191122224526.GA28614@localhost> <8b72197d-2fcc-5b4f-4392-12d53d1ec624@samba.org> <5bcc2951-afdf-0849-5c16-f542afe214a1@samba.org> <3d693bdd-9a4c-7135-318e-593e18e52cd0@mit.edu> <9062428f-f26d-4f10-b71f-f54464df2ff4@samba.org> <c388e3f9-bf85-8ffd-3640-b27e0552a96a@samba.org> <276401e2-5d09-29d2-be1b-5e876f49c0eb@mit.edu> <22c35d56-cc7b-e3b1-c357-d387f11d9d22@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <4c48be85-1cec-ca04-19be-296423d3435d@samba.org>
Date: Mon, 09 Aug 2021 14:15:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <22c35d56-cc7b-e3b1-c357-d387f11d9d22@samba.org>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="CMVlaZV9k76CfTXOeddOoVj5dgzimXB7p"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/FIEizNcGh3HhMVHxWjSjIbezBS4>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2021 12:15:29 -0000

Am 09.08.21 um 10:59 schrieb Stefan Metzmacher:
> 
> Hi Greg,
> 
>> On 8/2/21 10:49 AM, Stefan Metzmacher wrote:
>>> To summarize the discussion we had active directory DCs do transited
>>> checking (even without a PAC) and fails to issue service tickets
>>> if the check fails, so any service ticket is already checked,
>>> but without TKT_FLG_TRANSIT_POLICY_CHECKED being added to the
>>> ticket.
>>
>> I just want to acknowledge here that we're taking on technical debt
>> because the non-conformant party is perceived to be inflexible.
>>
>>> The initial solution I proposed was:
>>>
>>> 	gss_set_cred_option(acceptor_creds, GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
>> [...]
>>> But it seems gss_set_cred_option() is not accepted because it's
>>> a deprecated.
>>
>> Personally I'm fine with this.
> 
> Ok, should I just use a different oid (I can allocate one from the Samba pool)
> and submit the changes to MIT without the "wait for heimdal first" tag?
> 
> It would be great to have that in MIT and we can also apply it to
> Samba's fork of Heimdal and have most Samba setups covered.
> 
>>> 1. An additional cred_store element could be passed to
>>>    gss_acquire_cred_from() in order to set the
>>>    GSS_CF_NO_TRANSIT_CHECK flag on acceptor_creds
>>
>> This is similar to a cred option.  I don't see any strong advantages of
>> one over the other.
> 
> Same here, I just wanted to find ways to make Nico happy.
> 
>>> 2. I think someone had the idea of using gss_set_sec_context_option()
>>
>> This seems hard to do without (per-thread) global state.  Even if we
>> bring in gss_create_sec_context() from some versions of the channel
>> bindings draft, the mechglue doesn't know mechanism will be used to
>> accept the context, so it would have to store OID/value pairs in the
>> mechglue context and replay them to the mech context once it finds out
>> which kind of mech context to create.  (And hope that all of the context
>> option values are flat byte strings, not structures containing pointers
>> to objects whose lifetimes might have expired between the
>> set_cred_option() call and the first accept_sec_context() call.)
>>
>> Doing this with global state seems strictly worse than communicating the
>> flag via the cred.
> 
> Yes, it seems way to complex.
> 
>>> 3. Implement a krb5.conf option similar to "dns_canonicalize_hostname"
>>>    or "ignore_acceptor_hostname" from MIT
>>
>> I would argue for this to be a per-realm option if we do this, since
>> it's a statement about a particular realm's KDCs being non-conformant.
> 
> Ok. I can also implement that in addition to the GSS_KRB5_CRED_NO_TRANSIT_CHECK_X
> option.

I just found the "reject_bad_transit" option that's already implemented for the MIT kdc,
but I guess we want an extra option, correct?

Do we want the new "no_transit_check" option to be used via:
krb5_appdefault_boolean()?

That would allow the following combinations in MIT:

1:
 [appdefaults]
     app = {
        SOME.REALM = {
             no_transit_check = true
        }
     }

2:
 [appdefaults]
     app = {
        no_transit_check = true
     }

3:
 [appdefaults]
     SOME.REALM = {
        no_transit_check = true
     }

4:
 [appdefaults]
      no_transit_check = true


While heimdal falls back to 2 additional options:

5:
  [realms]
     SOME.REALM = {
        no_transit_check = true
     }

6:

  [libdefaults]
      no_transit_check = true


metze

v2.23.0 | Report a Bug | By Email