[kitten] Kerberos Preauth Registration for OAuth2 device flow
Sam Hartman <hartmans-ietf@mit.edu> Tue, 09 November 2021 22:39 UTC
Return-Path: <hartmans-ietf@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96D033A120F for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 14:39:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SshdSNZNz6Xz for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 14:39:44 -0800 (PST)
Received: from mail.suchdamage.org (mail.suchdamage.org [52.9.186.167]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74A703A124C for <kitten@ietf.org>; Tue, 9 Nov 2021 14:39:43 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.suchdamage.org (Postfix) with ESMTP id 5E2E130C20; Tue, 9 Nov 2021 17:39:42 -0500 (EST)
Received: from mail.suchdamage.org ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1sGfmkTs0IeB; Tue, 9 Nov 2021 17:39:42 -0500 (EST)
Received: from carter-zimmerman.suchdamage.org (71-218-140-158.hlrn.qwest.net [71.218.140.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) (Authenticated sender: hartmans-laptop) by mail.suchdamage.org (Postfix) with ESMTPSA; Tue, 9 Nov 2021 17:39:42 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 85938196E8C2; Tue, 9 Nov 2021 15:39:41 -0700 (MST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: kitten@ietf.org
Cc: Pavel Březina <pbrezina@redhat.com>, ghudson@mit.edu
Date: Tue, 09 Nov 2021 15:39:35 -0700
Message-ID: <tslr1bphs2g.fsf@suchdamage.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/G1kdnLQej7YzCNCTDCC4MCLyS6A>
Subject: [kitten] Kerberos Preauth Registration for OAuth2 device flow
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 22:39:46 -0000
It's been a while. I recently received a Kerberos preauth expert review request from IANA. The goal of the padata registration is to provide a way to perform Kerberos authentication based on the OAuth2 device authorization flow. Based on the criteria in section 7.1 of RFC 6113, I have determined that expert review is appropriate for this assignment. Based on section 3 of RFC 5226, I am seeking input from the relevant community. As a reminder, for this type of registration, we're supposed to review for security and interoperability concerns. I don't think there is a public spec; I was given a pointer to a Google doc. For this registry that is not required, although as part of an interoperability review, the availability of a spec is something we could legitimately consider. I think it is desirable to have such a mechanism, so I'd like to expediciously get to a place where we can provide any feedback and once that is addressed, approve the registration. Basic approach. The KDC provides the client a URI and a code (or a URI specific to that authentication interaction.) The client spawns a web browser, does stuff, and eventually somehow the client lets its Kerberos app know that authentication has happened, and then the KDC goes off to see if it believes that. AS far as I can tell, the reply key is never used (it is replaced) so a long-term password is not needed. There was no security considerations section in the document I got. Again, that's permitted by the registry, although it is also permitted for us to raise concerns about that in a specific instance. That does mean I'm stuck figuring out what the security considerations are. I think what I'd like to do is to star by making sure the authors are aware of the security considerations, and see if there are mitigations that can be applied. Then see how we feel about the overall security of the system. Concerns I have: 1) It appears to have the same issues with anonymous pkinit that OTP has. You probably do not want to use this FAST factor with a armor ticket you got from anonymous pkinit. If you do, you need to verify the KDC's identity elsewhere. 2) This effectively gives you an arbitrary URI that you have no way to validate and encourages the user to go authenticate to that URI. * Appears to be a phishing vector * Appears to be a malicious code vector. I'm particularly concerned about a case where this is part of machine login. You'd be running potentially attacker supplied code in a pre-login context. I hope your sandboxing is good. * If this is a highly trusted KDC, everything might be great. However there are a lot of cases in Kerberos (even with FAST) where you can get an untrusted KDC, and the mechanisms for KDC selection are less well protected than the rest of the protocol. (That's particularly true given some implementation issues). Having an armor ticket does not mean it is wise to trust a particular KDC. 3) Again, I think the security implications are different if you're already logged into the OAuth side vs if you're going to do an initial authentication flow with your OAuth provider. On the interoperability side, the protocol between the KDC and the OAuth provider does not appear to be described at all. You get vendor lockin between a KDC and OAuth provider as far as I can tell. I'd appreciate feedback on the following issues: A) Are there any additional security or interoperability concerns I should be thinking about? B) Are there mitigations we should suggest? C) Where should the bar for approval be? I'd appreciate comments in the next two weeks. --Sam
- [kitten] Kerberos Preauth Registration for OAuth2… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Luke Howard
- Re: [kitten] Kerberos Preauth Registration for OA… Greg Hudson
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina
- Re: [kitten] Kerberos Preauth Registration for OA… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina
- Re: [kitten] Kerberos Preauth Registration for OA… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Benjamin Kaduk
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina
- Re: [kitten] Kerberos Preauth Registration for OA… Greg Hudson
- Re: [kitten] Kerberos Preauth Registration for OA… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Greg Hudson
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina