IETF Logo Mail Archive

Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Greg Hudson <ghudson@mit.edu> Mon, 21 August 2017 14:05 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EA7913202D for <kitten@ietfa.amsl.com>; Mon, 21 Aug 2017 07:05:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qMoYHstvuVTc for <kitten@ietfa.amsl.com>; Mon, 21 Aug 2017 07:05:51 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCAA7132646 for <kitten@ietf.org>; Mon, 21 Aug 2017 07:05:51 -0700 (PDT)
X-AuditID: 12074424-16fff70000006ae1-f9-599ae8be1549
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id BF.49.27361.EB8EA995; Mon, 21 Aug 2017 10:05:50 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v7LE5md4019326; Mon, 21 Aug 2017 10:05:49 -0400
Received: from [18.101.8.158] (VPN-18-101-8-158.MIT.EDU [18.101.8.158]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7LE5jCB026736 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 21 Aug 2017 10:05:47 -0400
To: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
Date: Mon, 21 Aug 2017 10:05:45 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrMIsWRmVeSWpSXmKPExsUixCmqrLvvxaxIg2l9KharejvYLI5uXsVi cXHZTxaLP0v2szuweBz7fIXRY8mSn0we82fPYvKYu6uPMYAlissmJTUnsyy1SN8ugSvjwJcX rAWnOCvuL//H2sB4g72LkZNDQsBE4m/LeqYuRi4OIYHFTBJ3Zn1lBUkICWxklGi5HAKROMok cWHnRqAODg5hgXKJW5tCQeIiAg8ZJRqeL2WGaLCR+H7mL5jNJqAssX7/VhYQm1fASmLnzhuM IDaLgKrEspunmEBsUYEIiYedu9ghagQlTs58wgIyn1PAVqL9D9gYZgE9iR3Xf7FC2PIS29/O YZ7AyD8LSccsJGWzkJQtYGRexSibklulm5uYmVOcmqxbnJyYl5dapGuul5tZopeaUrqJERS2 7C4qOxi7e7wPMQpwMCrx8N7InxUpxJpYVlyZe4hRkoNJSZR3QypQiC8pP6UyI7E4I76oNCe1 +BCjBAezkgjvwT1AOd6UxMqq1KJ8mJQ0B4uSOK+4RmOEkEB6YklqdmpqQWoRTFaGg0NJgjfy OVCjYFFqempFWmZOCUKaiYMTZDgP0HB+kBre4oLE3OLMdIj8KUZFKXHeDpCEAEgiozQPrhec VlI55r1iFAd6RZj3DkgVDzAlwXW/AhrMBDTYsHUayOCSRISUVAPj3LN8Mc6OVZwxTSXrZkRo K0/UfRcvxtn08UQNs0v4X66F7nJFScJ3yzftuH8pKTJL8fivhdsdb/POq86o4QsPN+R31Tgr 97JwSqjbWpN7L0zfy4V1b+F4rbI8bdNs/YDD1008orbNXX0ny3Jra2NLytm2j69eaXRftC0S 2bq5cULSlt2226SVWIozEg21mIuKEwEPQsfLBgMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/OOgu-cW26vxjuPTLajFLDiLLejU>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 14:05:58 -0000

On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts it's own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.

I'm not sure about "any KDC in the trust chain trusts the next hop."
RFC 4120 doesn't think about cross-realm relationships in terms of
trust.  Simply having cross-realm keys with another realm doesn't
necessarily imply that the other realm is trustworthy.

> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) is their current form?

Well, it's mandatory in RFC 4120 section 2.7:

   Application servers MUST either do the transited-realm checks
   themselves or reject cross-realm tickets without
   TRANSITED-POLICY-CHECKED set.

It would be okay to skip this check on application servers if the ticket
has the TRANSITED-POLICY-CHECKED flag.  Heimdal appears to do this but
MIT krb5 does not; I'm not sure why as that behavior dates to before my
time.

v2.23.0 | Report a Bug | By Email