Re: [kitten] Token Preauth for Kerberos
Simo Sorce <simo@redhat.com> Tue, 17 June 2014 12:43 UTC
On Tue, 2014-06-17 at 05:35 +0000, Zheng, Kai wrote:
> >> You need to modify something anyway, constrained delegation sounds
> >> like a better way than trying to devise a whole new pre-auth plugin.
>
> As far as I know s4u2self & s4u2proxy plus constrained delegation are
> from MS and I'm not sure we could modify it as we need. A new
> token-preauth based on existing Kerberos and framework is more
> preferred for us since the plugin is easy to deploy, also we believe
> the mechanism using JWT token will open the door to integrate Kerberos
> with OAuth.

I think AD data can be added with s4u2self/s4u2proxy as well, what other
modifications do you have in mind?

> >> However you should only transmit the authorization data, not the
> >> whole token, otherwise you destroy every single security property of
> >> Kerberos.
> >>
> >> I can't see any krb admin as accepting something like that.
>
> Yes I agree. As discussed with Greg and also said here in my previous
> email, we will not pass the token itself to service, instead token
> attributes or the derivation that can't be used to authenticate with
> KDC.

Do you have a standardized AD element in mind, or are you going to
define a new one?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
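As an added illustration of the point both sides agree on above (the service receives token-derived attributes, never the bearer token itself), and not code from this thread or from any Kerberos implementation: a Python sketch of what a KDC-side token preauth module could do with an HS256 JWT. The signing key, the sample claims and the chosen claim subset are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key shared between the token issuer and the KDC (assumption).
TOKEN_KEY = b"constructed-demo-key"

# Claims the KDC copies into the ticket as authorization data (assumption).
# The signature and the raw token are deliberately never part of this set.
AD_CLAIMS = ("sub", "groups", "iss")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; used only to construct sample input for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """KDC-side check: accept the token only if its HMAC verifies; else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64 or JSON, wrong number of segments
        return None


def derive_authz_data(token: str, key: bytes) -> Optional[dict]:
    """Return only the derived attributes destined for the ticket's AD element.

    A service holding this data cannot replay it as a bearer token: there is
    no signature and no token structure left, only KDC-vetted claim values.
    """
    claims = verify_jwt(token, key)
    if claims is None:
        return None
    return {k: claims[k] for k in AD_CLAIMS if k in claims}
```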