IETF Logo Mail Archive

Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Greg Hudson <ghudson@mit.edu> Thu, 24 August 2017 00:38 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475AF132A92 for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 17:38:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BGsqtjMrcoRd for <kitten@ietfa.amsl.com>; Wed, 23 Aug 2017 17:38:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5E781200B9 for <kitten@ietf.org>; Wed, 23 Aug 2017 17:38:14 -0700 (PDT)
X-AuditID: 12074422-44bff7000000158d-97-599e1ff36334
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 6F.7C.05517.3FF1E995; Wed, 23 Aug 2017 20:38:11 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v7O0cAkT018476; Wed, 23 Aug 2017 20:38:11 -0400
Received: from [18.101.8.119] (VPN-18-101-8-119.MIT.EDU [18.101.8.119]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7O0c7ML024924 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 23 Aug 2017 20:38:09 -0400
To: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
Date: Wed, 23 Aug 2017 20:38:07 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrKIsWRmVeSWpSXmKPExsUixG6novtZfl6kwYUWM4tVvR1sFkc3r2Kx uLjsJ4vFnyX72R1YPI59vsLosWTJTyaP+bNnMXnM3dXHGMASxWWTkpqTWZZapG+XwJVx//9S toLdHBWH/19kaWB8wtbFyMkhIWAicfTVZGYQW0hgMZPEux2uXYxcQPZGRonL054zQThHmSQW bj/M2MXIwSEsUC5xa1MoSFxE4CGjRMPzpcwQRS1MEpOWTWECGcUmoCyxfv9WFhCbV8BKYnrj arAVLAKqEv/ebgJbLSoQIfGwcxc7RI2gxMmZT8DqOQVsJSa/6wazmQX0JHZc/8UKYctLbH87 h3kCI/8sJC2zkJTNQlK2gJF5FaNsSm6Vbm5iZk5xarJucXJiXl5qka6pXm5miV5qSukmRnDo uijtYJz4z+sQowAHoxIPr8aSuZFCrIllxZW5hxglOZiURHmfSM+LFOJLyk+pzEgszogvKs1J LT7EKMHBrCTCmyQHlONNSaysSi3Kh0lJc7AoifOKazRGCAmkJ5akZqemFqQWwWRlODiUJHid QRoFi1LTUyvSMnNKENJMHJwgw3mAhruCDS8uSMwtzkyHyJ9iVJQS550PkhAASWSU5sH1glNL Kkf5K0ZxoFeEefeDVPEA0xJc9yugwUxAgyedmAMyuCQRISXVwGi9sS57advjC4dOh+2Q8TWc ECoS0yl80elR6v9Z5RpMzUZlr//+FUp4xPXHT+CrgLb/F121mAtiCn4G20tXzU7/aNTPtJhD lWfxGu43+w90aYpISs52mtEjkHN/bWmo8E/DXz7SHpy5Dt5z5s+QnfLYuLArPOSTYe+sN3Pn swiGq+qHzG/iVWIpzkg01GIuKk4EAP1MbXkIAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/aJ-DRjICZJXt8LC2EMLFsYhmptw>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 00:38:16 -0000

On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
>> KDCs both appear to perform the transited check and set the flag by default.
> 
> But Windows KDCs doesn't set this bit (I guess because it's just not
> useful).

I don't agree at all that the bit isn't useful.  That bit is how a KDC
communicates that it vouches for the transited path.  Unfortunately, you
do appear to be correct about Windows KDCs.  MS-KILE says:

    The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
    MUST NOT check for transited domains on servers or a KDC.
    Application servers MUST ignore the TRANSITED-POLICYCHECKED flag.

which basically means Microsoft has declined to conform to RFC 4120 in
this area, instead requiring servers to implement PACs to interoperate
in a cross-realm environment.

I guess the proposed credential option is necessary, in that case.

v2.23.0 | Report a Bug | By Email