IETF Logo Mail Archive

Re: [kitten] Token Preauth for Kerberos

Thomas Hardjono <hardjono@MIT.EDU> Tue, 10 June 2014 15:10 UTC

Return-Path: <hardjono@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA021B27FF for <kitten@ietfa.amsl.com>; Tue, 10 Jun 2014 08:10:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.252
X-Spam-Level:
X-Spam-Status: No, score=-3.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDKwpZgRsCSX for <kitten@ietfa.amsl.com>; Tue, 10 Jun 2014 08:10:06 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98F491B2802 for <kitten@ietf.org>; Tue, 10 Jun 2014 08:10:05 -0700 (PDT)
X-AuditID: 12074423-f79916d000000c54-a2-53971fcce8d7
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 07.F6.03156.CCF17935; Tue, 10 Jun 2014 11:10:04 -0400 (EDT)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id s5AFA32l001809; Tue, 10 Jun 2014 11:10:04 -0400
Received: from OC11EXEDGE3.EXCHANGE.MIT.EDU (oc11exedge3.exchange.mit.edu [18.9.3.21]) by outgoing-exchange-1.mit.edu (8.13.8/8.12.4) with ESMTP id s5AFA22e014699; Tue, 10 Jun 2014 11:10:03 -0400
Received: from OC11EXHUB9.exchange.mit.edu (18.9.3.23) by OC11EXEDGE3.EXCHANGE.MIT.EDU (18.9.3.21) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 10 Jun 2014 11:09:53 -0400
Received: from OC11EXPO24.exchange.mit.edu ([169.254.1.212]) by OC11EXHUB9.exchange.mit.edu ([18.9.3.23]) with mapi id 14.03.0158.001; Tue, 10 Jun 2014 11:10:01 -0400
From: Thomas Hardjono <hardjono@MIT.EDU>
To: "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@mit.edu>
Thread-Topic: Token Preauth for Kerberos
Thread-Index: Ac95oBHY/v5P0th/QSGCBpa/sVINTQLHZRBA
Date: Tue, 10 Jun 2014 15:10:00 +0000
Message-ID: <5E393DF26B791A428E5F003BB6C5342A71539056@OC11EXPO24.exchange.mit.edu>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [18.111.19.235]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_001E_01CF849C.84C8CAF0"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupjk+LIzCtJLcpLzFFi42IR4hRV1j0jPz3YYGqfhsXRzatYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVcep8E2vBt7SKB3dvsDUwfo3tYuTkkBAwkVi8bwozhC0mceHe ejYQW0hgNpNE92u+LkYuIPsAo8SahoVMEM5xRomW7R8YIZxtjBKPZj9mgXBWMUp8+t/EDtLP JqAhce73XjBbRMBL4s+F3WC2sIC6xN9/nVBxDYlfKw9D2UYSmxa+ZgSxWQRUJbqXX2YCsXkF giRebZjCAnFTsMS15vlgt3IKhEjM+ziFFcRmBLr7+6k1YPXMAuISt57MZ4L4R0Ti4cXTbDC/ /dv1EMpWlGhsn8YMcjSzQC+jxPYji6CWCUqcnPmEZQKj+Cwks2Yhq5uFpA6iyEDi/qEOVghb W2LZwtfMELa1xIxfB9kgbEWJKd0P2SFsU4nXRz8yLmDkWMUom5JbpZubmJlTnJqsW5ycmJeX WqRrppebWaKXmlK6iREUvewuyjsY/xxUOsQowMGoxMN7QGJ6sBBrYllxZe4hRkkOJiVR3s9S QCG+pPyUyozE4oz4otKc1OJDjCpAux5tWH2BUYolLz8vVUmEt+3vtGAh3pTEyqrUonyYMmkO FiVx3rfWVsFCAumJJanZqakFqUUwWRkODiUJXh85oAWCRanpqRVpmTklCGkmDs5DjBIcPEDD DUBqeIsLEnOLM9Mh8qcYdTluNZxpYxICu0BKnDdBFqhIAKQoozQPbg4sGb9iFAd6UZg3FmQU DzCRw016BbSECWiJaMRUkCUliQgpqQZGEyF2a1XbnewTM92nZZupB/J/fDVL9fWpLpnIz3vY PgVIs69iNJVwLClWeP+0Qbw6Y73lCvNdn+ZPyA8W+xQkpbZs1cngjLLPXnt0zk4WkZ/d11wb mmjPsCNlSf1ll7XvgpyFCk6yhJZpH/8l4yJu09Ibkudy+4qeVai8/vOZy6zCLdYpVymxFGck GmoxFxUnAgDIubwBoQMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/dTW17KGmVeFRWl3qFNqdfAziRII
Subject: Re: [kitten] Token Preauth for Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 15:10:09 -0000

Kai,

I think a token-preauth mechanism would be a very
useful addition to the set of mechanisms that we
have today.  

When do you plan to submit the draft to the KITTEN
WG?

Best.

/thomas/


____________________________________________


From: Kitten [mailto:kitten-bounces@ietf.org] On
Behalf Of Zheng, Kai
Sent: Tuesday, June 10, 2014 8:19 AM
To: kitten@ietf.org; krbdev@mit.edu
Subject: [kitten] Token Preauth for Kerberos

Hi all,

I would like to mention an effort regarding
Kerberos and propose a new Kerberos preauth
mechanism, token-preauth. Before dive into that,
please kindly allow me to introduce, mainly for
the background and scenario for the proposal.

I’m an engineer from Intel and develop identity
and security related products. The current focus
is Apache Hadoop, and our goal is enabling Hadoop
to support more authentication mechanisms and
providers. Currently Hadoop only supports Kerberos
authentication method as the built-in secured one
and it’s not easy to add more since it involves
changing into many projects on top of it in the
large ecosystem. The community had proposed a
token based authentication, planned to add
TokenAuth method for Hadoop and by TokenAuth then
all kinds of authentication providers can be
supported since their authentication results can
be wrapped into token, and the token can be
employed to authenticate to Hadoop across the
ecosystem. The effort is still undergoing.
Considering the complexity, risk and deployment
overhead of this approach, our team investigate
and think of another possible solution, i.e.
support token in Kerberos. The basic idea is allow
end users to authenticate to Kerberos with their
tokens and obtain tickets, then access Hadoop
services using the tickets as current flow goes.
The PoC was already done, and we make it work
seamlessly from MIT Kerberos to Java world and
Hadoop. However we think it’s very important to
get the key point token-preauth be reviewed by you
security and Kerberos experts, to make sure it’s
defined and implemented in compliance with the
existing standards and protocols, without
involving security critical leaks. So please
kindly give your feedback and we appreciate it.


The proposal – Kerberos token-preauth

This proposes to add another preauthentication
mechanism similar to OTP and PKINIT for Kerberos,
based on Kerberos preauthentication framework and
FAST tunnel. It allows 3rd party token in JWT
format like OAuth bearer token can be used as
credential to authenticate to KDC for a normal
principal instead of user password. When using the
token to request a tgt, the user name or other
attributes claimed in the token must match the
target Kerberos principal. PKI is used to
establish the trust relationship between 3rd party
token issuer and KDC. According to configured
certificate and public/private keys KDC decrypt
and verify the token, and determines to issue
ticket or not according to configured policy. The
token itself will be wrapped into ticket as new
authorization data and carried on to application
server side. The tgt and derived service ticket
resulted from token are not in much difference
except the contained token and work exactly as
normally. Besides that in application servers,
token can be extracted from service ticket and
employed further to do fine-grained authorization
since the token can contain rich identity
attributes.


POC implementation

1.       We implement a token-preauth plugin for
MIT Kerberos like OTP one and it does all the
necessary work that should be done for Kerberos
itself in both client side and KDC side. We need
update krb5.conf and kdc.conf to use and enable
the mechanism. The plugin is a so module and can
be separately installed/deployed. To protect token
between client and KDC in KDC-REQ/KDC-REP
exchanges, FAST must be used, therefore we suggest
PKINIT be deployed also.
2.       For end users, we provide ktinit tool as
follows:
ktinit -h
This tool uses token to authenticate to KDC and
obtains tgt for you.
ktinit [-t token | -T token-cache-file] [-c
kerb-ccache-file]
      when no token specified, ~/.tokenauth.token
will be used by default

In the behind, it requests the needed armor ticket
using PKINIT anonymous and then executes kinit
with the armor ticket and token with –X option,
gets tgt and puts the tgt in specified credential
cache
3.       For JAVA application servers (Apache
Hadoop services), we figured out how to extract
token from service tickets from both GSSAPI layer
and SASL layer.

It’s planned to have a draft for this work. Our
team is making effort to enable Kerberos to be
easily deployed in large Hadoop clusters and big
data platform and can integrate with other authn &
authz solutions well from enterprise and internet.
Thanks for your input, feedback and correction.

Regards,
Kai

v2.30.2 | Report a Bug | By Email | System Status