IETF Logo Mail Archive

Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher <metze@samba.org> Mon, 09 August 2021 09:00 UTC

Return-Path: <metze@samba.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79DE13A0A3E for <kitten@ietfa.amsl.com>; Mon, 9 Aug 2021 02:00:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=samba.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UfhGrjRM41bw for <kitten@ietfa.amsl.com>; Mon, 9 Aug 2021 02:00:09 -0700 (PDT)
Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F9BE3A0A3B for <kitten@ietf.org>; Mon, 9 Aug 2021 02:00:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Date:Message-ID:From:Cc:To; bh=CWlIwO0c80xZCxL4sR47eLdNzUc//D/fAJvO2Rzo1mM=; b=ZcZvhpDEW0VJxt2bcALQq7H3Qz 30jor+lmmunLonTQvr3knY0k152uw5T3laLkIN5xRirup0tue36ApXDa/hYtyC5qbiQ0TkUUsQgVP gOVRPzwO+kepqiEfxXb0VOWokf3owqFYYjPA9sxBXp0cGIZ4fhz+lDIkFW/EErHwFcum8ohXzbn7Y yTacELlMhPlvXfiR6/qDfpBeR9jinqN/uVGXTGE7blUmPdVJSxotsMGm2r3FU97vreSA5uaaqVwTQ RFNwOPfy6fgsasvbUn4GuLf2r8DMrRAqPTavEatjysve5eah8E8TX5HMYmHAoNV7rRy79jdFfA2U6 9QWX8KCGfZtJDZ6EnmQpxHaUv5OrMm83GkdCIMbPWN+fzHwcPx440Bp/jXRQmB5UkZI9Fs+KCiB/p bSb8I5c9zn2vvTxtsiD5CChj6nWsl6j84zdT7HDgeS4Hv1wtjOXGGySf1WjOGxtZRLnRRAxcHakcG uuukzd31MghUWXI3oKgCTJsi;
Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mD18d-000KN9-Br; Mon, 09 Aug 2021 09:00:03 +0000
To: Greg Hudson <ghudson@mit.edu>, Nico Williams <nico@cryptonector.com>
Cc: kitten@ietf.org, Samba Technical <samba-technical@lists.samba.org>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>
References: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com> <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org> <1503596189.3428.26.camel@redhat.com> <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org> <8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org> <cb0d7433-9e23-5bce-4e06-1213bf88cade@samba.org> <20191121223908.GC26241@localhost> <22f96c93-0217-0b2b-d7e1-684f9269fba4@samba.org> <20191122224526.GA28614@localhost> <8b72197d-2fcc-5b4f-4392-12d53d1ec624@samba.org> <5bcc2951-afdf-0849-5c16-f542afe214a1@samba.org> <3d693bdd-9a4c-7135-318e-593e18e52cd0@mit.edu> <9062428f-f26d-4f10-b71f-f54464df2ff4@samba.org> <c388e3f9-bf85-8ffd-3640-b27e0552a96a@samba.org> <276401e2-5d09-29d2-be1b-5e876f49c0eb@mit.edu>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <22c35d56-cc7b-e3b1-c357-d387f11d9d22@samba.org>
Date: Mon, 09 Aug 2021 10:59:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <276401e2-5d09-29d2-be1b-5e876f49c0eb@mit.edu>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="Xp3Yih5Hu6WcbkPjq8hyTMyVwN4ZgedUI"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/i5lqsILQ5iOgV-aI78TzYXrmaRA>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2021 09:00:15 -0000

Hi Greg,

> On 8/2/21 10:49 AM, Stefan Metzmacher wrote:
>> To summarize the discussion we had active directory DCs do transited
>> checking (even without a PAC) and fails to issue service tickets
>> if the check fails, so any service ticket is already checked,
>> but without TKT_FLG_TRANSIT_POLICY_CHECKED being added to the
>> ticket.
> 
> I just want to acknowledge here that we're taking on technical debt
> because the non-conformant party is perceived to be inflexible.
> 
>> The initial solution I proposed was:
>>
>> 	gss_set_cred_option(acceptor_creds, GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
> [...]
>> But it seems gss_set_cred_option() is not accepted because it's
>> a deprecated.
> 
> Personally I'm fine with this.

Ok, should I just use a different oid (I can allocate one from the Samba pool)
and submit the changes to MIT without the "wait for heimdal first" tag?

It would be great to have that in MIT and we can also apply it to
Samba's fork of Heimdal and have most Samba setups covered.

>> 1. An additional cred_store element could be passed to
>>    gss_acquire_cred_from() in order to set the
>>    GSS_CF_NO_TRANSIT_CHECK flag on acceptor_creds
> 
> This is similar to a cred option.  I don't see any strong advantages of
> one over the other.

Same here, I just wanted to find ways to make Nico happy.

>> 2. I think someone had the idea of using gss_set_sec_context_option()
> 
> This seems hard to do without (per-thread) global state.  Even if we
> bring in gss_create_sec_context() from some versions of the channel
> bindings draft, the mechglue doesn't know mechanism will be used to
> accept the context, so it would have to store OID/value pairs in the
> mechglue context and replay them to the mech context once it finds out
> which kind of mech context to create.  (And hope that all of the context
> option values are flat byte strings, not structures containing pointers
> to objects whose lifetimes might have expired between the
> set_cred_option() call and the first accept_sec_context() call.)
> 
> Doing this with global state seems strictly worse than communicating the
> flag via the cred.

Yes, it seems way to complex.

>> 3. Implement a krb5.conf option similar to "dns_canonicalize_hostname"
>>    or "ignore_acceptor_hostname" from MIT
> 
> I would argue for this to be a per-realm option if we do this, since
> it's a statement about a particular realm's KDCs being non-conformant.

Ok. I can also implement that in addition to the GSS_KRB5_CRED_NO_TRANSIT_CHECK_X
option.

Thanks for the feedback!
metze

v2.23.0 | Report a Bug | By Email