IETF Logo Mail Archive

Re: [kitten] Kerberos Preauth Registration for OAuth2 device flow

Greg Hudson <ghudson@mit.edu> Wed, 10 November 2021 06:22 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47F9B3A12C3 for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 22:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.828
X-Spam-Level:
X-Spam-Status: No, score=-4.828 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.4, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mUfBVXuQitNW for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 22:22:14 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8565B3A12C2 for <kitten@ietf.org>; Tue, 9 Nov 2021 22:22:14 -0800 (PST)
Received: from [18.30.8.185] ([18.30.8.185]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1AA6M7pL003699 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 10 Nov 2021 01:22:08 -0500
To: Sam Hartman <hartmans-ietf@mit.edu>, kitten@ietf.org
Cc: Pavel Březina <pbrezina@redhat.com>
References: <0100017d06db6c83-21cbd2ce-f371-48a9-88ce-5b6452842241-000000@email.amazonses.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <99094d0b-6bc1-d896-4f70-83f2e1696eb3@mit.edu>
Date: Wed, 10 Nov 2021 01:22:07 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <0100017d06db6c83-21cbd2ce-f371-48a9-88ce-5b6452842241-000000@email.amazonses.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/lx3QEFXPnxTUT9UTMj4o9lWrXFA>
Subject: Re: [kitten] Kerberos Preauth Registration for OAuth2 device flow
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 06:22:18 -0000

On 11/9/21 5:39 PM, Sam Hartman wrote:
> Basic approach.
> The KDC provides the client a URI  and a code (or a URI specific to that
> authentication interaction.)
> The client spawns a web browser, does stuff, and eventually somehow the
> client lets its Kerberos app know that authentication has happened, and
> then the KDC goes off to see if it believes that.
> 
> AS far as I can tell, the reply key is never used (it is replaced) so a
> long-term password is not needed.

Some additional context: this is essentially the same user experience as
one sees when authorizing a set-top box to a video streaming service
using OAuth2.  The initial proposal was to extend MIT krb5's FAST OTP
implementation to support this on the back end.  Although we got to the
point of a working implementation, I decided to recommend a new preauth
type because (1) sending an empty or meaningless otp-value doesn't fit
the spirit of OTP preauth, and (2) displaying a properly localized
prompt would require building a sub-protocol into the otp-challenge field.

Like FAST OTP without must-encrypt-nonce, this mechanism replaces the
reply key with the armor key, so that the mechanism can be used in place
of a long-term password.

> 1) It appears to have the same   issues with anonymous pkinit that OTP
> has.
> You probably do not want to use this FAST factor with a armor ticket you
> got from anonymous pkinit.
> If you do, you need to verify the KDC's identity elsewhere.

Note that MIT krb5's anonymous PKINIT implementation always
authenticates the KDC (via its certificate, which must have a signature
chain leading to an explicitly configured anchor).

If a Kerberos client contains an implementation of unauthenticated
PKINIT, I would expect it to also contain some facility for recognizing
armor tickets that don't authenticate the KDC, and reject the use of
those as armor for FAST OTP (without must-encrypt-nonce) or this mechanism.

> 2) This effectively gives you an arbitrary URI that you have no way to
> validate and encourages the user to go authenticate to that URI.
> 
>   * Appears to be a phishing vector

Potentially, as is FAST OTP.  One hopes that it is at least as difficult
to fool a user into authenticating to a malicious Kerberos realm as it
would be to directly fool the user into authenticating to the malicious
URI.  The user is not being asked to present any additional information
of value to the given URI beyond what is necessary to authenticate,
since the code is presented by the same authority as the URI.

>   * Appears to be a malicious code vector.  I'm particularly concerned
>     about a case where this is part of machine login.  You'd be running
>     potentially attacker supplied  code in a pre-login context.  I hope
>     your sandboxing is good.

I don't think we're expecting the Kerberos client implementation to fire
up its own web browser.  As with a set-top box or similar device, the
URL and code are presented to the user in a prompt.  If this mechanism
were used at login time, the user would probably have to run the browser
on a different device.

> On the interoperability side, the protocol between the KDC  and the
> OAuth provider does not appear to be described at all.
> You get vendor lockin between a KDC and OAuth provider as far as I can
> tell.

Preauth mechs don't generally specify back-end protocols; certainly RFC
6560 does not.  The FreeIPA implementation will (to the best of my
knowledge) use RADIUS, with the URL and code being presented to the KDC
in an Access-Challenge with an accompanying State.  An encrypted
PA-FX-COOKIE can be used to remember the state between the first client
request and the second.  There are some details that would have to be
squared between interoperable implementations, such as the
Access-Challenge format and the cookie format.  (MIT documents its
encrypted PA-FX-COOKIE facility, but there is likely to be some
formatting of the preauth-type-specific cookie contents as well.)

Luke wrote:
> would the vendor consider defining as a GSS-API mechanism that could be used with draft-perez-krb-wg-gss-preauth?

I think that would be a significant hurdle.  Note that for a
single-threaded KDC, this mechanism is ideally implemented with
asynchronous communication between the KDC and the identity provider.  A
generic GSSAPI preauth bridge probably can't do that.

v2.23.0 | Report a Bug | By Email