Re: [kitten] Kerberos Preauth Registration for OAuth2 device flow
Greg Hudson <ghudson@mit.edu> Wed, 10 November 2021 06:22 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47F9B3A12C3 for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 22:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.828
X-Spam-Level:
X-Spam-Status: No, score=-4.828 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.4, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mUfBVXuQitNW for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 22:22:14 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8565B3A12C2 for <kitten@ietf.org>; Tue, 9 Nov 2021 22:22:14 -0800 (PST)
Received: from [18.30.8.185] ([18.30.8.185]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1AA6M7pL003699 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 10 Nov 2021 01:22:08 -0500
To: Sam Hartman <hartmans-ietf@mit.edu>, kitten@ietf.org
Cc: Pavel Březina <pbrezina@redhat.com>
References: <0100017d06db6c83-21cbd2ce-f371-48a9-88ce-5b6452842241-000000@email.amazonses.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <99094d0b-6bc1-d896-4f70-83f2e1696eb3@mit.edu>
Date: Wed, 10 Nov 2021 01:22:07 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <0100017d06db6c83-21cbd2ce-f371-48a9-88ce-5b6452842241-000000@email.amazonses.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/lx3QEFXPnxTUT9UTMj4o9lWrXFA>
Subject: Re: [kitten] Kerberos Preauth Registration for OAuth2 device flow
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 06:22:18 -0000
On 11/9/21 5:39 PM, Sam Hartman wrote: > Basic approach. > The KDC provides the client a URI and a code (or a URI specific to that > authentication interaction.) > The client spawns a web browser, does stuff, and eventually somehow the > client lets its Kerberos app know that authentication has happened, and > then the KDC goes off to see if it believes that. > > AS far as I can tell, the reply key is never used (it is replaced) so a > long-term password is not needed. Some additional context: this is essentially the same user experience as one sees when authorizing a set-top box to a video streaming service using OAuth2. The initial proposal was to extend MIT krb5's FAST OTP implementation to support this on the back end. Although we got to the point of a working implementation, I decided to recommend a new preauth type because (1) sending an empty or meaningless otp-value doesn't fit the spirit of OTP preauth, and (2) displaying a properly localized prompt would require building a sub-protocol into the otp-challenge field. Like FAST OTP without must-encrypt-nonce, this mechanism replaces the reply key with the armor key, so that the mechanism can be used in place of a long-term password. > 1) It appears to have the same issues with anonymous pkinit that OTP > has. > You probably do not want to use this FAST factor with a armor ticket you > got from anonymous pkinit. > If you do, you need to verify the KDC's identity elsewhere. Note that MIT krb5's anonymous PKINIT implementation always authenticates the KDC (via its certificate, which must have a signature chain leading to an explicitly configured anchor). If a Kerberos client contains an implementation of unauthenticated PKINIT, I would expect it to also contain some facility for recognizing armor tickets that don't authenticate the KDC, and reject the use of those as armor for FAST OTP (without must-encrypt-nonce) or this mechanism. > 2) This effectively gives you an arbitrary URI that you have no way to > validate and encourages the user to go authenticate to that URI. > > * Appears to be a phishing vector Potentially, as is FAST OTP. One hopes that it is at least as difficult to fool a user into authenticating to a malicious Kerberos realm as it would be to directly fool the user into authenticating to the malicious URI. The user is not being asked to present any additional information of value to the given URI beyond what is necessary to authenticate, since the code is presented by the same authority as the URI. > * Appears to be a malicious code vector. I'm particularly concerned > about a case where this is part of machine login. You'd be running > potentially attacker supplied code in a pre-login context. I hope > your sandboxing is good. I don't think we're expecting the Kerberos client implementation to fire up its own web browser. As with a set-top box or similar device, the URL and code are presented to the user in a prompt. If this mechanism were used at login time, the user would probably have to run the browser on a different device. > On the interoperability side, the protocol between the KDC and the > OAuth provider does not appear to be described at all. > You get vendor lockin between a KDC and OAuth provider as far as I can > tell. Preauth mechs don't generally specify back-end protocols; certainly RFC 6560 does not. The FreeIPA implementation will (to the best of my knowledge) use RADIUS, with the URL and code being presented to the KDC in an Access-Challenge with an accompanying State. An encrypted PA-FX-COOKIE can be used to remember the state between the first client request and the second. There are some details that would have to be squared between interoperable implementations, such as the Access-Challenge format and the cookie format. (MIT documents its encrypted PA-FX-COOKIE facility, but there is likely to be some formatting of the preauth-type-specific cookie contents as well.) Luke wrote: > would the vendor consider defining as a GSS-API mechanism that could be used with draft-perez-krb-wg-gss-preauth? I think that would be a significant hurdle. Note that for a single-threaded KDC, this mechanism is ideally implemented with asynchronous communication between the KDC and the identity provider. A generic GSSAPI preauth bridge probably can't do that.
- [kitten] Kerberos Preauth Registration for OAuth2… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Luke Howard
- Re: [kitten] Kerberos Preauth Registration for OA… Greg Hudson
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina
- Re: [kitten] Kerberos Preauth Registration for OA… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina
- Re: [kitten] Kerberos Preauth Registration for OA… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Benjamin Kaduk
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina
- Re: [kitten] Kerberos Preauth Registration for OA… Greg Hudson
- Re: [kitten] Kerberos Preauth Registration for OA… Sam Hartman
- Re: [kitten] Kerberos Preauth Registration for OA… Greg Hudson
- Re: [kitten] Kerberos Preauth Registration for OA… Pavel Březina