Re: [kitten] Token Preauth for Kerberos
"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Tue, 10 June 2014 20:57 UTC
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "Zheng, Kai" <kai.zheng@intel.com>, "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@mit.edu>
Thread-Topic: Token Preauth for Kerberos
Date: Tue, 10 Jun 2014 20:56:41 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D5EBE@001FSN2MPN1-044.001f.mgd2.msft.net>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/mP3CgngUli_KdIUP4EILPbrWoOs
Subject: Re: [kitten] Token Preauth for Kerberos
> This proposes to add another preauthentication mechanism, similar to OTP and PKINIT, for Kerberos, based on the Kerberos preauthentication framework and a FAST tunnel. It allows a 3rd party token in JWT format, like an OAuth bearer token, to be used as a credential to authenticate to the KDC for a normal principal instead of a user password. When using the token to request a TGT, the user name or other attributes claimed in the token must match the target Kerberos principal. PKI is used to establish the trust relationship between the 3rd party token issuer and the KDC.

Very cool. Might I ask how you map identities from the 3rd party scheme into the Kerberos PRINCIPAL@REALM scheme? I assume from the above that the actual binding is performed using a kx509 certificate issued by a trusted CA? Is there a proposed algorithm to generate Kerberos identities from 3rd party ones, or is this a function of the CA?

Let me back up a bit. Is this being proposed as a gateway such that identities from 3rd party identity systems have a standardized representation in Kerberos (thus ensuring that tokens and Kerberos identities are correctly associated)? Or is this a means for manually created users in the local KDC to use their "regular" password? If the latter, how does one ensure that the same person is in control of the Kerberos identity and the external one?

Bryce

PS: Is your MIT krb5 plugin code somewhere public? :)
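As an added illustration of the check the quoted proposal describes (the claims in a presented token must match the target Kerberos principal, and the KDC must only trust tokens from issuers it has a trust relationship with), here is a small KDC-side verifier. It is example code written for this message, not code from the draft, from the MIT krb5 plugin, or from anyone in the thread. Two simplifications are assumptions: the issuer's signature is checked with an HMAC key from a constructed trust store where the draft uses PKI, and the identity mapping is a constructed table from token issuer to Kerberos realm, with the token's `sub` claim becoming the principal name. That table is one concrete answer to the mapping question above, not the draft's.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: issuer -> verification key. The draft establishes
# issuer/KDC trust with PKI (asymmetric keys); a shared HMAC key stands in here.
TRUSTED_ISSUERS = {
    "https://idp.example.com": b"constructed-example-key",
}

# Assumed mapping rule: each trusted issuer may vouch for exactly one realm.
ISSUER_REALM = {
    "https://idp.example.com": "EXAMPLE.COM",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, claims: dict) -> str:
    """Issuer side: build a compact JWS (HS256) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """KDC side: return the claims only if issuer, signature and lifetime check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    # Pin the algorithm before touching any key; this rejects alg=none and friends.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def map_to_principal(claims: dict) -> str:
    """Assumed mapping: sub@REALM, where REALM is fixed by the issuer, not by the token."""
    realm = ISSUER_REALM[claims["iss"]]
    sub = claims["sub"]
    # Refuse subjects that could smuggle a realm or instance component into the name.
    if "@" in sub or "/" in sub:
        raise ValueError("unsafe subject")
    return f"{sub}@{realm}"


def authorize_preauth(token: str, requested_principal: str, now=None):
    """Decide whether the token may stand in for the password of requested_principal."""
    try:
        claims = verify_token(token, now)
        bound = map_to_principal(claims)
    except (ValueError, KeyError) as err:
        return False, f"token rejected: {err}"
    if bound != requested_principal:
        return False, f"claimed identity {bound} does not match {requested_principal}"
    return True, "ok"


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["https://idp.example.com"]
    tok = mint_token(key, {"iss": "https://idp.example.com", "sub": "alice",
                           "nbf": 1000, "exp": 2000})
    print(authorize_preauth(tok, "alice@EXAMPLE.COM", now=1500))
    print(authorize_preauth(tok, "bob@EXAMPLE.COM", now=1500))
```

The realm is taken from the issuer table rather than from any claim in the token, so a token issuer can only ever vouch for principals in the realm the KDC administrator assigned to it, which is the property the "must match the target Kerberos principal" rule is meant to guarantee.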