Re: [kitten] Token Preauth for Kerberos

Simo Sorce <simo@redhat.com> Thu, 12 June 2014 21:37 UTC

From: Simo Sorce <simo@redhat.com>
To: "Zheng, Kai" <kai.zheng@intel.com>
Date: Thu, 12 Jun 2014 17:37:18 -0400
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/n-xF6FzVxPzETC-nYIcez849LGc
Cc: "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@mit.edu>

On Tue, 2014-06-10 at 12:19 +0000, Zheng, Kai wrote:
> Hi all,
> 
> I would like to mention an effort regarding Kerberos and propose a new
> Kerberos preauth mechanism, token-preauth. Before diving into that,
> please kindly allow me to introduce, mainly for the background and
> scenario for the proposal.
> 
> I'm an engineer from Intel and develop identity and security related
> products. The current focus is Apache Hadoop, and our goal is enabling
> Hadoop to support more authentication mechanisms and providers.
> Currently Hadoop only supports Kerberos authentication method as the
> built-in secured one and it's not easy to add more since it involves
> changing into many projects on top of it in the large ecosystem. The
> community had proposed a token based authentication, planned to add
> TokenAuth method for Hadoop and by TokenAuth then all kinds of
> authentication providers can be supported since their authentication
> results can be wrapped into token, and the token can be employed to
> authenticate to Hadoop across the ecosystem. The effort is still
> ongoing. Considering the complexity, risk and deployment overhead
> of this approach, our team investigated and thought of another possible
> solution, i.e. support token in Kerberos. The basic idea is to allow end
> users to authenticate to Kerberos with their tokens and obtain
> tickets, then access Hadoop services using the tickets as current flow
> goes. The PoC was already done, and we make it work seamlessly from
> MIT Kerberos to Java world and Hadoop. However we think it's very
> important to get the key point, token-preauth, reviewed by you
> security and Kerberos experts, to make sure it's defined and
> implemented in compliance with the existing standards and protocols,
> without involving security critical leaks. So please kindly give your
> feedback and we appreciate it.

Kai,
have you considered protocol transition (s4u2self) + constrained
delegation (s4u2proxy) to get tickets at an authentication gateway
instead of a new preauth mechanism?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York