IETF Logo Mail Archive

Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Greg Hudson <ghudson@mit.edu> Tue, 22 August 2017 15:02 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C7561321A8 for <kitten@ietfa.amsl.com>; Tue, 22 Aug 2017 08:02:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s0uOdZqKQ7-c for <kitten@ietfa.amsl.com>; Tue, 22 Aug 2017 08:02:47 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58B291320CC for <kitten@ietf.org>; Tue, 22 Aug 2017 08:02:47 -0700 (PDT)
X-AuditID: 12074423-c75ff7000000725a-30-599c47964206
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 6B.B1.29274.6974C995; Tue, 22 Aug 2017 11:02:46 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v7MF2iEV003126; Tue, 22 Aug 2017 11:02:45 -0400
Received: from [18.101.8.135] (VPN-18-101-8-135.MIT.EDU [18.101.8.135]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7MF2f4t031525 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 22 Aug 2017 11:02:42 -0400
To: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu> <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
Date: Tue, 22 Aug 2017 11:02:40 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrKIsWRmVeSWpSXmKPExsUixCmqrTvNfU6kwe41IharejvYLI5uXsVi cXHZTxaLP0v2szuweBz7fIXRY8mSn0we82fPYvKYu6uPMYAlissmJTUnsyy1SN8ugSvjSc90 toLVIhXPnzxjaWA8JdDFyMkhIWAi8WzfbuYuRi4OIYHFTBKrjr1gh3A2MkrsPzuHEcI5yiQx 8WoTSxcjB4ewQLnErU2hIHERgYeMEg3PlzKDjBISWMAoMf+OHojNJqAssX7/VhYQm1fASuLl pgZWEJtFQFVi0tw17CC2qECExMPOXewQNYISJ2c+AavnFLCV2Nh7lgnEZhbQk9hx/RcrhC0v sf3tHOYJjPyzkLTMQlI2C0nZAkbmVYyyKblVurmJmTnFqcm6xcmJeXmpRbpmermZJXqpKaWb GEGhy+6ivIPxZZ/3IUYBDkYlHl4L6zmRQqyJZcWVuYcYJTmYlER5J3+fHSnEl5SfUpmRWJwR X1Sak1p8iFGCg1lJhNfLCaicNyWxsiq1KB8mJc3BoiTOK67RGCEkkJ5YkpqdmlqQWgSTleHg UJLg7XcDahQsSk1PrUjLzClBSDNxcIIM5wEavgSkhre4IDG3ODMdIn+KUVFKnHebK1BCACSR UZoH1wtOLakc7a8YxYFeEebdCtLOA0xLcN2vgAYzAQ02bJ0GMrgkESEl1cCotkZgh0lnyeqF nL8m1i5dztg+++C1zXcs5J7eU7bzWqq+7N+RENepbdLzdTaavWmZJLXpSvJzpbUtTgcm3Gg4 NXPNdumYrvwg1men+6Uqsle81rU99/fU+Qf9BXYB/1ZbnlAQf1Px/sKcSwq/ZPe7f7hf4/vs kM5JI9YNq2MiJ0wPKDPcV8YRr8RSnJFoqMVcVJwIAIzy1FwIAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/oPztXhE-OfncTNIJnYyFztlwmxI>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 15:02:49 -0000

On 08/22/2017 07:22 AM, Stefan Metzmacher wrote:
>> I'm not sure about "any KDC in the trust chain trusts the next hop."
>> RFC 4120 doesn't think about cross-realm relationships in terms of
>> trust.  Simply having cross-realm keys with another realm doesn't
>> necessarily imply that the other realm is trustworthy.

> At least it allows the other realm to issue cross-realm referral
> tickets, which the local realm will most likely convert into service
> tickets which can be used by a principal of the other realm to
> access services in the local realm.

To authenticate, yes; whether that provides any access depends on the
services in the local realm.

> And the client principal names (including client realm) in the
> cross-realm ticket can contain any value, which is fully controlled
> by the other realms KDCs.

Yes, which makes it the local realm's job (either at the KDC or the
application server) to decide whether the other realm's KDC should be
able to claim that client realm name.  Completely trusting the foreign
realm is one option, but that option mostly restricts cross-realm
relationships to foreign realms of equal or greater privilege.  (I say
"mostly" because a KDC can trivially deny a ticket from the foreign
realm which purport to authenticate a client in the local realm.  So one
might be willing to trust a foreign realm to authenticate clients in all
non-local realms if one doesn't grant much privilege to any non-local
user anyway.)

> Would be acceptable then if I implement
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) for
> MIT and Heimdal in order to let an application service to skip the check
> if they know what they're doing by checking trusting there KDC and doing
> the PAC verification.

I think we should first consider whether it would be sufficient for MIT
krb5 to suppress the rd_req transited check if the
TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
KDCs both appear to perform the transited check and set the flag by default.

An application server always trusts its local KDC, but that trust isn't
useful for cross-realm relationships if the TRANSITED-POLICY-CHECKED
flag isn't in the ticket.  Clients can, in general, suppress the KDC
transited check with the DISABLE-TRANSITED-CHECK flag; therefore, a
ticket issued by the local KDC without the TRANSITED-POLICY-CHECKED flag
asserts nothing about the acceptability of the KDC path.

I am not sufficiently familiar with PACs to know whether PAC
verification is a fitting alternative to a transited policy check.

v2.23.0 | Report a Bug | By Email