Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR

Sam Hartman <hartmans-ietf@mit.edu> Thu, 14 May 2009 23:44 UTC

To: Srinivas Cheruku <Srinivas.Cheruku@CyberSafe.com>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDCD7@exchange.cybersafe.local>
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Thu, 14 May 2009 19:46:11 -0400
In-Reply-To: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDCD7@exchange.cybersafe.local> (Srinivas Cheruku's message of "Thu\, 14 May 2009 13\:35\:53 +0100")
Message-ID: <tslskj7w8n0.fsf@mit.edu>
Cc: ietf-krb-wg@anl.gov, "krbdev@mit.edu" <krbdev@MIT.EDU>
Subject: Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR

[I think these points need to be considered in a broader context than just the MIT implementation.
I think I've included enough context.]

>>>>> "Srinivas" == Srinivas Cheruku <Srinivas.Cheruku@CyberSafe.com> writes:


    Srinivas> 2.  PA-FX-COOKIE (not sure why this is required ??
    Srinivas> anyway, I think MIT uses some dummy cookie)

Per discussion on the ietf-krb-wg list, a KDC conforming to the
pre-auth framework should include a cookie whenever it wants to
continue a conversation.  This should become a must if FAST is being
used.  I *think* that's in the current draft, but it is definitely in
my working copy.  Larry and I had some internal slowness; I'll be
publishing a new version quite shortly.

    Srinivas> I think it might be good to include
    Srinivas> PA-ENCRYPTED-CHALLENGE also when user principal requires
    Srinivas> pre-authentication.

    Srinivas> This would mean that fast enabled kinit can do the
    Srinivas> following:

    Srinivas> 1.  kinit can send a non-fast request to KDC

    Srinivas> 2.  KDC replies with KRB-ERROR containing the above
    Srinivas> pa-types along with PA-ENCRYPTED-CHALLENGE (for user
    Srinivas> principals having pre-auth required set)

    Srinivas> 3.  kinit can check for PA-FX-FAST and
    Srinivas> PA-ENCRYPTED-CHALLENGE and send a fast request
    Srinivas> containing pa-enc-challenge padata.

    Srinivas> 4.  KDC sends tgt using FAST on successful
    Srinivas> authentication

    Srinivas> I know that MIT kinit doesn't support this behaviour but
    Srinivas> other vendors can support this.  Any advice or issues
    Srinivas> you foresee?

Probably this is more of an IETF issue than an MIT issue.  My concern
about doing this is that the negotiation of which fast factors are
supported would be unprotected.

Consider a client with the policy:
 * prefers FAST with OTP, but will fall back to FAST with encrypted challenge.

I think you have a relatively weak password, so it is in my interest
to get you to fall back to encrypted challenge.  I delete OTP from the
initial unprotected error.

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
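The concern in Sam's reply, as an added example that is not part of the thread and not MIT's or any vendor's kinit code: a toy model of the client-side decision after a KRB-ERROR. `naive_next_step` follows the four-step flow proposed above and trusts the pa-type list in the first, unprotected error; `guarded_next_step` uses that error only to learn that FAST is advertised and defers factor selection to an error returned under FAST armor, where it also insists on PA-FX-COOKIE. The `KrbError` structure, the `fast_armored` flag, the `PA-OTP-CHALLENGE` name and the preference list are assumptions made for illustration; nothing here parses real Kerberos messages.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# pa-type names as used in the thread; PA-OTP-CHALLENGE is an assumed label
# for "the OTP factor", not a wire value.
PA_FX_FAST = "PA-FX-FAST"
PA_FX_COOKIE = "PA-FX-COOKIE"
PA_ENCRYPTED_CHALLENGE = "PA-ENCRYPTED-CHALLENGE"
PA_OTP_CHALLENGE = "PA-OTP-CHALLENGE"

# The client policy from the message: prefer OTP, fall back to encrypted challenge.
PREFERENCES = [PA_OTP_CHALLENGE, PA_ENCRYPTED_CHALLENGE]


@dataclass
class KrbError:
    """Simplified KRB-ERROR: the advertised pa-types plus whether the error
    was carried inside FAST armor (and is therefore integrity protected)."""
    padata: List[str]
    fast_armored: bool


class NegotiationError(Exception):
    pass


def naive_next_step(err: KrbError, prefs=PREFERENCES) -> Tuple[str, Optional[str]]:
    """The flow sketched in the thread: trust the pa-type list of the first
    (unprotected) KRB-ERROR and authenticate with the best factor it offers."""
    if PA_FX_FAST not in err.padata:
        raise NegotiationError("KDC does not advertise FAST")
    for factor in prefs:
        if factor in err.padata:
            return ("authenticate", factor)
    raise NegotiationError("no acceptable factor offered")


def guarded_next_step(err: KrbError, prefs=PREFERENCES) -> Tuple[str, Optional[str]]:
    """Only select a factor from a pa-type list the client can verify."""
    if not err.fast_armored:
        # An unprotected error may have been edited in transit, so it is
        # good for one thing only: learning that FAST is available.
        if PA_FX_FAST not in err.padata:
            raise NegotiationError("KDC does not advertise FAST")
        return ("retry-under-fast", None)
    # Armored error: the KDC must include a cookie to continue the conversation.
    if PA_FX_COOKIE not in err.padata:
        raise NegotiationError("armored KRB-ERROR continues the exchange without PA-FX-COOKIE")
    for factor in prefs:
        if factor in err.padata:
            return ("authenticate", factor)
    raise NegotiationError("no acceptable factor offered under FAST")


def strip_padata(err: KrbError, pa_type: str) -> KrbError:
    """The same error with one pa-type removed, modelling the modification
    an on-path party could make to an unprotected KRB-ERROR."""
    return KrbError([p for p in err.padata if p != pa_type], err.fast_armored)


if __name__ == "__main__":
    # Constructed sample: the KDC honestly advertises both factors.
    honest = KrbError([PA_FX_FAST, PA_FX_COOKIE, PA_OTP_CHALLENGE,
                       PA_ENCRYPTED_CHALLENGE], fast_armored=False)
    modified = strip_padata(honest, PA_OTP_CHALLENGE)
    armored = KrbError(honest.padata, fast_armored=True)
    print("naive,   honest error :", naive_next_step(honest))
    print("naive,   OTP removed  :", naive_next_step(modified))
    print("guarded, OTP removed  :", guarded_next_step(modified))
    print("guarded, armored error:", guarded_next_step(armored))
```

The point the contrast makes is that the naive client lands on the encrypted-challenge factor as soon as OTP is missing from the unprotected error, whereas the guarded client reaches the same decision only from a list that the armor key protects, so removing a pa-type from the first error changes nothing but the number of round trips.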