Re: Query regarding S4U2Self protocol extension

<mailman.1.1627470411.14813.kerberos@mit.edu>

  copy mid

https://www.rocksolidbbs.com/devel/article-flat.php?id=117&group=comp.protocols.kerberos#117

From: iboukris@gmail.com (Isaac Boukris)
Newsgroups: comp.protocols.kerberos
Subject: Re: Query regarding S4U2Self protocol extension
Date: Wed, 28 Jul 2021 14:06:00 +0300
Message-ID: <mailman.1.1627470411.14813.kerberos@mit.edu>
References: <CAMeQEL8+JGoqgh-j62duJBMLLoOKVPEZRWbC4mxLtdB-3ggwtw@mail.gmail.com>
<42a3d4b0-3461-5342-bf83-83475f3a0473@mit.edu>
<CAMeQEL_sJojTFJA0XWHNoVjPV-=_yGSMD7LpegF2QHR+PVC0Dg@mail.gmail.com>
<CAC-fF8S7PSPdFuVT31zEgkyiQ2WPyESRzY28FSOxSXh7=01rYw@mail.gmail.com>
<CAMeQEL9Wj1Wen2z6+xC2F9na7dn79MGrH9ARzzigsZj3kst1kA@mail.gmail.com>
<CAC-fF8RhhW2hUm28K4fXMbp-y4_ykkeZQyQFJvQn+AZa__zrBQ@mail.gmail.com>
<CAMeQEL_f7M0AiQoK3feZCFKPytZ93tMX6L7-KvupXr=8yVcEEA@mail.gmail.com>
Cc: kerberos <kerberos@mit.edu>
To: Vipul Mehta <vipulmehta.1989@gmail.com>
In-Reply-To: <CAMeQEL_f7M0AiQoK3feZCFKPytZ93tMX6L7-KvupXr=8yVcEEA@mail.gmail.com>

On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
>
> Now that we know the behavior is unified and the S4U2Self ticket should be forwardable to avoid the vulnerability, I think we can add a check in the MIT Kerberos API itself such that, before sending the S4U2Proxy TGS-REQ to the KDC, if the ticket is not forwardable it will fail in the client itself.
>
> I can see that the JDK has this check:
> https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java -> line 105

MIT used to have that as well before RBCD was added, although I don't
think this was ever necessary, as that check should be done in the
KDC. Also, disabling NonForwardableDelegation can be a valid usage when
relying on SIDs and not using protected-group, as in the original RBCD
design:

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
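The client-side pre-check the two posts above argue about, written out as an added example for this page (it is not code from MIT Kerberos, the JDK, or the Microsoft document linked above): decode the RFC 4120 TicketFlags BIT STRING from the S4U2Self ticket and refuse to build the S4U2Proxy TGS-REQ when FORWARDABLE is clear. The bit positions are the RFC 4120 section 5.3.1 ones; the function names and the sample encodings are this example's own, and the samples are constructed, not captured traffic.

```python
"""Decode RFC 4120 TicketFlags and apply the client-side S4U2Proxy pre-check
the thread discusses. Added example for this page; it is not code from MIT
Kerberos or the JDK, and the function names are this example's own."""

# Bit numbers from RFC 4120 section 5.3.1. KerberosFlags is an ASN.1 BIT
# STRING in which bit 0 is the most significant bit of the first octet, so
# bit n of a 32-bit value is tested with the mask 0x80000000 >> n (this
# matches MIT's TKT_FLG_FORWARDABLE == 0x40000000).
TICKET_FLAG_BITS = {
    "reserved": 0,
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may-postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "hw-authent": 11,
    "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}


def flag_mask(name: str) -> int:
    """Return the 32-bit mask for a named ticket flag."""
    return 0x80000000 >> TICKET_FLAG_BITS[name]


def decode_ticket_flags_der(der: bytes) -> int:
    """Parse a DER BIT STRING (tag 0x03) carrying KerberosFlags into a
    32-bit integer. Encodings shorter than 32 bits are zero-padded on the
    right, which RFC 4120 section 5.2.8 requires decoders to accept; bits
    past the first 32 are ignored."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for KerberosFlags")
    if length < 1 or len(der) != 2 + length:
        raise ValueError("BIT STRING length does not match buffer")
    unused_bits = der[2]
    body = der[3:]
    if unused_bits > 7 or (unused_bits and not body):
        raise ValueError("invalid unused-bits octet")
    value = int.from_bytes(body, "big")
    value &= ~((1 << unused_bits) - 1)   # DER: unused trailing bits must be zero
    total_bits = len(body) * 8
    if total_bits < 32:
        value <<= 32 - total_bits         # left-align a short encoding
    else:
        value >>= total_bits - 32         # keep the first 32 bits only
    return value & 0xFFFFFFFF


def flag_names(flags: int) -> set:
    """Names of the RFC 4120 flags set in a 32-bit TicketFlags value."""
    return {name for name in TICKET_FLAG_BITS if flags & flag_mask(name)}


def s4u2proxy_client_precheck(evidence_ticket_flags: int) -> bool:
    """The client-side rule from the thread: only build the S4U2Proxy
    TGS-REQ if the S4U2Self (evidence) ticket carries FORWARDABLE.
    The KDC still enforces its own policy; this only saves a round trip."""
    return bool(evidence_ticket_flags & flag_mask("forwardable"))


# Constructed samples (not captured traffic): the flags BIT STRING as it
# would appear inside the EncKDCRepPart of a TGS-REP.
SAMPLE_FORWARDABLE = bytes.fromhex("03050040a00000")      # forwardable, renewable, pre-authent
SAMPLE_NOT_FORWARDABLE = bytes.fromhex("03050000a00000")  # same, minus forwardable
SAMPLE_SHORT = bytes.fromhex("03020640")                   # only 2 valid bits, bit 1 set


if __name__ == "__main__":
    for label, der in [("forwardable", SAMPLE_FORWARDABLE),
                       ("not forwardable", SAMPLE_NOT_FORWARDABLE),
                       ("short encoding", SAMPLE_SHORT)]:
        flags = decode_ticket_flags_der(der)
        print(f"{label:16s} 0x{flags:08x} {sorted(flag_names(flags))} "
              f"send S4U2Proxy: {s4u2proxy_client_precheck(flags)}")
```

The pre-check is deliberately a pure function of the evidence ticket's flags, so it can sit in front of whatever builds the TGS-REQ without touching the KDC side; as Isaac's reply notes, the authoritative decision remains the KDC's, and a deployment that relies on NonForwardableDelegation with RBCD would leave this client-side refusal switched off.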

