Re: heimdal http proxy
From: rick@openfortress.nl (Rick van Rein)
Newsgroups: comp.protocols.kerberos
Subject: Re: heimdal http proxy
Date: Sat, 11 Sep 2021 18:22:48 +0000
Organization: TNet Consulting
Lines: 32
Message-ID: <mailman.1.1631384605.13452.kerberos@mit.edu>
References: <87sfyq9qtg.fsf@hope.eyrie.org>
<58C9CD4B-C68A-4480-BFD8-29DC38D8C22A@cs.rutgers.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
To: Charles Hedrick <hedrick@rutgers.edu>
In-Reply-To: <58C9CD4B-C68A-4480-BFD8-29DC38D8C22A@cs.rutgers.edu>

Hello Charles,

> I'd like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac uses Heimdal.

SPNEGO really has a low security level. I am surprised this is considered
acceptable for an https proxy.

We are working on two better solutions, with software that classifies as only
a little over "proof of concept".

- TLS-KDH to integrate Kerberos authentication with ECDH encryption;
this combination is in fact Quantum Proof

https://datatracker.ietf.org/doc/html/draft-vanrein-tls-kdh

- HTTP-SASL integrates SASL as a HTTP authentication mechanism, and this
is meant to allow Kerberos as well. In contrast with SPNEGO, it would
be possible to require Channel Binding (at least to the webserver _name_).

https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl

Take note: These have not even been proposed on this list, simply due to
lack of time to actively discuss it (been mostly occupied with this and
related implementations). So at best this could be a future opportunity.
Still, your use case may help to propel the work forward, so please share
if this would be helpful for your situation. You may want to pass this
by your sysadmin too.

Cheers,
-Rick
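The point Rick makes about channel binding, as an added illustration that is not part of the post and not code from either draft: a client that binds its authenticator to the TLS channel it actually sees (here an RFC 5929 tls-server-end-point style hash over the server certificate) cannot be relayed by a TLS-terminating proxy, whereas an unbound token (the SPNEGO-like case) verifies just the same. The certificate bytes and session key are constructed stand-ins, the certificate is assumed to be SHA-256 signed, and the message layout is hypothetical.

```python
import hashlib
import hmac
from typing import Optional

# Constructed, not real: these bytes stand in for two DER-encoded X.509 certificates.
ORIGIN_CERT_DER = b"constructed-der:origin.example"
PROXY_CERT_DER = b"constructed-der:tls-terminating-proxy"
# Constructed stand-in for the Kerberos session key shared by client and server.
SESSION_KEY = b"constructed-session-key-0123456789abcdef"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """Channel binding data in the style of RFC 5929 tls-server-end-point.

    Assumption (labelled): the certificate is SHA-256 signed, so the binding is
    SHA-256 over the DER certificate. RFC 5929 derives the hash from the
    certificate's signature algorithm; a real implementation must parse that."""
    return hashlib.sha256(cert_der).digest()


def client_token(session_key: bytes, user: str, cb: Optional[bytes]) -> dict:
    """Authenticator as the client builds it: a MAC over the user name and, when
    channel binding is in use, over the binding of the TLS channel it sees."""
    msg = user.encode() + b"|" + (cb if cb is not None else b"")
    return {"user": user, "mac": hmac.new(session_key, msg, "sha256").digest()}


def server_verify(session_key: bytes, token: dict, own_cert_der: bytes, require_cb: bool) -> bool:
    """The origin server recomputes the MAC with its own certificate's binding."""
    cb = tls_server_end_point(own_cert_der) if require_cb else None
    expected = client_token(session_key, token["user"], cb)["mac"]
    return hmac.compare_digest(expected, token["mac"])


def authenticate(proxied: bool, require_cb: bool) -> bool:
    """Simulate one login. When proxied, the client's TLS session ends at the
    proxy, so the client sees (and binds to) the proxy's certificate."""
    seen_cert = PROXY_CERT_DER if proxied else ORIGIN_CERT_DER
    cb = tls_server_end_point(seen_cert) if require_cb else None
    token = client_token(SESSION_KEY, "alice", cb)
    return server_verify(SESSION_KEY, token, ORIGIN_CERT_DER, require_cb)


if __name__ == "__main__":
    print("direct, no binding:", authenticate(False, False))   # True
    print("proxied, no binding:", authenticate(True, False))   # True: the relay goes unnoticed
    print("direct, binding:", authenticate(False, True))       # True
    print("proxied, binding:", authenticate(True, True))       # False: binding mismatch detected
```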
