Re: RFC 4121 & acceptor subkey use in MIC token generation

https://www.rocksolidbbs.com/devel/article-flat.php?id=402&group=comp.protocols.kerberos#402

From: nico@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 15:22:17 -0500
Organization: TNet Consulting
Lines: 59
Message-ID: <mailman.26.1698351779.2263420.kerberos@mit.edu>
References: <202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
<ZTk62q0DIAZmW0eL@ubby21>
<CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<CALF+FNxK2mrQFg_bKnBHoZFxg9B4pKRzzV9NqP1+rm0LbWLbAQ@mail.gmail.com>
<ZTrKeZTsJOoxSkxe@ubby21>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <CALF+FNxK2mrQFg_bKnBHoZFxg9B4pKRzzV9NqP1+rm0LbWLbAQ@mail.gmail.com>
 by: Nico Williams - Thu, 26 Oct 2023 20:22 UTC

On Thu, Oct 26, 2023 at 03:58:57PM -0400, Jeffrey Hutzelman wrote:
> On Thu, Oct 26, 2023 at 3:41 PM Nico Williams <nico@cryptonector.com> wrote:
> > So what can you do? Well, you could build an online kerberized CA that
> > vends short-lived OpenSSH-style certificates, then use that for SSH.
>
> OpenSSH apparently does not support X.509 certificates because they believe
> there is too much complexity. This is roughly the same problem we had with
> getting GSS support into OpenSSH -- they are afraid of security technology
> they didn't invent.

For GSS-KEYEX they have a point: that the CNAME chasing behavior of
Kerberos libraries is problematic. That said there is a simple fix:
use `gss_inquire_context()` to check that the name you got for the
target is the name you asked for, and else either disable credentials
forwarding and try again or refuse to use GSS-KEYEX.

OpenSSH-style certificates have several serious problems resulting from
NIH syndrome:

- no certificate chaining, which therefore implies frequent updates of
sshd_config and ssh_config files

- authorization data is not encoded as an array of strings or blobs but
as one string that uses commas to separate elements (!!) (!!!!)

- it's all too specific to OpenSSH

- there's no tooling to deal with short-lived user certificates on
the client side

There are some good things about OpenSSH-style certificates, but the
above problems are serious missed opportunities.

> This is truly unfortunate, because we already have an online Kerberized CA
> that vends short-lived X.509 certificates

There's almost certainly lots of them.

> > Though credential delegation becomes hairy since all you can do then is
> > ssh-agent forwarding, and if you need Kerberos credentials on the target
> > end well, you won't get them unless you build yet another bridge where
> > you have your online kerberized CA vend certificates for use with PKINIT
> > so that you can kinit w/ PKINIT using a private key accessed over the
> > forwarded ssh-agent.
>
> The problem with this, of course, is that one must be careful not to permit
> credentials to be renewed indefinitely by simply having the KDC and KCA
> repeatedly issue new credentials. Fortunately, kx509 is careful not to
> issue certificates valid past the ticket lifetime, and I believe compliant
> PKINIT implementations don't issue tickets valid past the certificate "Not
> After" time.

Yes, it's absolutely essential to ensure that each credential issued is
limited in lifetime to the credential used to authenticate to the
bridge. At least for client credentials. It's not hard to get this
right, and it's not hard to test either.

Nico
--
