Rocksolid Light

Welcome to RetroBBS

mail  files  register  newsreader  groups  login

Message-ID:  

"Jesus may love you, but I think you're garbage wrapped in skin." -- Michael O'Donohugh

devel / comp.protocols.kerberos / Re: RFC 4121 & acceptor subkey use in MIC token generation

SubjectAuthor
o Re: RFC 4121 & acceptor subkey use in MIC token generationKen Hornstein

1
Re: RFC 4121 & acceptor subkey use in MIC token generation

<mailman.29.1698354648.2263420.kerberos@mit.edu>

  copy mid

https://www.rocksolidbbs.com/devel/article-flat.php?id=405&group=comp.protocols.kerberos#405

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 17:10:39 -0400
Organization: TNet Consulting
Lines: 55
Message-ID: <mailman.29.1698354648.2263420.kerberos@mit.edu>
References: <3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu>
<ZTiT0ub2uv5A/b4E@ubby21>
<202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
<ZTk62q0DIAZmW0eL@ubby21>
<CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<202310262110.39QLAdhW010116@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="20197"; mail-complaints-to="newsmaster@tnetconsulting.net"
To: kerberos@mit.edu
DKIM-Filter: OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid)
Authentication-Results: mailman.mit.edu;
dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=sklcdpHT;
dkim=pass (2048-bit key,
unprotected) header.d=nrl.navy.mil header.i=@nrl.navy.mil header.a=rsa-sha256
header.s=s2.dkim header.b=FSFunOrd
Authentication-Results: mit.edu; dmarc=pass (p=reject dis=none)
header.from=cmf.nrl.navy.mil
Authentication-Results: mit.edu; arc=pass smtp.remote-ip=18.7.73.15
ARC-Seal: i=2; a=rsa-sha256; d=mit.edu; s=arc; t=1698354647; cv=pass;
b=iPJV4QwC9/syG54LDRfoJI+hBODI5MZVAjHB2g5dZ9gFIPFTqjLYNTwnUgUFFasiFWkcDB7puFiI8WZzGhS+ngizeY+Gj2swG23j/uzSwHQD28ixoPUCDvsfShWbQIFGYSMsWObCRfuk7DUaU6tYc84iH+dELV6CNkeuiIJy0sIHfxr3z6JMdGOIQeytGuAVOLY/IK28UYMyFsxp8FaWv83RzhMUiBSjzgLJrG84NJmr5bopHh+vdgTLb1qTSdYxzrg0FDzhagv0bRJ15f2YthZ3YIPWPTtpYiHNVmu/o+29dEt52U4U9yMZXzt6LunZgKMnOxv6MQ8PkFjkiXBTCQ==
ARC-Message-Signature: i=2; a=rsa-sha256; d=mit.edu; s=arc; t=1698354647;
c=relaxed/relaxed; bh=baxcEIqt51sT7vcU6B4zVKwfWMidbs2w0ER4qXKIbU0=;
h=Message-ID:From:Subject:MIME-Version:Content-Type:Date;
b=MPgHKl1OVXOqGke3S5XSiDcZwpmNpU0QK6GQUJU3a85SuRJ5/y8P+fBaMGPsYBc6zajbtOZYDz8YJ2r586YPlbvUahHXoYWQ7qzIVo/ysfujKEan7KTK+I/Vp9RUXKP6f6gtQY4E8JAl5xobpgSbYdRi0sPKxtU29mChtFiksDNSZ/f3PfNtLdxBZbYKK0YRxxRlHzkfYM4Q9fCpvJguEdPg8FWahmbdCdrvLKqgId4xSTOJ8hmHi1C/N4jwyyPQFKFS5K/AZ/RGHTAEzOyvNVXWWtCvV3NYuSGPQaMmZZZXPJqGKDkNj6iySlFBeJfhskpy2fzzCKdaygeUxGFwYA==
ARC-Authentication-Results: i=2; mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=sklcdpHT;
dkim=pass (2048-bit key;
unprotected) header.d=nrl.navy.mil header.i=@nrl.navy.mil header.a=rsa-sha256
header.s=s2.dkim header.b=FSFunOrd
Authentication-Results: mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=sklcdpHT;
dkim=pass (2048-bit key;
unprotected) header.d=nrl.navy.mil header.i=@nrl.navy.mil header.a=rsa-sha256
header.s=s2.dkim header.b=FSFunOrd
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Sj0LPNMw9g6UMLn5uuJ2k+H1PBpGbOmIcEStfJgcZc1u8YlmEP3Bg2MHJdkE0nvSQNcQTO3MyUY0m/sk8pn0QACh9E7cXal4O5HvuI9Od/ol1rjKUeVniuNKQzfpJGrwpVRPLvB/nlwJfwyhQYgts26GweZhhMB9Sj9gbXjCa0pDIcHMFnBw/xbxmlEqOxPFi08MvW5cYBKbFuiKoz/4ukounyo1DpSNIsNlOYLSlPJWYTnAp++WjBwzH44kx0ixWiVnW0CRCosW5oB8u0kEcGBcWLazGnBZKtz2mdv55wo2RY068ndnJoEY2fB+1nhgbXCViQyC9QhS0FwURuSStA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=baxcEIqt51sT7vcU6B4zVKwfWMidbs2w0ER4qXKIbU0=;
b=XOYASAevUzWnpbQIre/ggWj9u9AYPlzWXmkg2x5r2UdGk0/WvCWbtns81k/jyLLB40eZiah1zuJduGFTqtgSr7vuZgxSsHRDriU4NZv8GwTtlrxPai1B5gv0PnqpBPbVZg9apYFuPkM7oeaYJ5ehgAvat4Bpe8fPdudoTRwvVpWFt877vACLyjQMj+uPRMJsFTpdTPuWjoewRDpkpjPY48UFb3Bj/cvo5WxpciK9kgiUzu69XuRrUAW5eYQVJ50O4IZYghcungpA+wCW0c+6v1Nk0LVriztO8ntTC/ExxeJE9GG2HJljQ3pHwCvidb8jnjL6Ygs3ZDtWlTx/JNiLZg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
140.32.61.234) smtp.rcpttodomain=mit.edu smtp.mailfrom=cmf.nrl.navy.mil;
dmarc=pass (p=reject sp=reject pct=100) action=none
header.from=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=baxcEIqt51sT7vcU6B4zVKwfWMidbs2w0ER4qXKIbU0=;
b=sklcdpHTHezS6AO0mAlAa4Q/gqk62LkiLuqsrF2rOc6DFbQDn2/gTJYYco227TdsHaqtoWIMC8z0IQvvgwLmfykz1Jq5Um2nxNbId7mVXG+vub6yAp/1Dn1CkB0uubreE/dE7tlF2aaBtH6iLP85Zq0qeJk7szTwRT37quiWi5k=
Authentication-Results: spf=pass (sender IP is 140.32.61.234)
smtp.mailfrom=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil;dmarc=pass action=none header.from=cmf.nrl.navy.mil;
Received-SPF: Pass (protection.outlook.com: domain of cmf.nrl.navy.mil
designates 140.32.61.234 as permitted sender)
receiver=protection.outlook.com; client-ip=140.32.61.234; helo=mf.dren.mil;
pr=C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nrl.navy.mil;
h=message-id : from :
to : subject : in-reply-to : references : mime-version : content-type :
date; s=s2.dkim; bh=baxcEIqt51sT7vcU6B4zVKwfWMidbs2w0ER4qXKIbU0=;
b=FSFunOrdyMa6IjCP55x3FLNV8FlWzC8kXuQXuxlpZFRKEzdB1hDIZjJM1a3tdRjKGfyd
Ai9o1c5/O0IQzJwCA2asd1W4jZFYcSDk0IVxgNg57DbqJYefYwZTh26B0UgKOpmGefQ8
he2YtcF1zyn6tgRtwxeNS4EWf/QNqmR9jO14Y0Owfg7QYOQF/NK862qhD/zyWdWkQbQh
jj8QuCqt72K7Hx9rFoJCKx2WVk1UlM2Qqd3t1L7yytzid/52h9RW8tgXCpSGYju3kFOr
DOfp1bC/v/KN50qDDY816yoWm2sBgxlbyPO9NXe+NLQOhaIBKIDbQZw1vDqTbkKZwjWD 4A==
In-Reply-To: <ZTrAlh0a/+Vq5P4f@ubby21>
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
X-NRLCMF-Spam-Score: () hits=0 User Authenticated
X-NRLCMF-Virus-Scanned:
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SN1PEPF000252A3:EE_|SJ0PR01MB7265:EE_
X-MS-Office365-Filtering-Correlation-Id: 0dbdc09f-912b-46e7-490b-08dbd668033f
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 9JzJ4V6OuAbm2epiEEDzghGf0Dgwo2XwuHS1DzAfSiE1rmG0kEJpBq23W/rHndWgzRyAYil0V0ZP1dZRzhK5fzrT/GIMVvaIyzMdcR1f0nD24+nRsRQIEkHZahNSJ2TFfkSOaGY2eYXwfdzIPzkDCCKMVhIHNL4NohDofSkDUOuDoEBMBmu7Zsf+kvVNg6Cw4xOtSA3NUsXotLXCEktaGci6vOTKPJ1ti9De+5nCYfTKi7hsYroDiuR5jBMXCn3G9Bd7qvPcd0ng6UgZIu8UYTxxHSS7PCQtqQdHtaiTaAg7SBWoavqqvm4lAGN19EhOoGEnX51a77OBGKwgZSjuhAo2/qWJwqUbou1oYhMP2a2poVWAAKX6AcZ2IFMgy2vfdustl17in7+0Zax2dwumAc/fDNt8B0SgYE9Xglk//FjDT9U0C/+M9rt76bTrJT0oZsz0LyVaxjShOWpsI9w1Hi0SVZ7aQTFMaOmwbWDJpnXvle5xzmXWsElW2+WgEHzQX7KBpvlVpA5e8WlvhjUy2+PfvcVsJgtuPlpxPrFEzFehPst3yZQN6fYNnoEwLO61lzw3k7TseRzX8sei6u6kcJ3GvV3kZw97wQyfU6PiAAt2lQJrl/myit6AzRvvMBkAd1ifJShDHF2rJ8MLREO/NAJJM797ERW4Hkg3Ok4Ir8t3hiOKUZcZ4lhlyhZkIJo+56SM8N32gAFVgmX+tEVJiw==
X-Forefront-Antispam-Report: CIP:140.32.61.234; CTRY:US; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:mf.dren.mil; PTR:mfw.dren.mil; CAT:NONE;
SFS:(13230031)(4636009)(396003)(39860400002)(346002)(376002)(136003)(64100799003)(61400799006)(48200799006)(451199024)(426003)(7636003)(356005)(1076003)(956004)(336012)(26005)(68406010)(786003)(70586007)(86362001)(316002)(498600001)(83380400001)(34206002)(8676002)(2906002)(66899024)(5660300002);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Oct 2023 21:10:42.0447 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0dbdc09f-912b-46e7-490b-08dbd668033f
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: SN1PEPF000252A3.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR01MB7265
X-OriginatorOrg: mitprod.onmicrosoft.com
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <202310262110.39QLAdhW010116@hedwig.cmf.nrl.navy.mil>
X-Mailman-Original-References: <3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu>
<ZTiT0ub2uv5A/b4E@ubby21>
<202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
<ZTk62q0DIAZmW0eL@ubby21>
<CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
 by: Ken Hornstein - Thu, 26 Oct 2023 21:10 UTC

>So what can you do? Well, you could build an online kerberized CA that
>vends short-lived OpenSSH-style certificates, then use that for SSH.
>
>Perhaps you'll find that easier to do than to send a PR for hard-coding
>mechanism OID->name mappings, and even if not, you may find it better
>for the long term anyways because it's fewer patches to maintain.

Unfortunately, ANOTHER one of the "fun" rules I live under is, "Thou
shall have no other PKI than the DoD PKI". And as much as I can
legitimately argue for many of the unusual things that I do, I can't get
away with that one; we have to personally certify on all of our server
systems that we only accept DoD issued certificates. The available DoD
certificate profiles are EXTREMELY limited and there's exactly zero
chance of me getting our own CA under the DoD PKI. So I am aware of
kx509 and the like, but I can't use them. Well, I technically COULD set
it up, I just couldn't trust a kx509 CA on any of our own systems so
the utility would be limited.

>Though credential delegation becomes hairy since all you can do then is
>ssh-agent forwarding, and if you need Kerberos credentials on the target
>end well, you won't get them unless you build yet another bridge where
>you have your online kerberized CA vend certificates for use with PKINIT
>so that you can kinit w/ PKINIT using a private key accessed over the
>forwarded ssh-agent.

We _do_ do PKINIT with the DoD PKI today; that is relatively
straightforward with the exception of dealing with certificate
revocation (last time I checked the total size of the DOD CRL package
was approximately 8 million serial numbers, sigh).

>I'm a big proponent of authentication protocol bridging. I've written
>an online kerberized CA in Heimdal, though that one doesn't [yet] vend
>OpenSSH-style certificates. One site I'm familiar with has a kerberized
>JWT, OIDC, and PKIX certificate issuer, and they support PKINIT, so they
>can and do bridge all the tokens and all the Kerberos realms and all the
>PKIX and soon OpenSSH CAs.

We KIND do bridging, but it's at a higher level; since almost everyone
we deal with has an issued PKI client certificate on a smartcard we tend
to support a bunch of ways of working with that. So you can use your
client certificate do a bunch of things like get a Kerberos ticket,
but we can't turn a Kerberos ticket into a DOD PKI client certificate.
There is an DoD program called "Purebred" to get DERIVED client PKI
credentials on things like iOS devices but that again has a very small
box it is designed to fit in and I doubt that the people who run it
would understand what I was asking, much less make it so I could put
those credentials in a kx509 server. Sigh.

>Therefore I have no problem with you not using SSHv2 GSS-KEYEX.

I mean, it seems like gssapi-with-mic is relatively widely supported
and works (with the previously-discussed exception of the broken-assed
Tenable client and Heimdal servers).

--Ken

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor