Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

https://www.rocksolidbbs.com/devel/article-flat.php?id=539&group=comp.protocols.kerberos#539
From: sfrost@snowman.net (Stephen Frost)
Newsgroups: comp.protocols.kerberos
Subject: Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?
Date: Mon, 15 Apr 2024 20:40:49 -0400
Organization: TNet Consulting
Message-ID: <mailman.87.1713228060.2322.kerberos@mit.edu>
References: <CAEkxbZuz1h7Ef4N5nz3teb8vcTxTE6iBUZC+TYssUcayKHhXQQ@mail.gmail.com>
<202404152356.43FNu4Wj009470@hedwig.cmf.nrl.navy.mil>
<Zh3JEbB0IfDztgSQ@tamriel.snowman.net>
User-Agent: Mutt/2.1.4 (2021-12-11)
Cc: James Ralston <ralston@pobox.com>, kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202404152356.43FNu4Wj009470@hedwig.cmf.nrl.navy.mil>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
by: Stephen Frost - Tue, 16 Apr 2024 00:40 UTC
Attachments: signature.asc (application/pgp-signature)

Greetings,

* Ken Hornstein via Kerberos (kerberos@mit.edu) wrote:
> >Has anyone else struggled with ssh clients being unable to delegate
> >As far as we can tell, for reasons we still have been unable to
> >fathom, Microsoft decided that simply permitting credential delegation
> >based on whether the TGT has the forwardable flag set was
> >insufficient. Instead, Microsoft implemented a new flag in the MS-SFU
> >Kerberos Protocol Extensions, TRUSTED_FOR_DELEGATION. The flag is a
> >property of the service principal of the *target* host: if the target
> >host does not have the TRUSTED_FOR_DELEGATION flag set in the
> >userAccountControl attribute of the host’s machine account in Active
> >Directory, then if the Kerberos library that the ssh client uses
> >honors the MS-SFU Kerberos Protocol Extensions and honors the
> >TRUSTED_FOR_DELEGATION flag, it will refuse to delegate the user’s
> >credentials to the target host, *even* if all other settings would
> >permit credential delegation.
>
> I'm a LITTLE confused as to what you're describing here. As I
> understand you, the TRUSTED_FOR_DELEGATION flag doesn't appear on the
> wire and only in the account properties. What, exactly, is there for a
> client implementation to honor or not honor? If you're talking about
> the OK-AS-DELEGATE flag in the Kerberos ticket, MIT Kerberos does
> implement that flag (but ... the library already provides an option
> to ignore that flag and it seems that by default it DOES ignore that
> flag). It seems like some versions of Heimdal also will ignore the
> OK-AS-DELEGATE flag by default and you can configure Heimdal to respect
> that flag but I am unclear what the OS X Heimdal does. Calling that a
> Microsoft extension is incorrect, though, as that appears in RFC 4120.
> As for the thinking behind this flag, well, the RFC provides what I
> would consider a cognizant explanation:
>
> https://datatracker.ietf.org/doc/html/rfc4120#section-2.8
>
> If you're talking about something else, I would be curious as to what
> you mean. I didn't think ssh could utilize any of the S4U stuff
> but it's always possible that could have changed.

Before delving too deeply here ... frankly, I'd *strongly* encourage you
to ignore what OSX comes with in terms of Kerberos "support" and push to
move everything away from what OSX ships with and to instead use MIT
Kerberos. In my experience, this is far from the only issue you're
going to run into with the hacked up Kerberos from OSX and they don't
seem to care to properly maintain it.

Thanks,

Stephen
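The interplay of the two flags the thread is arguing about, written out as an added example that is not code from any of the posters, from MIT Kerberos or from Microsoft: it decodes the AD userAccountControl bits and the RFC 4120 TicketFlags bits, renders the latter the way MIT `klist -f` does, and models the client-side delegation decision with and without honouring OK-AS-DELEGATE. The userAccountControl bit values are the ones Microsoft documents for that attribute and the TicketFlags bit positions are from RFC 4120 section 5.2.8; the KDC step (`issue_service_ticket_flags`, which sets OK-AS-DELEGATE on a service ticket only when the target account carries TRUSTED_FOR_DELEGATION, as MS-KILE describes the Microsoft KDC) is a deliberate simplification, and the sample TGT and machine-account values are constructed for illustration.

```python
"""Decode and combine the delegation-related flags discussed above.

userAccountControl bit values are the ones Microsoft documents for the AD
attribute; TicketFlags bit positions come from RFC 4120 section 5.2.8, where
bit 0 is the most significant bit of the 32-bit KerberosFlags bit string.
The KDC model below (OK-AS-DELEGATE set iff the target account carries
TRUSTED_FOR_DELEGATION) is a simplification for illustration.
"""

# Subset of userAccountControl bits (Microsoft-documented values).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00080000: "TRUSTED_FOR_DELEGATION",          # unconstrained delegation
    0x00100000: "NOT_DELEGATED",                   # "account is sensitive and cannot be delegated"
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
UAC_TRUSTED_FOR_DELEGATION = 0x00080000

# RFC 4120 TicketFlags bit numbers, with the letter MIT `klist -f` prints for each.
TICKET_FLAG_BITS = {
    1: ("forwardable", "F"),
    2: ("forwarded", "f"),
    3: ("proxiable", "P"),
    4: ("proxy", "p"),
    8: ("renewable", "R"),
    9: ("initial", "I"),
    10: ("pre-authent", "A"),
    13: ("ok-as-delegate", "O"),
}
FORWARDABLE, INITIAL, OK_AS_DELEGATE = 1, 9, 13


def ticket_flag_mask(bit):
    """Mask for RFC 4120 bit `bit` in a 32-bit integer (bit 0 = MSB)."""
    return 1 << (31 - bit)


def decode_uac(value):
    """Names of the known userAccountControl bits set in `value`."""
    return sorted(name for mask, name in UAC_FLAGS.items() if value & mask)


def klist_letters(flags):
    """Render ticket flags the way `klist -f` does (e.g. 'FRIA' for a TGT)."""
    return "".join(letter for bit, (_, letter) in sorted(TICKET_FLAG_BITS.items())
                   if flags & ticket_flag_mask(bit))


def issue_service_ticket_flags(tgt_flags, target_uac):
    """Simplified KDC: a TGS-REQ-issued service ticket inherits the TGT's
    flags except `initial`, and gets OK-AS-DELEGATE only when the target
    account has TRUSTED_FOR_DELEGATION (assumption modelled on MS-KILE)."""
    flags = tgt_flags & ~(ticket_flag_mask(INITIAL) | ticket_flag_mask(OK_AS_DELEGATE))
    if target_uac & UAC_TRUSTED_FOR_DELEGATION:
        flags |= ticket_flag_mask(OK_AS_DELEGATE)
    return flags


def client_will_delegate(tgt_flags, service_ticket_flags, honor_ok_as_delegate):
    """Client-side decision: a forwardable TGT is always required; a library
    that honours OK-AS-DELEGATE (RFC 4120 section 2.8) also requires that
    flag on the ticket for the target host."""
    if not tgt_flags & ticket_flag_mask(FORWARDABLE):
        return False
    if honor_ok_as_delegate and not service_ticket_flags & ticket_flag_mask(OK_AS_DELEGATE):
        return False
    return True


def delegation_outcome(tgt_flags, target_uac):
    """Outcome for both client behaviours against one target account."""
    st = issue_service_ticket_flags(tgt_flags, target_uac)
    return {
        "service_ticket_flags": klist_letters(st),
        "client_ignoring_ok_as_delegate": client_will_delegate(tgt_flags, st, False),
        "client_honoring_ok_as_delegate": client_will_delegate(tgt_flags, st, True),
    }


# Constructed sample inputs: a typical TGT (forwardable, renewable, initial,
# pre-authenticated) and two machine accounts differing only in the flag.
SAMPLE_TGT = (ticket_flag_mask(1) | ticket_flag_mask(8)
              | ticket_flag_mask(9) | ticket_flag_mask(10))
HOST_TRUSTED = 0x00001000 | UAC_TRUSTED_FOR_DELEGATION   # 0x81000
HOST_UNTRUSTED = 0x00001000                              # 0x1000

if __name__ == "__main__":
    print("TGT flags:", klist_letters(SAMPLE_TGT))
    for label, uac in (("trusted", HOST_TRUSTED), ("untrusted", HOST_UNTRUSTED)):
        print(label, decode_uac(uac), delegation_outcome(SAMPLE_TGT, uac))
```

The untrusted host is the case James describes: the TGT is `F`orwardable, so a client that ignores OK-AS-DELEGATE still forwards the TGT, while a client that honours it refuses because the service ticket shows no `O`. The same check can be made against a real ticket by comparing the letters from `klist -f` with the userAccountControl value of the target's machine account.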
