Posted to kerby@directory.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2017/06/20 11:39:58 UTC

Anonymous PKINIT support

Hi all,

As per the recent email on JWT, I'd like to look at the outstanding issues
surrounding anonymous PKINIT support in Kerby.

a) Last year I raised concerns about the KDC not signing the response:

https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html

Currently, we don't use the private key at all in the KDC when it is
configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:

https://tools.ietf.org/html/rfc6112

"If the KDC's signature is missing in the KDC reply
   (the reply is anonymous), the client MUST reject the returned ticket
   if it cannot authenticate the KDC otherwise."

I don't really see how the client can authenticate the KDC as things stand,
so I think we need to sign the KDC response and enforce a signature on the
client side.

b) From the MIT page:

"If you need to enable anonymity support for TGTs (for use as FAST armor
tickets) without enabling anonymous authentication to application servers,
you can set the variable restrict_anonymous_to_tgt to true in the
appropriate [realms] subsection of the KDC’s kdc.conf file."

Is this supported by Kerby? I'm guessing not, but we should add support for
it.

c) Is there a way to differentiate between anonymous + authenticated PKINIT
in the KDC configuration? What if you don't want to allow the anonymous
case?

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
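The three points above, as an added example in Go that is neither part of this thread nor Kerby's own code: a KDC that actually uses its PKINIT identity private key to sign the DH reply, a client that applies the RFC 6112 rule by rejecting any reply it cannot authenticate (unsigned, or signed by a key other than the one it trusts), and a KDC-side policy carrying the two switches that points (b) and (c) ask for. Everything is simplified and assumed: real PKINIT puts a CMS SignedData over the DER-encoded KDCDHKeyInfo (RFC 4556) and the client validates the KDC's certificate chain, whereas this uses RSA PKCS#1 v1.5 over a length-prefixed encoding and a KDC public key the client already holds out of band; the policy struct and its field names are hypothetical and merely mirror MIT's restrict_anonymous_to_tgt; the DH value and nonce are constructed inputs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// kdcDHKeyInfo stands in for the KDCDHKeyInfo of a PKINIT DH reply. Real PKINIT
// DER-encodes it inside CMS SignedData; this example uses a length-prefixed encoding.
type kdcDHKeyInfo struct {
	SubjectPublicKey []byte // KDC's DH public value, opaque here
	Nonce            uint32 // nonce the client sent in its AS-REQ
}

func (k kdcDHKeyInfo) encode() []byte {
	buf := make([]byte, 4+len(k.SubjectPublicKey)+4)
	binary.BigEndian.PutUint32(buf, uint32(len(k.SubjectPublicKey)))
	copy(buf[4:], k.SubjectPublicKey)
	binary.BigEndian.PutUint32(buf[4+len(k.SubjectPublicKey):], k.Nonce)
	return buf
}

// kdcReply: Signature is nil when the KDC never used its PKINIT identity key (point (a)).
type kdcReply struct {
	Info      kdcDHKeyInfo
	Signature []byte
}

// kdcSign is what a compliant KDC does with its PKINIT identity private key.
func kdcSign(priv *rsa.PrivateKey, info kdcDHKeyInfo) (kdcReply, error) {
	digest := sha256.Sum256(info.encode())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return kdcReply{}, err
	}
	return kdcReply{Info: info, Signature: sig}, nil
}

// clientVerify enforces the RFC 6112 MUST: an anonymous client cannot authenticate the
// KDC any other way, so an unsigned or badly signed reply is rejected. trusted is the
// KDC public key held out of band; a real client would validate the certificate chain.
func clientVerify(trusted *rsa.PublicKey, sentNonce uint32, r kdcReply) error {
	if len(r.Signature) == 0 {
		return errors.New("reply carries no KDC signature: reject")
	}
	if r.Info.Nonce != sentNonce {
		return errors.New("nonce mismatch: replayed or foreign reply")
	}
	digest := sha256.Sum256(r.Info.encode())
	if err := rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], r.Signature); err != nil {
		return fmt.Errorf("KDC signature does not verify: %w", err)
	}
	return nil
}

// pkinitPolicy: hypothetical KDC-side switches for points (b) and (c);
// RestrictAnonymousToTGT mirrors MIT's restrict_anonymous_to_tgt.
type pkinitPolicy struct {
	AllowAnonymous         bool
	RestrictAnonymousToTGT bool
}

// allowIssue: anon is true for an anonymous client (false for one with an X.509
// certificate); isTGT is true for a krbtgt ticket, which is all FAST armor needs.
func (p pkinitPolicy) allowIssue(anon, isTGT bool) (bool, string) {
	switch {
	case !anon:
		return true, "client authenticated with its certificate"
	case !p.AllowAnonymous:
		return false, "anonymous PKINIT is disabled"
	case p.RestrictAnonymousToTGT && !isTGT:
		return false, "anonymous principal may only obtain a TGT"
	default:
		return true, "anonymous ticket permitted"
	}
}

// runScenarios verifies a genuine signed reply, an unsigned reply, and one signed
// by an impostor key (a KDC-impersonating MITM). All inputs are constructed.
func runScenarios() (genuine, unsigned, forged error) {
	kdcKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	const nonce uint32 = 0x1e3d4c5b
	info := kdcDHKeyInfo{SubjectPublicKey: []byte("constructed-dh-value"), Nonce: nonce}
	good, _ := kdcSign(kdcKey, info)
	bad, _ := kdcSign(impostor, info)
	genuine = clientVerify(&kdcKey.PublicKey, nonce, good)
	unsigned = clientVerify(&kdcKey.PublicKey, nonce, kdcReply{Info: info})
	forged = clientVerify(&kdcKey.PublicKey, nonce, bad)
	return
}

func main() {
	genuine, unsigned, forged := runScenarios()
	fmt.Println("genuine:", genuine, "| unsigned:", unsigned, "| forged:", forged)
}
```

The unsigned and impostor cases are the ones that matter for point (a): an anonymous client has no long-term key shared with the realm, so if it accepts a reply without a signature it will also accept one from anyone on the path who answers faster than the real KDC. The nonce check sits beside the signature because a valid signature over somebody else's DH reply would otherwise verify just fine. For points (b) and (c), the policy is applied by the KDC per request; with AllowAnonymous off the anonymous flow is refused at the AS exchange, and with RestrictAnonymousToTGT on an anonymous principal still gets a krbtgt ticket for FAST armor but never a service ticket.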

Re: Anonymous PKINIT support

Posted by Colm O hEigeartaigh <co...@apache.org>.
I added a "tutorials" section to the website with two tutorials I wrote for
Kerby:

http://directory.apache.org/kerby/tutorials.html

On Wed, Sep 13, 2017 at 7:20 AM, Zheng, Kai <ka...@intel.com> wrote:

> Thanks Colm for the sharing and telling the story!!
>
> The blog looks pretty informative. I thought we should list or mention it
> somewhere in our Directory/Kerby projects.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, September 11, 2017 7:30 PM
> To: Zheng, Kai <ka...@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: Anonymous PKINIT support
>
> OK thanks! I wrote up the "access token" case as part of a blog post in
> the context of a kerberized JAX-RS web service request using Apache CXF:
>
> http://coheigea.blogspot.ie/2017/09/integrating-json-web-tokens-with.html
>
> Colm.
>
> On Sat, Sep 9, 2017 at 5:50 AM, Zheng, Kai <ka...@intel.com> wrote:
>
> > Thanks Colm for the take. I'll try to bring up the context in my mind
> > and give you some comments later.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Friday, September 08, 2017 10:38 PM
> > To: kerby@directory.apache.org
> > Subject: Re: Anonymous PKINIT support
> >
> > Now that I've finished the JWT access token work, it'd be nice to
> > finish the Anonymous PKINIT side of things to get the Identity token
> > part of it to work. Please review my questions below.
> >
> > Colm.
> >
> > On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> >
> > > Hi all,
> > >
> > > As per the recent email on JWT, I'd like to look at the outstanding
> > > issues surrounding anonymous PKINIT support in Kerby.
> > >
> > > a) Last year I raised concerns about the KDC not signing the response:
> > >
> > > https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html
> > >
> > > Currently, we don't use the private key at all in the KDC when it is
> > > configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
> > >
> > > https://tools.ietf.org/html/rfc6112
> > >
> > > "If the KDC's signature is missing in the KDC reply
> > >    (the reply is anonymous), the client MUST reject the returned ticket
> > >    if it cannot authenticate the KDC otherwise."
> > >
> > > I don't really see how the client can authenticate the KDC as things
> > > stand, so I think we need to sign the KDC response and enforce a
> > > signature on the client side.
> > >
> > > b) From the MIT page:
> > >
> > > "If you need to enable anonymity support for TGTs (for use as FAST armor
> > > tickets) without enabling anonymous authentication to application
> > > servers, you can set the variable restrict_anonymous_to_tgt to true
> > > in the appropriate [realms] subsection of the KDC’s kdc.conf file."
> > >
> > > Is this supported by Kerby? I'm guessing not, but we should add
> > > support for it.
> > >
> > > c) Is there a way to differentiate between anonymous + authenticated
> > > PKINIT in the KDC configuration? What if you don't want to allow the
> > > anonymous case?
> > >
> > > Colm.

RE: Anonymous PKINIT support

Posted by "Zheng, Kai" <ka...@intel.com>.
Thanks Colm for the sharing and telling the story!!

The blog looks pretty informative. I thought we should list or mention it somewhere in our Directory/Kerby projects.

Regards,
Kai

Re: Anonymous PKINIT support

Posted by Colm O hEigeartaigh <co...@apache.org>.
OK thanks! I wrote up the "access token" case as part of a blog post in the
context of a kerberized JAX-RS web service request using Apache CXF:

http://coheigea.blogspot.ie/2017/09/integrating-json-web-tokens-with.html

Colm.

RE: Anonymous PKINIT support

Posted by "Zheng, Kai" <ka...@intel.com>.
Thanks Colm for the take. I'll try to bring up the context in my mind and give you some comments later.

Regards,
Kai

RE: Anonymous PKINIT support

Posted by "Zheng, Kai" <ka...@intel.com>.
Really sorry for the very late follow-up on these discussions. These are indeed good questions; my answers to them would all be yes.

Quite some time ago we did want to develop complete PKINIT and then start the work on the anonymous support. That's why, besides the Kerberos-related code, we also worked out lots of PKI-related code like CMS, PKI and so on, then stopped somewhere due to a priority adjustment.

Anonymous PKINIT support is interesting because it can be used to establish an armor channel for the JWT token support without introducing too much overhead, e.g. no client-side certificate. But it still needs the KDC side's public key and the validation chain.

Thanks for catching and raising the issue that the client hasn't validated the KDC's reply by checking its signature. If we claim the feature is done and works, the security issue should be fixed. However, I'm not sure how easy it is to fix the issue; Jiajia might be able to provide some hints, as it looks like she is working on the cross-realm support, which is another big feature Kerby still has to attack.

For the two cases of PKINIT (anonymous, or client authenticated via an X.509 certificate), I thought the Kerby client should/could have separate APIs, because they need different parameters and also rely on different configurations. So the KerbClient-KDC flow will be triggered in two different ways.

I'm not sure if this helps a bit; if necessary, I can try to find the bandwidth to provide my review/clarification when possible. It would be great to fix the gaps and deliver the Anonymous PKINIT feature.

Regards,
Kai

Re: Anonymous PKINIT support

Posted by Colm O hEigeartaigh <co...@apache.org>.
Now that I've finished the JWT access token work, it'd be nice to finish
the Anonymous PKINIT side of things to get the Identity token part of it to
work. Please review my questions below.

Colm.
