Heimdal

Or how to talk to the Kerberos KDC over your appliation protocol

Talking to the KDC with no network

Sometimes you want to talk to the KDC when there is limited or direct network. Or your application simply knows better how to communicate with the KDC.

For example, if it was possible to use EAP with GSS-API so it run Kerberos initial ticket fetching over the EAP channel, this is not so far off given the new IAKERB gss-api mechanism that Larry Zhu is proposing (currently in last call). With his mechanism you can talk to the KDC and get initial and service tickets for a service over a gss-api channel.

First the when you login to the network using EAP the network topology looks like this:

Client ---[EAP over wavelan]---> Wavelan access point ---[radius]---> Radius server

First you authenticate to the radius server, and the radius server tells the access point to let you out on the network, and then you get a IP address from the DHCP server. So why doesn’t this fit together with the Kerberos stack.

In the classial appliation the world looks like this:

Application -> GSS-API -> Kerberos mechanism <--[Kerberos protocol]--> KDC
                 |
              [token]
                 |
  appl <---------/
   |
   |
   \
    ------[application protocol]---->  server

But when you are in an about to use EAP to login to the network, theKerberos mechanism have no way to talk to the KDC, the only channel you have EAP the channel to the Radius server.

So the obvious solution is to let the Kerberos mechanism talk though the EAP channel over the the Radius server, and have the radius server forward over the packets over the the KDC.

The problem with Kerberos krb5_get_init_creds()

The Kerberos function krb5_get_init_creds() is that it expect to be able to resolve the DNS information to the KDC and then talk to the KDC to get initial tickets, so deep inside the function there is a function that will send of a packet the the KDC.

As described above, this wont work since the Kerberos library have no network connection to the KDC, it have to talk to the KDC thought the GSS-API layer.

The replacement function, krb5_init_creds()

So the new function krb5_init_creds() and krb5_init_creds_step() instead of sending of the packet to the KDC, return the packet that is supposed to be sent off to the KDC, and the expect the caller to call
krb5_init_creds_step() with whatever the KDC returned. There is a helper function that does all this: krb5_init_creds_get().

So krb5_get_init_creds_password() is now implmented in terms of the new functions. And is as described below.

krb5_get_init_creds_password()
{
   krb5_init_creds_init(&ctx);
   krb5_init_creds_get(ctx);
   krb5_init_creds_free(ctx);
}

krb5_init_creds_get(ctx)
{
    while(1) {
       ret = krb5_init_creds_step(ctx,inpacket, &outpacket);
       if (ret != CONTINUE)
         break;
       krb5_send_to_kdc(outnpacket, &inpacket);
    }
}

GSS-API usage of krb5_init_creds_step()

This way GSS-API mech can take advantage of the split stack and instead of sending the packet to the KDC, send of the packet over to GSS-API peer and when it get back the reply, stuff the answer back into krb5_init_creds_step() to continue the dance. 

Application -> GSS-API <–> Kerberos mechanism

                 |
              [token]
                 |
  appl <---------/
   |
   |
   \
    ------[application protocol]---->  server <--[Kerberos protocol]--> KDC

Now, someone just need to implement IAKERB to use this functionallity.

I’ve created a new API to the krb5_ functions, its for storing Kerberos related data in the credential cache.

• Realm configuration that is fetched runtime, for that the target is a domain that only should have Kerberos canonlization done and not dns canonlization
• Forwarded tickets, to avoid re-fetching the from the KDC

krb5_cc_get_config
krb5_is_config_principal
krb5_cc_set_config

There is a patch for MIT Kerberos that also includes this interface, so hopefully it will be included in MIT Kerberos 1.7.

A long long time ago DES was standardized (1973, before I was born). Some 30 years later (2003) is was withdrawn as a standard by NIST, today 5 years later, its time for DES to finally die. Last year you could brute force DES in 6.4 days by buying a machine for $10000. So last year was the time for you to migrate to better encryption types for your Kerberos realm.

If you really are in love with DES and can’t stand to be without it, now its the time to add “[libdefaults] allow_weak_crypto = true”to your configuration file so that your love wont die when you upgrade next time. If you want to check your configuration, the code is already commited to trunk in the source repro.

Application that will stop working are old Kerberos 4 tools and telnet/telnetd.

Heimdal-1.3 will deprecate DES

PS there is an exception for AFS to allow it still to use DES encryption types.

As part of Heimdal 1.3 we have been adding i18n support to the base libraries and some of the Kerberos user utilites using GNU Gettext. It should also work with other localization packages like the MacOS X CoreFoundation’s CFCopyLocalizedString with some minor code hacking.

We that work on Heimdal only know Swedish and English, so can can help translate the error strings. You don’t need to download special tool, just go to Heimdal at launchpad and you translate the strings there. Just let us know that you have started to do the work so that we will remember to download your translations before release (or when you want to sync to you can test how it feels to get heimdal in your language.

Today we got a patch from Sho Hosoda that add back the Windows XP SP2 support to Heimdal PK-INIT support. With this we can use smart cards to logins a Samba4 domain, this is way cool and why we started this work several years ago.

http://www.h5l.org/fisheye/changelog/heimdal/?cs=23861

I’ve started to add symbol versioning to heimdal libraries to avoid exporting symbols all over the place.

 This have some bad side effekts. As usual there is not just one format for the file. The gnu ld one is what I currently support, so I have to munch the gnu file and produce a flat-file too (for Mac OS X).

 The other that is causing more problems is that its no longer possible to unit test internal functions, because libraries that no longer export those symbols. Right now I have no real solution to the problem. One is to build a library without symbol versoning and test with that. Other is to just build that module, but that doesn’t work with libtool since libtool requires object files to be of the same type. Ie a object can’t belong to a binary and a library at the same time. Beloning to to  two library or two binaries are fine though. But building two files doesn’t really appeal to me, I’m waiting long enough as it is already. Currently I just export the function and hope that consumers wont use them.

In the last few days me and Klas have worked on improving the KDC digest stuff. It will be used together with Radiator to provide 802.1X/EAPOL login at Stockholm University. The interface now supports CHAP, MS-CHAP-V2 and SASL DIGEST-MD5 in addition to the NTLM versions. The only new system is MS-CHAP-V2 but I also changed the digest protocol from experience from the NTLM work.

Heimdal 0.8 release is progressing nicely (wrote code 22 out of 31 days in January), there is not much I feel needs to be fixed before the release and I’ve been working on portability fixes in addition to the KDIGEST work since the heimdal 0.8 branch was cut. There is some new functionallity on the HEAD that wont be in 0.8 release, like the Kerberos PRF, mainly because there have been no interop testing. That how valueable test vectors in RFCs are.

The info manual pages have been cleaned up and now they are generated each night for the diffrent branches that I maintain. hx509 needs some more text but is a good start, I’m starting to get concerted about the complexity of the hxtool issue-certificate tool, its should be simpler that it is but the X.509 folks have just dreamed up too many options and features. The manual pages (formated in mdoc) still needs to htmlized and published on the web, but that will have to wait util I find a good way to do it (ie part of the build system).

After the Heimdal 0.8 release the CVS tree will be converted into subversion tree and moved to Stockholm University and IT och Media, but because CVS is so bad for us, its mainly because of that subversion is faster to use for large repositories. I can’t feel that changing to subversion is a downgrade, subversion doesn’t give me O(1) time sandboxes (it provides O(1) branches, that doesn’t help me, still need to check out the tree). I want to have a source code revision system, not a revisioned filesystem. Anyway, subversion will have to do for now.

Now that Heimdal can generate certificates I added KCA functionallity to the KDC. KCA is a service that allows you to convert your Kerberos ticket into a X.509 certificate that have the same lifetime as your ticket, its a Kerberosized CA, hence the name, KCA. The wire-protocol in Heimdal in compatible with the orignal KCA/kx509.

Heimdals KCA service is built into the KDC. To configure the service you need to give it a CA certificate to sign the requests with and a template certificate. The KDC will replace variables in the Subject DN in the template certificate, currently there is only one variable, ${principal-name}. This will change in the future when I manged to push in more info into the HDB, like the users real name.

$ hxtool print FILE:template.pem
cert: 0
private key: yes
issuer:  "UID=${principal-name},DC=test,DC=h5l,DC=se"
subject: "UID=${principal-name},DC=test,DC=h5l,DC=se"
serial: 105CB1ACF89E6AFBDC6AF386684B9FEC652E3432
keyusage: keyEncipherment, digitalSignature

Currently there is no client nor documentation, that will change soon.

Talking about manuals, now there are uptodate (regenerated several times a day) manuals for Heimdal and hx509.

hx509 and hcrypto have both in the last two months been given an overhaul and are now self bootstraping. Needless to say, neither of the two packages are perfect, but we are getting to closer to same level of functionality as the rest of the Heimdal suite of applications and libraries.

hxtool can now both read and create PEM and PKCS11 files containing both certificates and private keys. Neither of formats will end up containing encrypted keys (ie shrouded PKCS8 keys), so that is a feature that must be added.

And talking about private keys, hcrypto now uses RSA key blinding and CRT for private key operations, makes quite a lot difference in performance and security. I also added RSA key generation, that is really the last two missing bits that makes hcrypto useful.

The coolest feature is also the most basic in the X.509 world. libhx509 and hxtool now can print certificates. It would be boastful to call is a CA software because some important tools are not there yet, for example a CRL and OSCP generation tools and certificate store handling.

There is two reason why I wrote this extension to hx509. First reason was I wanted a simple way to setup a PK-INIT realm and using OpenSSL as a CA only causes pain for most users, its very hard to get the generated certificates right and openssl lets you get away with it too. Second reason is that I needed a simple way to generate certificates for another part of Heimdal, kca (more about that later).

What hxtool do for us then ? It will let you issue certificates with a simple interface using default templates.

To generate a CA certifiate with RSA key that is valid for 10 years, this is the command you would use.

hxtool issue-certificate \
    –self-signed \
    –issue-ca \
    –generate-key=rsa \
    –subject=”CN=CA,DC=h5l,DC=se” \
    –lifetime=10years \
    –certificate=”FILE:ca.pem”

Now you have a CA certificate with its private key in the PEM file ca.pem. Now you say, what makes this hx509 so much simpler to use then OpenSSL. The answer is the default values and builtin profiles, let take the example with the KDC PK-INIT certificate. It needs to have this EKU (extended key usage) and a special SAN (Subject Alternative Name) for PK-INIT. hxtool will help you generate that certificate with some simple command options, it wont give you total control over the certificate creation process, but for most users that is not really interesting, they just want to have certificates.

hxtool issue-certificate \
    –ca-certificate=FILE:ca.pem \
    –generate-key=rsa \
    –type=”pkinit-kdc” \
    –pk-init-principal=”krbtgt/H5L.SE@H5L.SE” \
    –subject=”uid=kdc,DC=h5l,DC=se” \
    –certificate=”FILE:kdc.pem”

Writing a certificate issuing code when you have a X509 verifier, a crypto library and a sane ASN.1 compiler is very simple. It took me about 3 days from no code to a somewhat working software, now, 12 days later while also working with other thing, its good enough to tell people about it.

Next item will be to write a sane manual how to use this software. Since hxtool is such a small tool the manual will be short too, it will be another texinfo manual about how to use hxtool to serve your basic CA needs. Creating a CA and issueing certificates to user and services.

There will always be missing functionallity to hx509, the PKIX people have started to write standard too long ago for me to catch up.

For some time now I’ve been working on a new subsystem in the KDC for remotely validating digest credentials for a user. Right now it support CHAP (MD5), SASL DIGEST-MD5, HTTP DIGEST and NTLM (version 1 and 2)

It allows a server to validate a users digest without knowing the password directly, it can delegate the authentication to the KDC.

A coworker of mine used to build a proof-of-concept patch till the radius server Radiator that uses the new digest protocol to support the EAP-CHAP mechanism.

The digest protocol also support sending back Kerberos credentials in the protocol, so for example a WEB-DAV server using HTTP digest authentication can get an AFS ticket back that it can use to authenticate to AFS. This way the user limited service ticket (not the full KRBTGT) will get exposed to service, and only services that the user actually authenticated too.

The NTLM authentication is a slight different beast. After the context exchange (The NTLM type 1, 2 and 3 packets) the KDC sends back the session key material (if that was negotiated) to the server. This way the server also can provide session security to the client without dealing with the KDC any more. To test this I wrote a GSS-API mechanism that looks like the NTLMSSP in SSPI, it support both initiators and acceptors, session security. It was really really useful to debug SPNEGO so it have defiantly served its purpose even if it never will get used.

The interface is exposed in the library as the krb5_digest and the krb5_ntlm interfaces, its not a very large interface and it only uses opaque data types to enable us to add new digest types in the future. There is also a binary, <b>kdigest</b> that let the server access this from a shell/Perl script without interfacing with any c-code.