Heimdal

October 19, 2008

ok-as-delegate and GSS-API

Filed under: gss-api — lha @ 9:33 pm

Background

To forward your Kerberos credential from a gss-api client to a server you turn on the flag GSS_C_DELEG_FLAG. This will, as part of the authentication, forward your tickets to the server.

The problem is that you don’t want to turn on this just for every server your what to authenticate to, because most of them should probably not be trusted with your tickets.

To solve this Microsoft added an extention to the Kerberos, that was added to RFC4120 (The Kerberos protocol RFC). The extention is called ok-as-delegate and is a ticket flag. Using the flag the client can determine that the system administrator thinks about the host, if it should be delegated too or not.

Non Microsoft sites have been using GSS-API implementations that doesn’t honor the flag ok-as-delegate and most of them never has set the ok-as-delegate flag. In some cases the sites are using Kerberos implementations that doesn’t even support setting the ok-as-delegate flag in the Kerberos database.

Users at these sites have grown accustomed to the behavior ok GSS_C_DELEG_FLAG and changing the GSS-API implementation behind them to make GSS_C_DELEG_FLAG honor the ok-as-delegate flag will only make people upset.

New flag

What we can do it introduce a new flag GSS_C_DELEG_POLICY_FLAG that is defined to honor the flag ok-as-delegate.

The flag GSS_C_DELEG_POLICY_FLAG is a local flag that is never seen on the wire. And, its only used by the initator, the acceptor never see the flag.

There are four cases where GSS_C_DELEG_POLICY_FLAG and GSS_C_DELEG_FLAG interact with each other and the resulting return flags.

  • Neither flag set
    do nothing with regard to delegation
  • GSS_C_DELEG_FLAG set
    always try go delegate and set GSS_C_DELEG_FLAG in the return flags if successful
  • GSS_C_DELEG_POLIY_FLAG set
    try to delegate if ok-as-delegate is set, delegate and set GSS_C_DELEG_FLAG and GSS_C_DELEG_POLICY_FLAG in the return flags if successful
  • GSS_C_DELEG_FLAG and GSS_C_DELEG_POLIY_FLAG setalways try to delegate, set GSS_C_DELEG_FLAG if successful in the return flags if successful. Also, if successful and ok-as-delegate was set on the service ticket, set GSS_C_DELEG_POLICY_FLAG in the return flags.

Cross realm ?

What is missing is how ok-as-delegate and GSS_C_DELEG_POLICY_FLAG should work in the cross realm case. RFC4120 is quiet on this issue, the flag on ok-as-delegate doesn’t mean anything on the cross realm tgt. The question is how this should be dealt with.

The obvious answer is define a meaning on the cross realm tgt ticket for ok-as-delegate, but how will that interact with existing deployments.

Current behavior is for released MIT and heimdal is that the flag is ignored. For Microsoft clients is that they honor the flag for windows domains, and to external realms they allow delegation is a flag is set on the realm configuration on the client.

Any good ideas out there ?

October 12, 2008

DES will die in Heimdal 1.3

Filed under: Heimdal — lha @ 11:57 pm

A long long time ago DES was standardized (1973, before I was born). Some 30 years later (2003) is was withdrawn as a standard by NIST, today 5 years later, its time for DES to finally die. Last year you could brute force DES in 6.4 days by buying a machine for $10000. So last year was the time for you to migrate to better encryption types for your Kerberos realm.

If you really are in love with DES and can’t stand to be without it, now its the time to add “[libdefaults] allow_weak_crypto = true”to your configuration file so that your love wont die when you upgrade next time. If you want to check your configuration, the code is already commited to trunk in the source repro.

Application that will stop working are old Kerberos 4 tools and telnet/telnetd.

Heimdal-1.3 will deprecate DES

PS there is an exception for AFS to allow it still to use DES encryption types.

October 5, 2008

Do you want Heimdal to speak Swedish to you ?

Filed under: Heimdal — lha @ 11:52 pm

As part of Heimdal 1.3 we have been adding i18n support to the base libraries and some of the Kerberos user utilites using GNU Gettext. It should also work with other localization packages like the MacOS X CoreFoundation’s CFCopyLocalizedString with some minor code hacking.

We that work on Heimdal only know Swedish and English, so can can help translate the error strings. You don’t need to download special tool, just go to Heimdal at launchpad and you translate the strings there. Just let us know that you have started to do the work so that we will remember to download your translations before release (or when you want to sync to you can test how it feels to get heimdal in your language.

Adding support for referrals in GSS-API

Filed under: gss-api — lha @ 8:19 pm

We can implement referrals support for Kerberos mk_req API or do it for GSS-API. For me its an easy choice, most consumers uses GSS-API, lets go for that.

DNS canonicalition happens when we pass in a GSS_C_NT_HOSTBASED_SERVICE based name into gss_import_name(), so its only that case we really need to care about. DNS canonlisation is done by krb5_sname_to_principal(), see documentation in Heimdal trunk.

The simple solution is that in gss_import_name() we the hostname to krb5_sname_to_principal(), instead we mark up the principal as magic-unresolved. Now there are some places where we should return the name in its native form, and that is after gss_init_sec_context() is done by gss_inquire_context(), and gss_canonicalize_name(). We also need to deal with these magic-unresolved names in gss_acquire_cred() and gss_export_name().

So lets go over the four cases when we have a magic-unresolved.

gss_init_sec_context(), we try first to get Kerberos credentials using TGS-REQ using the sort name and hope that its an valid alias, if no, we call back to the old way with krb5_sname_to_principal(). Right, we update the name in the context to what we used.

gss_acquire_cred() same thing here, first try literal, then krb5_sname_to_principal().

gss_inquire_context(), this is simple gss_init_sec_context() will have solve the problem for us, just copy out the string.

gss_canonicalize_name() here we don’t have a chance, so I guess, we want to have the canonicalized name, so I used the krb5_sname_to_principal() to canonicalize the name.

So where to store this magic-unresolved bit ? Well it happens to be so that the Kerberos gss-api mech uses Kerberos principals (krb5_principal) so there no extra bit where we can save the info. So, instead we hook the krb5_principal name type field and misuse that. Any time we will export or use the principal, we’ll convert back to KRB5_NT_SRV_HST that it would have been if we used krb5_sname_to_principal().

September 27, 2008

Kerberos ticket extentions

Filed under: kerberos protocol — lha @ 2:11 pm

Last Sunday I updated the draft Kerberos ticket extensions to version -02.

Ticket extentions are to enable PK-CROSS and other applications that want to send clear text data in the ticket between the KDC and the server.

The update included and extension to the Kerberos protocol, a much cleaner extention protocol wise, at the same time it requires update clients. The reason I did both was the comment from Ken Raeburn that though the new protocol was horrible (which it is) and Kerberos should stay pretty, so I made the protocol stay pretty.

There is still the issue with protection, may I just should just give up making it truly extensionally and just include a checksum using the same key as the Ticket.enc-data is encrypted with.

September 22, 2008

PKINIT works with Samba4 + windows XP

Filed under: Heimdal — lha @ 6:43 am

Today we got a patch from Sho Hosoda that add back the Windows XP SP2 support to Heimdal PK-INIT support. With this we can use smart cards to logins a Samba4 domain, this is way cool and why we started this work several years ago.

http://www.h5l.org/fisheye/changelog/heimdal/?cs=23861

September 19, 2008

Referrals

Filed under: kerberos protocol — lha @ 12:10 pm

This is something I brough up at IETF72 in Dublin, Ireland.

Kerberos (in the non Microsoft world) have always used DNS map to Kerberos principals. Sam Hartman describes the issue more here: http://www.painless-security.com/blog/2008/08/krb-dns/

My idea doesn’t come from how to secure Kerberos (I already know that using DNS is bad), it comes from how to make Kerberos useful for users in the transition. Having client configuration really sucks, its horrible and a really pain to upgrade, and when you think you solved it, someone installs a old krb5.conf that “have always worked” and was ”needed for some reason I can’t remember”. The reason it worked was because they forced the client to not upgrade, and the reason is that they have a broken application that can’t do the right thing. Do I sound bitter, well, kind of.

My idea is that the realm annouces in the krb5tgt that is support referrals and all entires are populated that the clients are supposed to be allowed to use. Ie, both host/shell@EXAMPLE.COM and host/shell.example.com@EXAMPLE.COM are in the Kerberos database. So when then user types in ssh shell, the library should just ignore that.

I’ve been experimenting with Heimdal to do this and have come some futher then when I talked at IETF with regard to practical problem.

First its hard to know what realm you are going to end up in, mostly because the interactions between name selection, dns canonlisation and referrals. The old way was simple:

  1. host = getnamebyaddr(getaddrbyname(hosthost))
  2. target = { service, host } @ getrealmforhost(host)
  3. ticket = get-service-ticket(target)

Using what the user provided seems simple.

  1. target = { service, hostname } @ get-realm(client-tgt)
  2. ticket = get-service-ticket(target)
  3. if ticket == null and compat: then ticket = old-method(hostname)
  4. use ticket

where get-service-ticket is this:

  1. tgt = get-tgt(client-principal)
  2. service-ticket = tgs-req(tgt, target, [canon])
  3. if (referrals(service-tkt)): then update(target, tgt = service-ticket), goto 2
  4. return service-ticket

So lets say we are the user foo@FOO.COM and we want to login to
the machine shell.

shell (aka shell.foo.com) is really part of BAR.COM service and since FOO.COM’s KDC knows that, its going to return a referral.

We are getting a referrals back, and the referral say that we should go to BAR.COM and what target principal to use.

In the AD world this is simple, all SPNs are part of the global catalog, so all KDC in the forest can figure out what the user really wanted. IN a pure Kerberos enviroment, its not that simple since this helicopter-view of the worlds doesn’t exist. So in the pure environment we can’t use short names when the short name is in another realm. We can only do hostname to realm mappings. Also note that the Global catalog on spans a forest, so in the multi-forest environment, Windows KDC also resolves to mapping full names into DNS names.

So a flag in the credential cache is probably a good idea to tell the client to turn off DNS-canon, but on the other hand, if the KDC turns on this flag, it also better support referrals and have a global view for its referral world if it want to support non-fqdn types of names.

Heimdal have had server referral for quite some time now, MIT Kerberos have not (they have it in the client though).

September 15, 2008

GSS_C_DELEG_POLICY_FLAG and cross realm

Filed under: gss-api, kerberos protocol — lha @ 3:09 pm

I’ve been working on the draft for GSS_C_DELEG_POLICY_FLAG lately. One thing I have added is th reason why we need this document. This was requested by reviewers.

Its for legacy deployments that can’t update Kerberos today and can’t/don’t want to change behavior.

Getting the flag defined and the behavior clarified is only the first step of this process. The second is to make sure it works in the cross realm case too. The proposal I have is to make it an MUST that all intermediate cross realm tgt tickets also have ok-as-delegate flag set. It seems Microsoft does it that was and I’ve asked them if I’ve read their spec is correctly.

September 21, 2007

gssmaestro

Filed under: gss-api — admin @ 10:00 pm

I have started to merge the Samba GSS-API change from Andrew Bartlet and Stefan Metzmacher. As part of that work I have completed most of the basic work of my clone of gssmaggot/gssmaster that David Christansson (Microsoft) have written.

 The problem with gssmaster is that its not released in source-code format, so I wrote my own client (gssmask) and server (gssmaestro). gssmaestro is not as complete that I wish, but test most of the context and token functionallity in the gss-space.

I plan to use gssmask/gssmaestro to test with gssmaggot, this way I can make sure I don’t break anything, and at the same time still work with Microsofts and MIT gssapi implementations. This is what we do for the interrop events, but usually with new and shiny code.

There is also a new regression test that uses the gssmask/gssmaestro test program in heimdal/tests/gss directory and its hooked up to the regular automake regression tests, so hopefully I wont break the basic gss-api functions ever again.

July 4, 2007

Symbol versioning

Filed under: Heimdal — admin @ 12:04 pm

I’ve started to add symbol versioning to heimdal libraries to avoid exporting symbols all over the place.

 This have some bad side effekts. As usual there is not just one format for the file. The gnu ld one is what I currently support, so I have to munch the gnu file and produce a flat-file too (for Mac OS X).

 The other that is causing more problems is that its no longer possible to unit test internal functions, because libraries that no longer export those symbols. Right now I have no real solution to the problem. One is to build a library without symbol versoning and test with that. Other is to just build that module, but that doesn’t work with libtool since libtool requires object files to be of the same type. Ie a object can’t belong to a binary and a library at the same time. Beloning to to  two library or two binaries are fine though. But building two files doesn’t really appeal to me, I’m waiting long enough as it is already. Currently I just export the function and hope that consumers wont use them.

« Newer PostsOlder Posts »

Powered by WordPress