Heimdal

In the last few days me and Klas have worked on improving the KDC digest stuff. It will be used together with Radiator to provide 802.1X/EAPOL login at Stockholm University. The interface now supports CHAP, MS-CHAP-V2 and SASL DIGEST-MD5 in addition to the NTLM versions. The only new system is MS-CHAP-V2 but I also changed the digest protocol from experience from the NTLM work.

Heimdal 0.8 release is progressing nicely (wrote code 22 out of 31 days in January), there is not much I feel needs to be fixed before the release and I’ve been working on portability fixes in addition to the KDIGEST work since the heimdal 0.8 branch was cut. There is some new functionallity on the HEAD that wont be in 0.8 release, like the Kerberos PRF, mainly because there have been no interop testing. That how valueable test vectors in RFCs are.

The info manual pages have been cleaned up and now they are generated each night for the diffrent branches that I maintain. hx509 needs some more text but is a good start, I’m starting to get concerted about the complexity of the hxtool issue-certificate tool, its should be simpler that it is but the X.509 folks have just dreamed up too many options and features. The manual pages (formated in mdoc) still needs to htmlized and published on the web, but that will have to wait util I find a good way to do it (ie part of the build system).

After the Heimdal 0.8 release the CVS tree will be converted into subversion tree and moved to Stockholm University and IT och Media, but because CVS is so bad for us, its mainly because of that subversion is faster to use for large repositories. I can’t feel that changing to subversion is a downgrade, subversion doesn’t give me O(1) time sandboxes (it provides O(1) branches, that doesn’t help me, still need to check out the tree). I want to have a source code revision system, not a revisioned filesystem. Anyway, subversion will have to do for now.

Now that Heimdal can generate certificates I added KCA functionallity to the KDC. KCA is a service that allows you to convert your Kerberos ticket into a X.509 certificate that have the same lifetime as your ticket, its a Kerberosized CA, hence the name, KCA. The wire-protocol in Heimdal in compatible with the orignal KCA/kx509.

Heimdals KCA service is built into the KDC. To configure the service you need to give it a CA certificate to sign the requests with and a template certificate. The KDC will replace variables in the Subject DN in the template certificate, currently there is only one variable, ${principal-name}. This will change in the future when I manged to push in more info into the HDB, like the users real name.

$ hxtool print FILE:template.pem
cert: 0
private key: yes
issuer:  "UID=${principal-name},DC=test,DC=h5l,DC=se"
subject: "UID=${principal-name},DC=test,DC=h5l,DC=se"
serial: 105CB1ACF89E6AFBDC6AF386684B9FEC652E3432
keyusage: keyEncipherment, digitalSignature

Currently there is no client nor documentation, that will change soon.

Talking about manuals, now there are uptodate (regenerated several times a day) manuals for Heimdal and hx509.

For some time now I’ve been working on a new subsystem in the KDC for remotely validating digest credentials for a user. Right now it support CHAP (MD5), SASL DIGEST-MD5, HTTP DIGEST and NTLM (version 1 and 2)

It allows a server to validate a users digest without knowing the password directly, it can delegate the authentication to the KDC.

A coworker of mine used to build a proof-of-concept patch till the radius server Radiator that uses the new digest protocol to support the EAP-CHAP mechanism.

The digest protocol also support sending back Kerberos credentials in the protocol, so for example a WEB-DAV server using HTTP digest authentication can get an AFS ticket back that it can use to authenticate to AFS. This way the user limited service ticket (not the full KRBTGT) will get exposed to service, and only services that the user actually authenticated too.

The NTLM authentication is a slight different beast. After the context exchange (The NTLM type 1, 2 and 3 packets) the KDC sends back the session key material (if that was negotiated) to the server. This way the server also can provide session security to the client without dealing with the KDC any more. To test this I wrote a GSS-API mechanism that looks like the NTLMSSP in SSPI, it support both initiators and acceptors, session security. It was really really useful to debug SPNEGO so it have defiantly served its purpose even if it never will get used.

The interface is exposed in the library as the krb5_digest and the krb5_ntlm interfaces, its not a very large interface and it only uses opaque data types to enable us to add new digest types in the future. There is also a binary, <b>kdigest</b> that let the server access this from a shell/Perl script without interfacing with any c-code.

After more then a year of hard work from me, Andrew Bartlett and the rest of the samba folks we have finally merged all major changes from the Samba tree into Heimdal. The diff between the two tree are now less the 400 lines which is nothing compare to the 50000+ line diff that we ended up with from the begining.

Heimdal have grown itself new subsystem, the PAC handling, and hooks for processing in other application and improvements to GSS-API.

In the future I’ll work on canonicaliztion since this is the next big item. It already exists in the KDC and Kerberos library today, but it needs to expanded to support all the new functionallity that a domain controller require. To be able to support this I’ll need to a large regression test to test how the canonicalization actully works in Windows and along with that come many new tests how Windows deals with Kerberos.

Yesterday I commited a tool to heimdal called kimpersonate that I
wrote about 5 years ago, that even before I was a Heimdal developer, I
even wrote a manpage for it. Its rather short, about 330 lines,
including copyright and command parsing. I use it as part of the
regression suite in Heimdal. To run the regression suite yourself, run
make check in the toplevel directory.

kimpersonate prints Kerberos tickets for a user given a keytab (or
AFS keyfile). An example how to use kimpersonate show better what the
tool can do.

datan# kimpersonate -s host/nutcracker.it.su.se@SU.SE -c lha/root@SU.SE -t des3-cbc-sha1 -5 --ccache=FILE:/tmp/cache -k FILE:nutcracker-keytab
datan# klist -c FILE:/tmp/cache
Credentials cache: FILE:/tmp/cache
Principal: lha/root@SU.SE
Issued           Expires          Principal
Sep 19 08:22:52  Sep 19 09:22:52  host/nutcracker.it.su.se@SU.SE
datan# ssh -l root nutcracker.it.su.se
nutcracker#

So don’t get your keytab’s stolen, but you already knew that.

Also, today I enabled PK-INIT by default, now it have to be turned off when running configure.

What is life without some ASN.1 compiler hacking, last week I got intensely bored of writing code that appends another element to the list of entries so I spent 2 hours extending the ASN.1 compiler in Heimdal to generate add_ and removal_ functions for all SEQ OF types. So far it have only allowed me to remove code and not to not write it, but its still a very useful feature. Just like the –preserve-binary= feature, the –sequence= option have to be turned on explicitly for all types where its required.

I’ve been tinkering with smartcard support the last week. Michael Alexander and Douglas Engert both helped me debug and diagnose all the problems that keep coming up, thanks for the work guys.

I had misunderstod how PKCS11 worked with objects and thought they were presistent over sessions, it was quite easy to change the code to cache the session, but suddely is became much harder to get threading support right.

There is also a “feature” in PK-INIT that I’m not sure I like. When doing the Encrypted session key the reply message is encrypted with the private key of the certificate, even in the case then the certificate is a signing only certificate. That means that if there is a smartcard that accully enforces the signing only policy of the CA, PK-INIT wont work for that card. All this is solved using DH, and that is was windows vista will do. But until microsoft get their act togheter and releases Vista, we have to live with this.

The hx509 lib now have greatly improved error messages and I added more support in the softare pkcs-11 token I have do emulate the diffrent session/diffrent object behavior of activecard smartcards.

Some time since I wrote about what I’ve been working on with Heimdal. I was away for WWDC06 and had some 2weeks vaction so a month went way doing nothing (that is a good thing).

A new feature I’ve added a week ago was the digest authentication in the KDC, basicly it allows a server, like a Webdav server to delegat the http digest authenticiation to the KDC, then there is only one place you need to store the password.

This have a side-effect of beeing able to return a tickets from the KDC to the server. That will allow AFS sites to use digest auth (the mandetory to implement feature in webdav) to their webdav servers and at the same time export AFS. The way you did this before was that you stored the AFS keyfile on the webdav server and printed the tickets there. This is very scary when you think about what would happen if the webdav server ever was compromised.

There is both a library interface in libkrb5 (krb5_digest) and a binary (kdigest) that can be used to access the service in the KDC.

I still need to do some more testing, but most of the code should already be functional.

Oh, right, hopefully I got the channelbindings for http auth right, so when that is work completed it should just work.