Dr. Greg Wettstein
2017-01-29 09:52:32 UTC
Good morning, I hope this note finds everyone's day going well.
We wanted to bounce this issue off the Kerberos development community
to find out if we are dealing with a regression in the Kerberos PKINIT
code or misinterpretation of the issue on our part.
We maintain the Hurdo package which implements Kerberos credential
authenticated sudo support over OpenSSH. The package can be found at
the following URL:
ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.3.0.tar.gz
This package implements support for authenticating a sudo privilege
escalation with a short lived Kerberos service ticket sent over an
OpenSSH local message channel. It provides a framework for using
Kerberos to authenticate sudo requests without the risk of horizontal
privilege escalation in the event of a compromised host. It includes
support for propagating the requests through bastion or 'jump' hosts.
Version 0.3 has full support for PKINIT but in our testing of
'instance' principals of the following form:
sudo/***@REALM
kinit returns the following error:
Client name mismatch while getting initial credentials.
We have confirmed that this persists through the 1.14.4 Kerberos
release.
With debug enabled in the pkinit.so pre-authentication module we have
traced the problem to the verify_client_san() function which ends up
trying to compare the following two principals:
sudo\/***@REALM
sudo/***@REALM
Which obviously fails.
Examining the certificate in DER form indicates the principal name is
encoded as sudo/***@REALM as is desired. It appears something goes
wrong in the following function:
pkinit_crypto_openssl:crypto_retrieve_X509_sans()
Which generates the 'backslash protected' instance principal from the
Subject Alternate Name supplied principal in the pre-authentication
certificate.
We will keep tracing this but wanted to verify that this was not some
intentionally desired behavior by the Kerberos developers. If so was
there a decision to deny use of instance principals for PKINIT?
We will look forward to any reflections the development community may
have. Including a patch if someone else has managed to run into
this... :-)
Have a good week.
Greg
As always,
Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC.
4206 N. 19th Ave. Specializing in information infra-structure
Fargo, ND 58102 development.
PH: 701-281-1686
FAX: 701-281-3949 EMAIL: ***@enjellic.com
------------------------------------------------------------------------------
"So you got your butt kicked by an 'old' guy.
Before you taunted him did it ever cross your mind that the $1200
Schmoelke aero-bars he was laying on and the $900 Rocket7 cycling
shoes he was wearing might mean that the $10,000 custom bike frame he
was riding might be used for more than transportation to the Dairy
Queen each night for a Dilly Bar?"
-- Dr. G.W. Wettstein
Resurrection
We wanted to bounce this issue off the Kerberos development community
to find out if we are dealing with a regression in the Kerberos PKINIT
code or misinterpretation of the issue on our part.
We maintain the Hurdo package which implements Kerberos credential
authenticated sudo support over OpenSSH. The package can be found at
the following URL:
ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.3.0.tar.gz
This package implements support for authenticating a sudo privilege
escalation with a short lived Kerberos service ticket sent over an
OpenSSH local message channel. It provides a framework for using
Kerberos to authenticate sudo requests without the risk of horizontal
privilege escalation in the event of a compromised host. It includes
support for propagating the requests through bastion or 'jump' hosts.
Version 0.3 has full support for PKINIT but in our testing of
'instance' principals of the following form:
sudo/***@REALM
kinit returns the following error:
Client name mismatch while getting initial credentials.
We have confirmed that this persists through the 1.14.4 Kerberos
release.
With debug enabled in the pkinit.so pre-authentication module we have
traced the problem to the verify_client_san() function which ends up
trying to compare the following two principals:
sudo\/***@REALM
sudo/***@REALM
Which obviously fails.
Examining the certificate in DER form indicates the principal name is
encoded as sudo/***@REALM as is desired. It appears something goes
wrong in the following function:
pkinit_crypto_openssl:crypto_retrieve_X509_sans()
Which generates the 'backslash protected' instance principal from the
Subject Alternate Name supplied principal in the pre-authentication
certificate.
We will keep tracing this but wanted to verify that this was not some
intentionally desired behavior by the Kerberos developers. If so was
there a decision to deny use of instance principals for PKINIT?
We will look forward to any reflections the development community may
have. Including a patch if someone else has managed to run into
this... :-)
Have a good week.
Greg
As always,
Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC.
4206 N. 19th Ave. Specializing in information infra-structure
Fargo, ND 58102 development.
PH: 701-281-1686
FAX: 701-281-3949 EMAIL: ***@enjellic.com
------------------------------------------------------------------------------
"So you got your butt kicked by an 'old' guy.
Before you taunted him did it ever cross your mind that the $1200
Schmoelke aero-bars he was laying on and the $900 Rocket7 cycling
shoes he was wearing might mean that the $10,000 custom bike frame he
was riding might be used for more than transportation to the Dairy
Queen each night for a Dilly Bar?"
-- Dr. G.W. Wettstein
Resurrection
--
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev