Discussion:
Writing gss mechanism - Kerberos user2user
Idan Freiberg
2017-02-05 06:21:19 UTC
Hello all,

I'm working on an implementation for the Kerberos user2user mechanism, in order
to be able to interop with MS requests as such.

Talking with Simo, kaduk @ irc, I was advised to add it as a separate .so
module.
While it is possible, I'm not sure it's the right way. One reason for that
is because MS doesn't specify the user2user mech as a separate mech in
MechTypes (NegoTokenInit).
They actually ask for official krb5 or mskrb5 oids, then they include the
user2user token as the MechToken of the request.

That made me think u2u should be hooked in gssapi_krb5.

On the other hand, looking at gss-ntlmssp by Simo, I find that support
was added into gssapi itself in order to detect that mech when
NegoTokenInit comes in (although that's a different way of detection), so I
might be wrong about the above.

Can you share your thoughts about that one?
--
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2 72B3 8AD3 2D04 337B 1F18
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Greg Hudson
2017-02-05 16:27:48 UTC
Post by Idan Freiberg
While it is possible, I'm not sure it's the right way. One reason for that
is because MS doesn't specify the user2user mech as a separate mech in
MechTypes (NegoTokenInit).
They actually ask for official krb5 or mskrb5 oids, then they include the
user2user token as the MechToken of the request.
That's a little surprising. Is there any Microsoft documentation on
this u2u mechanism? I wasn't able to find any.
draft-ietf-cat-user2user-02 (which is ancient) gives a different OID for
use with SPNEGO.
Idan Freiberg
2017-02-05 18:43:19 UTC
Unfortunately, I didn't find any dedicated U2U doc under MS technical
documents. Also, MS-KILE doesn't include any info about U2U
messages/implementation details.
Regarding the RFC, there is also draft-swift-win2k-krb-user2user-03, but
it's just minor changes.

For me it feels like they tried to keep it as a part of Kerberos so they
can share the existing code for seal/mic/etc.

I started to add it in the same fashion as IAKERB is added to gssapi_krb5.
It seems that IAKERB is also relying on much of the "original" krb5 mech
code.
Post by Idan Freiberg
While it is possible, I'm not sure it's the right way. One reason for that
is because MS doesn't specify the user2user mech as a separate mech in
MechTypes (NegoTokenInit).
They actually ask for official krb5 or mskrb5 oids, then they include the
user2user token as the MechToken of the request.
That's a little surprising. Is there any Microsoft documentation on
this u2u mechanism? I wasn't able to find any.
draft-ietf-cat-user2user-02 (which is ancient) gives a different OID for
use with SPNEGO.
--
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2 72B3 8AD3 2D04 337B 1F18
Idan Freiberg
2017-02-05 18:48:02 UTC
Just to make it clear, the user2user MechToken inside the NegoTokenInit has
the OID from the draft-swift-win2k-krb-user2user RFC draft.
Post by Idan Freiberg
Unfortunately, I didn't find any dedicated U2U doc under MS technical
documents. Also, MS-KILE doesn't include any info about U2U
messages/implementation details.
Regarding the RFC, there is also draft-swift-win2k-krb-user2user-03, but
it's just minor changes.
For me it feels like they tried to keep it as a part of Kerberos so they
can share the existing code for seal/mic/etc.
I started to add it in the same fashion as IAKERB is added to gssapi_krb5.
It seems that IAKERB is also relying on much of the "original" krb5 mech
code.
--
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2 72B3 8AD3 2D04 337B 1F18
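The structure described in this thread (a NegTokenInit whose mechTypes list advertises the krb5 or mskrb5 OIDs while the mechToken itself carries a token framed with a different OID) is easy to misread when looking at raw bytes. The following is an added example, not code from the thread or from MIT krb5: it builds a constructed NegTokenInit with a minimal DER encoder, then parses it back and compares the advertised mechTypes against the OID found inside the mechToken's InitialContextToken framing. The SPNEGO, krb5 and mskrb5 OIDs are the real, well-known values; the user2user OID is an assumed placeholder, since the thread does not reproduce the value from draft-swift-win2k-krb-user2user.

```python
"""Added example: detect a mechToken whose inner OID is not among the
advertised mechTypes of a SPNEGO NegTokenInit. All input is constructed."""

SPNEGO_OID = "1.3.6.1.5.5.2"            # real OID
KRB5_OID = "1.2.840.113554.1.2.2"        # real OID
MSKRB5_OID = "1.2.840.48018.1.2.2"       # real OID
# Assumed placeholder; the real user2user OID is defined in
# draft-swift-win2k-krb-user2user and is not reproduced here.
U2U_OID_PLACEHOLDER = "1.2.3.4.5.6.7"


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One DER TLV with a single-byte tag."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    """Decode the value octets of an OBJECT IDENTIFIER (first arc 0/1/2 under 80)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def tlv(data, pos=0):
    """Parse one TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(body):
    """All top-level (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out


def build_initial_context_token(mech_oid, inner):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { OID, inner token }."""
    return der(0x60, encode_oid(mech_oid) + inner)


def build_neg_token_init(mech_types, mech_token):
    """SPNEGO NegTokenInit with mechTypes [0] and mechToken [2], wrapped as
    an InitialContextToken under the SPNEGO OID."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_types))
    neg = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, neg))


def inspect_neg_token_init(token):
    """Return (advertised mechTypes, OID inside the mechToken or None)."""
    tag, body, _ = tlv(token)
    if tag != 0x60:
        raise ValueError("not an InitialContextToken")
    _, oid_body, pos = tlv(body)
    if decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    _, neg_body, _ = tlv(body, pos)      # [0] NegTokenInit
    _, seq_body, _ = tlv(neg_body)       # SEQUENCE
    mech_types, mech_token_oid = [], None
    for tag, val in children(seq_body):
        if tag == 0xA0:                  # mechTypes: SEQUENCE OF OID
            _, lst, _ = tlv(val)
            mech_types = [decode_oid(v) for _, v in children(lst)]
        elif tag == 0xA2:                # mechToken: OCTET STRING
            _, mech_token, _ = tlv(val)
            if mech_token[:1] == b"\x60":   # framed inner token
                _, inner, _ = tlv(mech_token)
                _, inner_oid, _ = tlv(inner)
                mech_token_oid = decode_oid(inner_oid)
    return mech_types, mech_token_oid


def mech_token_matches_advertised(mech_types, mech_token_oid):
    """True when the inner token's OID is one the initiator advertised."""
    return mech_token_oid in mech_types


# Constructed sample: mechTypes advertise mskrb5 and krb5, but the mechToken
# is framed with the (placeholder) user2user OID.
SAMPLE_TOKEN = build_neg_token_init(
    [MSKRB5_OID, KRB5_OID],
    build_initial_context_token(U2U_OID_PLACEHOLDER, b"\x01\x00"))

if __name__ == "__main__":
    types, inner = inspect_neg_token_init(SAMPLE_TOKEN)
    print("advertised:", types)
    print("mechToken OID:", inner)
    print("consistent:", mech_token_matches_advertised(types, inner))
```

A negotiation layer that dispatches purely on mechTypes would route this token to the krb5 mechanism, which is the situation the thread describes; checking the inner OID of the mechToken before dispatch is what lets a mechanism notice that a user2user exchange is being requested under a krb5 OID.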
Idan Freiberg
2017-02-06 06:50:02 UTC
It turns out that MS SSPs can support extra mech OIDs and one can get them
through SpGetExtendedInformation(SecpkgExtraOids, ...)
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa380167(v=vs.85).aspx>.
I think the MS Negotiate package takes the extra mech OIDs into consideration as
well.
Post by Idan Freiberg
Just to make it clear, the user2user MechToken inside the NegoTokenInit
has the OID from the draft-swift-win2k-krb-user2user RFC draft.
--
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2 72B3 8AD3 2D04 337B 1F18