[37052] in Kerberos


Re: Differentiate the ServiceTicket issued from Kinit vs PKinit

daemon@ATHENA.MIT.EDU (Jim Shi)
Wed Jun 3 00:32:16 2015

MIME-version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Jim Shi <hanmao_shi@apple.com>
In-reply-to: <1433299000.3020.13.camel@willson.usersys.redhat.com>
Date: Tue, 02 Jun 2015 21:29:45 -0700
Message-id: <2E336DDC-0111-4BF1-83BC-3668E2910D10@apple.com>
To: Simo Sorce <simo@redhat.com>
Cc: Aravind Jerubandi <aravind.jerubandi@gmail.com>,
        Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


>> We sort-of do this, but it may not directly be applicable.
>> 
>> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular
>> policy OID is found in the client certificate (in our case, the policy
>> OID we check for is if the certificate comes from a smartcard, so the
>> use of HW-AUTH is appropriate).  Flags set in a TGT get propagated to
>> service tickets, so we have code on application servers that checks to see
>> if the HW-AUTH flag exists for service tickets to make authorization
>> decisions.


Hi, Simo,
  Does this require modifying the MIT KDC source code?

Thanks
Jim





> On Jun 2, 2015, at 7:36 PM, Simo Sorce <simo@redhat.com> wrote:
> 
> On Tue, 2015-06-02 at 21:11 -0400, Ken Hornstein wrote:
>>> Today we use password-based authentication (kinit), and we want to
>>> introduce PKinit. But while validating the ServiceTicket we would like to know
>>> whether the service ticket was issued through Kinit or PKinit.
>>> 
>>> Is there a way to find this?
>> 
>> We sort-of do this, but it may not directly be applicable.
>> 
>> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular
>> policy OID is found in the client certificate (in our case, the policy
>> OID we check for is if the certificate comes from a smartcard, so the
>> use of HW-AUTH is appropriate).  Flags set in a TGT get propagated to
>> service tickets, so we have code on application servers that checks to see
>> if the HW-AUTH flag exists for service tickets to make authorization
>> decisions.
>> 
>> So, you could do that (if your client-side certificate is issued from
>> a hardware device), or overload the HW-AUTH flag.  Checking that on the
>> application server side is easy.
>> 
>> But ... if you don't want to do that, you MAY be able to check the service
>> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
>> glance suggests to me that MIT Kerberos doesn't generate that data, but
>> I could be wrong about that).  That would require further investigation.
> 
> There is work to actually provide this kind of information here:
> https://tools.ietf.org/html/draft-ietf-kitten-krb-auth-indicator-00
> 
> Hopefully this will be approved soon, implementation is underway.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

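As an added illustration of the application-server check Ken describes above (example code, not from the thread, MIT krb5 or Red Hat), here is Python that decodes the RFC 4120 TicketFlags BIT STRING from a decrypted EncTicketPart and applies an HW-AUTH or AD-INITIAL-VERIFIED-CAS policy; the function names and the sample flag bytes are constructed.

```python
# Constructed example: a service deciding authorization from the flags a
# KDC propagated into a service ticket (RFC 4120 TicketFlags) and from
# AD-INITIAL-VERIFIED-CAS authorization data (RFC 4556, ad-type 9).
# Helper names are hypothetical; the byte strings are hand-built, not real tickets.

# RFC 4120 section 5.3.1 bit positions; bit 0 is the MSB of the first octet,
# so hw-authent (bit 11) is 0x10 in the second octet (MIT TKT_FLG_HW_AUTH).
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}
AD_INITIAL_VERIFIED_CAS = 9  # ad-type assigned by RFC 4556

def decode_ticket_flags(der: bytes) -> set:
    """Decode a DER BIT STRING carrying KerberosFlags into a set of flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, bits = der[2], der[3:]
    total_bits = len(bits) * 8 - unused
    if total_bits < 32:  # KerberosFlags ::= BIT STRING (SIZE (32..MAX))
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return {name for name, pos in TICKET_FLAG_BITS.items()
            if pos < total_bits and bits[pos // 8] & (0x80 >> (pos % 8))}

def authorize(flags_der: bytes, authz_data: list, require_hw: bool) -> bool:
    """Grant only when the ticket shows PKINIT/smartcard provenance.
    authz_data is a list of (ad-type, contents) pairs taken from the ticket;
    a real deployment must also look inside AD-IF-RELEVANT wrappers."""
    flags = decode_ticket_flags(flags_der)
    if "invalid" in flags:
        return False
    if require_hw:  # the HW-AUTH policy described on the list
        return "hw-authent" in flags
    has_cas = any(ad_type == AD_INITIAL_VERIFIED_CAS for ad_type, _ in authz_data)
    return has_cas or "hw-authent" in flags

# Constructed samples: 32-bit flag strings, no unused bits.
# Smartcard PKINIT ticket: forwardable, renewable, initial, pre-authent, hw-authent
HW_TICKET_FLAGS = bytes.fromhex("03 05 00 40 F0 00 00")
# Password kinit ticket: forwardable, renewable, initial, pre-authent
PW_TICKET_FLAGS = bytes.fromhex("03 05 00 40 E0 00 00")
```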
