[37058] in Kerberos
Re: Differentiate the ServiceTicket issued from Kinit vs PKinit
daemon@ATHENA.MIT.EDU (Aravind Jerubandi)
Wed Jun 3 12:03:02 2015
MIME-Version: 1.0
In-Reply-To: <201506030111.t531B7OL017264@hedwig.cmf.nrl.navy.mil>
Date: Tue, 2 Jun 2015 23:20:23 -0700
Message-ID: <CAFiFpnnHTYGEpRGFOO2PUJ6g9gf8L9DvmXj9idU3esdwu_hbEA@mail.gmail.com>
From: Aravind Jerubandi <aravind.jerubandi@gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Ken,
Thanks for your response. This really helps.
*Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a
particular policy OID is found in the client certificate (in our
case, the policy OID we check for is if the certificate comes from
a smartcard, so the use of HW-AUTH is appropriate). *
Does this mean the client certificate should have the policy :
1.3.6.1.4.1.311.20.2.2
(Smart Card Logon)?
Is it only the client certificate or CA cert should also have this policy?
On Tue, Jun 2, 2015 at 6:11 PM, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> > Today we use password based authentication (kinit). And we want to
> > introduce PKinit. But while validating ServiceTicket we would like to
> know
> > if the service ticket issued through Kinit to PKinit
> >
> > Is there a way to find this?
>
> We sort-of do this, but it may not directly be applicable.
>
> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a
> particular
> policy OID is found in the client certificate (in our case, the policy
> OID we check for is if the certificate comes from a smartcard, so the
> use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
> service tickets, so we have code on application servers that checks to see
> if the HW-AUTH flag exists for service tickets to make authorization
> decisions.
>
> So, you could do that (if your client-side certificates is issued from
> a hardware device), or overload the HW-AUTH flag. Checking that on the
> application server side is easy.
>
> But ... if you don't want to do that, you MAY be able to check the service
> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
> glance suggests to me that MIT Kerberos doesn't generate that data, but
> I could be wrong about that). That would require further investigation.
>
> --Ken
>
--
Thanks & Regards,
J.Aravind
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
