[38610] in Kerberos


Using ms2mit...risks?

daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Tue Sep 17 08:31:52 2019

From: John Devitofranceschi <foonon@gmail.com>
Message-ID: <23833497-2183-42C9-BA10-98A2E337918E@gmail.com>
Date: Tue, 17 Sep 2019 08:31:32 -0400
To: kerberos@mit.edu

What are the risks of using ms2mit to create an API: ccache?  What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?

I’m interested in setting up ssh ticket forwarding with PuTTY + the MIT gss DLL provided by KfW (4.1) without having to deal with setting unconstrained delegation trusts on the target hosts’ AD objects.  It seems that using Kerberos for Windows with an API: ccache allows me to accomplish this, but now I’m concerned that I may be opening myself up to potential client-side risks which I will need to document and manage somehow.

I’ve searched the mailing list archives about this, but mostly the discussions are about getting things to work vs. the potential consequences once they do.

Any pointers appreciated.



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
