[39510] in Kerberos
IAKERB Starter Credentials Solution
daemon@ATHENA.MIT.EDU (Michael B Allen)
Sat Apr 26 10:39:31 2025
From: Michael B Allen <ioplex@gmail.com>
Date: Sat, 26 Apr 2025 10:39:02 -0400
Message-ID: <CAGMFw4jy=ceiETpLu9Aa1W0TYnjHedW3DMx7fss4XFrD-HzN=w@mail.gmail.com>
To: kerberos <kerberos@mit.edu>
I'm drilling down into IAKERB right now and I had a thought ...
Unlike regular Kerberos where the initiator has a ticket from the ccache
already acquired in a separate authentication step, IAKERB needs "starter"
credentials like a principal name and plaintext password.
So how does an IAKERB initiator get the client principal name and password?
One method might be to invoke a callback from within gss_init_sec_context
that would trigger the user to be prompted for plaintext creds.
While this is closer to what I think is ideal, in practice, the
implementation is non-trivial.
Another method would be to modify kinit to optionally authenticate with an
IAKERB-aware service and cache the resulting TGT in the usual way.
More specifically, add an option to krb5.conf like:
[libdefaults]
iakerb_idp = https://idp1.mega.corp/do/iakerb
Now run kinit as usual which uses the supplied plaintext creds to do
Negotiate auth with the specified URL and stuff the acquired TGT into the
ccache.
Now IAKERB can init elsewhere without starter creds or problematic
prompting.
Although, the current MIT Kerberos code is not quite right for this because
it seems SPNEGO can't use IAKERB as a submech and there would need to be a
callback in iakerb_gss_init_sec_context to reach back into kinit and pickup
the plaintext creds.
Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos