[39585] in Kerberos
interested in discussing some Kerberos improvements
daemon@ATHENA.MIT.EDU (Geoffrey Thorpe)
Fri Mar 20 23:13:34 2026
MIME-Version: 1.0
From: Geoffrey Thorpe <geoff@geoffthorpe.net>
Date: Fri, 20 Mar 2026 23:12:56 -0400
Message-ID: <CAH2n15zygW0KP4p5m+5JD40Js_QFbG-t45jGhHtABsZoDXSnCw@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi there
I wasn't sure if this was more suited to the krbdev list, but I decided to
start here first. Please advise if this belongs elsewhere.
In a former life, I worked with some folks involved in the heimdal project
and I have built up a project on top of some interesting heimdal
developments. However heimdal does not seem to be getting much love anymore
and I would like to migrate all this to MIT kerberos, if possible. The
project is "HCP", which stands for Host Cryptographic Provisioning.
https://github.com/geoffthorpe/newhcp
The project's initial goal/feature is to use TPMs (including orchestration
of software TPM instances, where appropriate) to provide an
enrollment-based attestation framework. A second goal/feature is to provide
container-based tooling to automate the bring-up and networking of a sample
"fleet" of hosts, including the attestation services and some sample
hosts/workloads whose credentials are bootstrapped and maintained over time
using the attestation framework.
Then there's the third goal/feature - a workflow demonstrating
Kerberos-based services and clients, where all orchestration is PKI-based
(distributed via the attestation framework). I.e. where there's no need to
maintain user and service principals on the KDCs, that's the point. This
also assumes that both the PKI and kerberos layers rotate keys/versions
over time. The currently-implemented workflow demonstrates ssh and nfsv4
running on top of the kerberos layer.
More here on the kerberos specifics:
https://github.com/geoffthorpe/newhcp/blob/main/doc/stateless-kdc.md
Among the things that I'm currently depending on in heimdal that might be
different or missing in the MIT codebase are:
* "namespace principals" - these are essentially wildcard principals
registered with the KDC that support a derivation mechanism for determining
the service keys for any given principal within the namespace scope and for
any given time (the kvno is determined from the time). I.e. no need to
register service principals with the KDC, just a small set of namespace
principals that encompass the FQDNs of all expected service principals.
* "synthetic principals" - this is the capability of the KDC to issue TGTs
for arbitrary principals, as extracted from the x509v3 certificate used in
pkinit.
* a persistent, PKI-based kinit - i.e. where an instance of kinit ("kinit
-C" in heimdal) will automatically renegotiate and update tickets over time
to respect the key-rotation period, and will reread the x509v3 cred each
time (so that any updates to the local PKI cred also get picked up).
* a "kadmin ext_keytab" enhancement that supports namespace principals.
I.e. at any given time, it will export a keytab with the kvnos that
are currently relevant (including any kvnos that might still be in
circulation and valid, as well as any kvnos that are going to become valid
within a configurable window of time).
I first took a brief look at migrating this whole system and workflow over
to MIT kerberos some time ago, and I very quickly hit the skids. I've had
to shelve that for a while but I'm keen to try again. I'm wondering if
anyone with more familiarity with the MIT tools and code might be
interested in collaborating?
Feedback welcome, thanks,
Geoff
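The mechanism the post describes (kvno derived from the time, service keys derived per principal from a namespace key, and an `ext_keytab`-style export that carries every kvno still in circulation plus those about to become valid), as an added illustrative example that is not code from Heimdal, MIT Kerberos or the HCP project. The rotation period, epoch, HMAC-SHA256 derivation and the `svc/.domain` wildcard syntax are constructed assumptions, and realm suffixes are omitted.

```python
import hashlib
import hmac

# Constructed parameters for the example; not Heimdal's or MIT's real
# namespace-principal syntax, KDF or keytab encoding.
ROTATION_PERIOD = 7 * 24 * 3600   # one kvno per week
EPOCH = 1_700_000_000             # time at which BASE_KVNO came into force
BASE_KVNO = 1

def kvno_at(t):
    """kvno in force at Unix time t, derived from the time alone."""
    if t < EPOCH:
        raise ValueError("time predates the namespace epoch")
    return BASE_KVNO + (t - EPOCH) // ROTATION_PERIOD

def in_namespace(principal, namespace):
    """Wildcard check: 'nfs/.example.test' covers 'nfs/anyhost.example.test'.
    Illustrative matching rule, not the real namespace-principal syntax."""
    svc, _, suffix = namespace.partition("/")
    p_svc, _, host = principal.partition("/")
    return p_svc == svc and host.endswith(suffix) and host != suffix

def derive_service_key(namespace_key, principal, kvno):
    """Long-term key for (principal, kvno), derived from the namespace key so
    the KDC stores no per-host keys. Illustrative HMAC-SHA256, not the KDF
    Heimdal actually uses."""
    info = f"{principal}|{kvno}".encode()
    return hmac.new(namespace_key, info, hashlib.sha256).digest()

def relevant_kvnos(now, max_ticket_life, lookahead):
    """kvnos a keytab must hold at `now`: every kvno under which a still-valid
    ticket may have been issued, plus those that become current within
    `lookahead` seconds so a pre-rotation export keeps working."""
    first = kvno_at(max(now - max_ticket_life, EPOCH))
    last = kvno_at(now + lookahead)
    return list(range(first, last + 1))

def export_keytab(namespace_key, namespace, principal, now,
                  max_ticket_life=86400, lookahead=3600):
    """What a namespace-aware 'ext_keytab' would emit: {kvno: key}."""
    if not in_namespace(principal, namespace):
        raise ValueError(f"{principal} not covered by {namespace}")
    return {k: derive_service_key(namespace_key, principal, k)
            for k in relevant_kvnos(now, max_ticket_life, lookahead)}
```

A service that imports this keytab shortly before a rotation boundary already holds the next kvno, so tickets issued by the KDC on either side of the boundary decrypt without re-exporting.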
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos