[16715] in Kerberos_V5_Development


Re: Automatically randomizing principal keys (in preauth plugin)

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 23 13:42:19 2011

From: Greg Hudson <ghudson@mit.edu>
To: Yair Yarom <irush@cs.huji.ac.il>
In-Reply-To: <x8q7hbqcawx.fsf@mantis.cs.huji.ac.il>
Date: Wed, 23 Mar 2011 13:42:14 -0400
Message-ID: <1300902134.2337.21.camel@t410>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, 2011-03-23 at 07:51 -0400, Yair Yarom wrote:
> 1. Have the preauth plugin check if there's a key available, and if not
>    create a random one and insert it into the database. Is this
>    possible? If so how and where in the plugin should I do it?

I think it's possible, just by making krb5_db_* calls in the verify_proc
with the provided context.  It doesn't seem very clean, but I can't
think of a reason why it wouldn't work.

> 2. Have all users have the same static (random) key. Here the question
>    is how insecure is it? i.e. I force the use of my preauth plugin as
>    it's the only one installed that provides HW authentication
>    (allegedly). So is this key actually used anywhere?

I think you'd want to set the KRB5_KDB_DISALLOW_SVR flag on the user
principals so people couldn't print service tickets for them.  Beyond
that, I can't think of a risk, although that doesn't mean there isn't a
risk.

> Any other suggestion would be appreciated.

Depending on your deployment requirements, it might be possible to alter
the KDC to allow principals with no keys.  I think we would need to
create a new preauth plugin flag for "I don't need an input reply key"
to avoid incompatibilities with existing plugins.


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
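
Added example, not part of the original message or of the MIT krb5 sources: a shell audit for the KRB5_KDB_DISALLOW_SVR suggestion above, listing user principals that still lack the flag. It assumes input in the style of kadmin `getprinc` output (a `Principal:` line followed by an `Attributes:` line naming flags without the `KRB5_KDB_` prefix); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Report user principals whose attributes do not include DISALLOW_SVR.
# Assumption: stdin is concatenated getprinc-style text, one "Principal:"
# line per entry followed by its "Attributes:" line.
# Principals with an instance component (host/..., krbtgt/...) are skipped,
# because services must remain usable as ticket targets.
missing_disallow_svr() {
    awk '
        /^Principal:/ {
            # Flush the previous entry before starting a new one.
            if (name != "" && !ok) print name
            ok = 0
            if ($2 ~ /\//) name = ""   # service principal: not audited
            else name = $2
        }
        /^Attributes:/ {
            for (i = 2; i <= NF; i++)
                if ($i == "DISALLOW_SVR") ok = 1
        }
        END { if (name != "" && !ok) print name }
    '
}

# Constructed sample input (not real KDC output).
sample_getprinc_output() {
    cat <<'EOF'
Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Principal: bob@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Principal: host/web.example.com@EXAMPLE.COM
Attributes:
Principal: carol@EXAMPLE.COM
Attributes:
EOF
}

# Each principal printed here would need the flag set, which in kadmin
# is done with: modprinc -allow_svr <principal>
sample_getprinc_output | missing_disallow_svr
```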
