Projects/Anonymous pkinit

From K5Wiki
Revision as of 15:40, 4 January 2010

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on 01/11/2010.

Comments can be sent to krbdev@mit.edu.


The Anonymous Pkinit project is an implementation of anonymous pkinit from draft-ietf-krb-wg-anon-10. This project allows users to obtain Kerberos tickets even if they have no principal registered in a realm. Use cases include hiding identity of a user for privacy, using FAST without registering a host, or automated registration of hosts.


Functional Requirements

Anonymous tickets are tickets whose client principal is a special well-known principal name and realm. This principal never appears as the service principal of a ticket; it is only ever a client. The primary use case motivating this project now is support for using anonymous tickets in host registration. That means kadmin needs to support anonymous tickets, and kadmind needs to be able to apply ACLs to operations performed by anonymous principals.

The anonymous draft leaves it optional whether KDCs must have certificates when anonymous pkinit is used. However, if KDCs do not have certificates, authentication of the KDC becomes complicated. FAST permits an anonymous ticket obtained from an unauthenticated KDC to be used in some circumstances, but the authentication state then has to be tracked, because some FAST factors must not be used with an unauthenticated KDC. Most other uses of Kerberos are not appropriate with an unauthenticated KDC. So, supporting unauthenticated KDCs introduces significant code and policy complexity. It will not be included in this project but may be added in the future. Instead, this project implements support for anonymous clients using the traditional pkinit certificate verification rules: the KDC presents a certificate and the client verifies it as it would for any pkinit exchange.

The following is required:

  • Administrative configuration to permit a realm to issue anonymous tickets
  • API for requesting anonymous tickets
  • Command line switches for kadmin and kinit
  • GSS-API changes to support anonymous name type

Confirming Client and KDC Contribution

The anonymous draft requires that the client confirm that both the client and the KDC contributed to the TGS session key. In draft 10 this is accomplished by the KDC including a KDC contribution key in the reply and the client confirming that the TGS session key is the combination of the KDC contribution key and the reply key. This mechanism has been implemented.


KDC Changes

Authorization data minimization

A new flag on authdata plugins is added to indicate that the plugin supports anonymous processing. This flag is only set on the plugin that copies TGT authorization data and the one that copies request authorization data. Other plugins are skipped in anonymous mode.

Session keys

The KDC chooses the session key before pre-authentication plugins are given a chance to run. A pre-authentication plugin can replace the session key, but if the original session key has already been used by then, this may cause trouble. The only case where a pre-authentication plugin is likely to use the session key is when generating authorization data to be included in the issued ticket: if a PAC or AD-KDC-ISSUED element is generated, the session key is likely to be used (AD-KDC-ISSUED, for instance, carries a checksum made with it). However, anonymous processing trims out authorization data, so this is not an issue for anonymous. Also, the KDC-side preauth framework runs plugins that may replace the reply key before other plugins, so when pkinit succeeds it is always the first successful preauth plugin.

The pkinit plugin generates a PA_PKINIT_KX padata item so that the client can confirm both parties contributed to the session key.
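The derivation described in "Confirming Client and KDC Contribution" and the PA_PKINIT_KX check above, as an added example that is not MIT krb5 code: a Go model of both sides for aes128-cts-hmac-sha1-96, with KRB-FX-CF2 (RFC 6113) built from the RFC 3961/3962 n-fold, DK and PRF primitives so the combination is the real one rather than a stand-in. Assumptions, also marked in the code: the argument order and peppers of the combination are from RFC 8062 (which draft-ietf-krb-wg-anon became) as I recall them and should be verified against the RFC; the contribution key is handed to the client in the clear, where the real padata carries it encrypted in the reply key under key usage 44; the reply key in `main` is a constructed stand-in for the value the pkinit DH exchange would produce; and all function names are mine, not the plugin's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
)

// Assumed enctype: aes128-cts-hmac-sha1-96 (RFC 3962). 16-byte keys and blocks;
// random-to-key is the identity and PRF+ needs only one PRF output.
const keyLen = 16

// nfold is the n-fold function of RFC 3961 section 5.1: repeat the input, rotating each
// successive copy 13 bits right, until the length is a multiple of n, then add the
// n-byte chunks with ones'-complement (end-around carry) addition.
func nfold(in []byte, n int) []byte {
	inBits, one := uint(len(in)*8), big.NewInt(1)
	x := new(big.Int).SetBytes(in)
	inMask := new(big.Int).Sub(new(big.Int).Lsh(one, inBits), one)
	lcm := len(in)
	for lcm%n != 0 {
		lcm += len(in)
	}
	buf := make([]byte, 0, lcm)
	for i := 0; i < lcm/len(in); i++ {
		rot := uint(13*i) % inBits
		r := new(big.Int).Rsh(x, rot)
		r.Or(r, new(big.Int).Lsh(x, inBits-rot)).And(r, inMask)
		buf = append(buf, r.FillBytes(make([]byte, len(in)))...)
	}
	nBits := uint(n * 8)
	nMask := new(big.Int).Sub(new(big.Int).Lsh(one, nBits), one)
	sum := new(big.Int)
	for off := 0; off < lcm; off += n {
		sum.Add(sum, new(big.Int).SetBytes(buf[off:off+n]))
	}
	for sum.BitLen() > int(nBits) {
		carry := new(big.Int).Rsh(sum, nBits)
		sum.And(sum, nMask).Add(sum, carry)
	}
	return sum.FillBytes(make([]byte, n))
}

// aesBlock encrypts one block; for a single block the enctype's zero-IV CBC/CTS
// encryption is plain AES. Every key here is keyLen bytes, so NewCipher cannot fail.
func aesBlock(key, in []byte) []byte {
	c, _ := aes.NewCipher(key)
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out
}

// prf is the enctype PRF of RFC 3962 section 6: SHA-1 the input, truncate the hash to
// the block size, encrypt under DK(key, "prf"). DK (RFC 3961 section 5.1) n-folds the
// constant to one block and encrypts it with key; one block is the whole aes128 key.
func prf(key, in []byte) []byte {
	h := sha1.Sum(in)
	return aesBlock(aesBlock(key, nfold([]byte("prf"), aes.BlockSize)), h[:aes.BlockSize])
}

// cf2 is KRB-FX-CF2 of RFC 6113 section 5.1: PRF+(k1, pepper1) XOR PRF+(k2, pepper2),
// where PRF+ is the PRF over a 0x01 counter byte prefixed to the pepper (one output
// fills a 16-byte key). Neither key alone determines the result.
func cf2(k1 []byte, pepper1 string, k2 []byte, pepper2 string) []byte {
	a := prf(k1, append([]byte{1}, pepper1...))
	b := prf(k2, append([]byte{1}, pepper2...))
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// sessionKeyFor combines the reply key and the KDC contribution key. Argument order and
// peppers follow RFC 8062 as I recall it (assumption: verify before relying on it).
func sessionKeyFor(replyKey, contribution []byte) []byte {
	return cf2(replyKey, "PKINIT", contribution, "KEYEXCHANGE")
}

// kdcReturnPkinitKx models the KDC side of an anonymous AS-REQ: a fresh contribution key
// and the ticket session key derived from it and the reply key. The real PA-PKINIT-KX
// carries the contribution key encrypted in the reply key (key usage 44); it is in the
// clear here.
func kdcReturnPkinitKx(replyKey []byte) (contribution, session []byte) {
	contribution = make([]byte, keyLen)
	if _, err := rand.Read(contribution); err != nil {
		panic(err)
	}
	return contribution, sessionKeyFor(replyKey, contribution)
}

// clientCheckSessionKey is the client's check: recompute the combination from its own
// reply key and the decrypted contribution and compare it with the session key in the
// EncASRepPart. On mismatch the client must reject the reply.
func clientCheckSessionKey(replyKey, contribution, ticketSession []byte) bool {
	return bytes.Equal(sessionKeyFor(replyKey, contribution), ticketSession)
}

func main() {
	replyKey := bytes.Repeat([]byte{0x42}, keyLen) // constructed stand-in for the DH reply key
	contribution, session := kdcReturnPkinitKx(replyKey)
	fmt.Println("derived session key accepted:", clientCheckSessionKey(replyKey, contribution, session))
	fmt.Println("reply key reused as session key:", clientCheckSessionKey(replyKey, contribution, replyKey))
}
```

The n-fold reproduces the RFC 3961 Appendix A.1 vector 64-fold("012345") = be072631276b1955, which is the easiest way to catch a wrong rotation direction or a missing end-around carry. The second line of `main` shows the failure mode the check exists for: a KDC that hands back the reply key, or any key not derived from both contributions, fails the client's comparison and the reply is rejected.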

Enabling anonymous

Anonymous authentication is supported in a realm if the WELLKNOWN/ANONYMOUS@REALM principal exists. Nothing special prevents changing the password of this principal. As a result, an attacker who can change its password could then perform anonymous authentication with that password, without using pkinit at all. The ability to change this principal's password therefore needs to be controlled as tightly as any other credential that grants access to the realm.

Pkinit Changes

  • Client side: detect when anonymous is being used, do not require a client key or certificate, and send the request unsigned
  • KDC side: if anonymous tickets are requested, do not require the client's SignedData to carry a signature

Library Changes

  • Extend transited realm checking to deal with anonymous principals
  • Add GIC support for obtaining anonymous principals if the anonymous principal is the client

A new API, krb5_get_init_creds_opt_set_anonymous, is added to set the anonymous option. If it is turned on, principals of the form @REALM (an empty name followed by a realm) are mapped to the well-known anonymous principal in that realm. In addition, WELLKNOWN/ANONYMOUS@REALM is always treated as an anonymous authentication, whether or not the option is set.

The canonicalization logic is expanded to permit any realm to be mapped to the anonymous realm when fully anonymous authentication is in use.
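The client-side mapping and the relaxed canonicalization rule described in this section, as an added example that is not libkrb5 code: a Go model of how a request principal is derived from the name and the anonymous option, and of the check a client should apply to the client principal the KDC returns, so that an anonymous identity is only accepted when one was asked for. Assumptions, also marked in the code: the anonymous principal and realm names WELLKNOWN/ANONYMOUS and WELLKNOWN:ANONYMOUS are those of the anonymity draft (later RFC 8062); "fully anonymous" is taken to mean the request client is the anonymous principal, while a named principal sent under the anonymous option asks for a realm-exposed ticket whose realm must be kept; the minimal principal parser ignores backslash escapes; and the type and function names are mine.

```go
package main

import (
	"errors"
	"strings"
)

// Names fixed by the anonymity draft (later RFC 8062).
const (
	anonymousName  = "WELLKNOWN/ANONYMOUS"
	anonymousRealm = "WELLKNOWN:ANONYMOUS"
)

// Principal is a Kerberos principal split into name and realm. Backslash escapes
// ("\@", "\/") are not handled; enough for the names used here.
type Principal struct {
	Name  string
	Realm string
}

func parsePrincipal(s string) (Principal, error) {
	at := strings.LastIndexByte(s, '@')
	if at < 0 || at == len(s)-1 {
		return Principal{}, errors.New("principal must carry a realm")
	}
	return Principal{Name: s[:at], Realm: s[at+1:]}, nil
}

func (p Principal) String() string { return p.Name + "@" + p.Realm }

// AnonymousRequest is what the client sends in the AS-REQ and how it expects the KDC
// to be allowed to answer.
type AnonymousRequest struct {
	Client         Principal // client principal placed in the request
	Anonymous      bool      // anonymous processing requested
	FullyAnonymous bool      // the KDC may canonicalize the realm to the anonymous realm
}

// requestFor applies the client-side mapping (assumed semantics, see lead-in): under
// the anonymous option "@REALM" becomes WELLKNOWN/ANONYMOUS@REALM, a named principal asks
// for a realm-exposed ticket, and WELLKNOWN/ANONYMOUS@REALM is anonymous regardless of
// the option.
func requestFor(name string, anonymousOpt bool) (AnonymousRequest, error) {
	p, err := parsePrincipal(name)
	if err != nil {
		return AnonymousRequest{}, err
	}
	switch {
	case anonymousOpt && p.Name == "":
		p.Name = anonymousName
	case !anonymousOpt && p.Name != anonymousName:
		return AnonymousRequest{Client: p}, nil
	}
	return AnonymousRequest{Client: p, Anonymous: true, FullyAnonymous: p.Name == anonymousName}, nil
}

// replyClientAcceptable is the check applied to the client principal in the KDC reply.
// An ordinary request must get its own principal back; a realm-exposed anonymous request
// may have its name replaced but not its realm; only a fully anonymous request may have
// its realm canonicalized to the anonymous realm. Anything else, including an anonymous
// principal in the reply to a non-anonymous request, is rejected.
func replyClientAcceptable(req AnonymousRequest, reply Principal) bool {
	if reply == req.Client {
		return true
	}
	if !req.Anonymous || reply.Name != anonymousName {
		return false
	}
	if reply.Realm == req.Client.Realm {
		return true // realm-exposed: name replaced, realm kept
	}
	return req.FullyAnonymous && reply.Realm == anonymousRealm
}

func main() {
	req, _ := requestFor("@EXAMPLE.COM", true) // constructed input: kinit -n @EXAMPLE.COM
	println(req.Client.String(), replyClientAcceptable(req, Principal{Name: anonymousName, Realm: anonymousRealm}))
}
```

The last return is the only path on which a realm change is tolerated, which is exactly the scope of the expanded canonicalization rule; a KDC that answers a realm-exposed or non-anonymous request with the anonymous realm, or with some third realm, is refused.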


GSS-API Changes

  • Display the anonymous principal name as GSS_NT_ANONYMOUS
  • In this version GSS-API will be able to use existing anonymous credentials but will not be able to obtain credentials on its own. The main problem with obtaining credentials is selection of a realm to contact.

Kadmin Changes

  • Add command line flag for requesting anonymous credentials
  • ACL handling requires no changes