The Anonymous Pkinit project is an implementation of anonymous pkinit from draft-ietf-krb-wg-anon-10. This project allows users to obtain Kerberos tickets even if they have no principal registered in a realm. Use cases include hiding identity of a user for privacy, using FAST without registering a host, or automated registration of hosts.
anonymous tickets are tickets with a special well-known realm and principal name for the client principal. This principal will never appear in the service principal. The primary use case that motivates this project now is support for using anonymous tickets in host registration. That means that kadmin needs to support anonymous tickets and that kadmind needs to be able to ACL operations to anonymous principals.
The anonymous draft makes it optional whether KDCs are required to have certificates when anonymous pkinit is used. However if KDCs do not have certificates, authentication of KDCs becomes complicated. FAST permits an anonymous ticket corresponding to an unauthenticated KDC to be used in some circumstances. However authentication state needs to be maintained because some fast factors should not be used with an unauthenticated KDC. Most other uses of Kerberos are not appropriate with an anonymous KDC. So, implementing unauthenticated KDCs introduces significant code and policy complexity. It will not be included in this project but may be added in the future. Instead, for this project, we will implement support for anonymous clients using the traditional pkinit certificate verification rules.
The following is required:
- Administrative configuration to permit a realm to issue anonymous tickets
- API for requesting anonymous tickets
- Command line switches for kadmin and kinit
- GSS-API changes to support anonymous name type
Confirming Client and KDC Contribution
The anonymous draft requires that the client confirm that both the client and KDC contributed to the TGS session key. In draft 10 this is accomplished by including a KDC contribution key and confirming that the TGS session key is the combination of the KDC contribution key and the reply key. Discussion in the working group may simplify this procedure somewhat.
Regardless, the KDC does not currently have a mechanism for a pre-authentication plugin to influence the session key that is chosen. There are two approaches:
- Add support for this behavior to the main body of the KDC
- Add support for a more general mechanism for plugins to frob the session key
While the first approach does involve the main body of the KDC learning a bit about anonymous pkinit, it is probably desirable because it will be less complex and because it will avoid other plugins affecting critical security parameters.
- Implement authorization data minimization for anonymous requests
- Add support for anonymous principal
- Add config option to enable anonymous for a realm
- Handle session key derivation
- Detect when anonymous is being used in the client and do not require key or sign the request
- Verify session key form
- KDC side: if anonymous tickets are requested don't require signed data to be signed
- Give KDC information it needs to construct session key
- Extend transited realm checking to deal with anonymous principals
- Add GIC support for obtaining anonymous principals if the anonymous principal is the client
- Display the anonymous principal name as GSS_NT_ANONYMOUS
- In this version GSS-API will be able to use existing anonymous credentials but will not be able to obtain credentials on its own. The main problem with obtaining credentials is selection of a realm to contact.
- Add command line flag for requesting anonymous credentials
- ACL handling requires no changes
- Handle session key derivation
- Handle transited policy checking
- Kadmin deals poorly with the realm changing from what is requested
- Kadmin command line flag