logo_kerberos.gif

Difference between revisions of "Projects/SignedPathNamingExts"

From K5Wiki
Jump to: navigation, search
(Status)
 
Line 21: Line 21:
 
==Status==
 
==Status==
   
Code is in the [http://src.mit.edu/fisheye/browse/krb5/users/lhoward/iakerb users/lhoward/signedpath-naming-exts branch].
+
Code is in the [http://src.mit.edu/fisheye/browse/krb5/users/lhoward/signedpath-naming-exts users/lhoward/signedpath-naming-exts branch].

Latest revision as of 05:57, 9 May 2010

This project was completed in release 1.9.


Background

Implement a mechanism for exposing the constrained delegation path via GSS naming extensions.

Architecture

Implementation

A new authorization data naming extensions backend is added in src/lib/krb5/krb/s4u_authdata.c. This maps the "delegated" member of krb5_ad_signedpath (KRB5_AUTHDATA_SIGNTICKET) to the urn:constrained-delegation:transited-services attribute.

No support for the transited services encoding in [MS-PAC] is yet provided, because that would require an NDR interpreter within the krb5 runtime. This would be more suitably implemented as a third-party plugin.

Open issues

It's impossible to mark this attribute as authenticated because the delegation path is signed with the TGS key, which the GSS acceptor does not have. A KDC that supports KRB5_AUTHDATA_SIGNTICKET will reject such user-submitted authorization data, but the acceptor has no in-band knowledge of what kind of KDC issued the ticket.

Interestingly this would not be an issue with the [MS-PAC] delegation path, because it is also signed with the acceptor key.

Status

Code is in the users/lhoward/signedpath-naming-exts branch.