Projects/KDC TGS Policy plugin
This project implements a plugin interface for the KDC that allows service ticket attributes to be modified based on the pre-authentication indicator carried in the TGT.
Problem
As an administrator I would like to be able to define the lifetime or other attributes of a service ticket based on the strength of the pre-authentication used. We have high value services that require 2FA and as an added precaution we want to ensure that these service tickets have a shorter lifetime/renew time, or a stronger session key type than the standard Kerberos ticket policy.
For example:
- User A got a TGT with password authentication and asks for a TGS for service fileserver@REALM; the returned ticket has a 30-minute lifetime
- User B got a TGT with 2FA authentication and asks for a TGS for service fileserver@REALM; the returned ticket has a 2-hour lifetime
- User C got a TGT with PKINIT and asks for a TGS for service fileserver@REALM; the returned ticket has an 8-hour lifetime
Design
A plugin interface used during process_tgs_req(), separately from the KDB check_policy_tgs, that will accept an indicator and server entry and output a ticket lifetime (renew time?) and/or session key etype. The resulting ticket lifetime can be no longer than the entry max_life (or header ticket lifetime) and the etype can be no weaker than the normally allowed etype.
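As an added illustration of the bounds described above (example code, not part of krb5 or this project), the following C model maps indicators to a lifetime and then applies the two limits: never longer than the entry's max_life or the header ticket's remaining lifetime, and never a weaker session key etype than the KDC would normally pick. The indicator names, the rule table and the etype strength ranking are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical policy table: auth indicator -> ticket lifetime (seconds).
 * Indicator names are constructed for this example, not krb5's. */
typedef struct { const char *indicator; int32_t lifetime; } policy_rule;
static const policy_rule rules[] = {
    { "password", 30 * 60 },   /* 30 minutes */
    { "otp",      2 * 3600 },  /* 2 hours (2FA) */
    { "pkinit",   8 * 3600 },  /* 8 hours */
};

/* A TGT may carry several indicators; grant the longest lifetime any of
 * them allows. Returns -1 when none match so the caller keeps default policy. */
int32_t policy_lifetime(const char *const *indicators, size_t n)
{
    int32_t best = -1;
    for (size_t i = 0; i < n; i++)
        for (size_t r = 0; r < sizeof(rules) / sizeof(rules[0]); r++)
            if (strcmp(indicators[i], rules[r].indicator) == 0 &&
                rules[r].lifetime > best)
                best = rules[r].lifetime;
    return best;
}

/* The plugin result may only tighten policy: it can never exceed the server
 * entry's max_life nor the header ticket's remaining lifetime. */
int32_t bound_lifetime(int32_t policy, int32_t server_max_life,
                       int32_t header_remaining)
{
    int32_t life = policy < 0 ? server_max_life : policy;
    if (life > server_max_life) life = server_max_life;
    if (life > header_remaining) life = header_remaining;
    return life;
}

/* Session key etype: policy may raise strength but never lower it below the
 * etype the KDC would normally choose. This ranking is the example's own. */
typedef struct { int32_t etype; int rank; } etype_rank;
static const etype_rank ranks[] = { { 23, 1 }, { 17, 2 }, { 18, 3 } };
static int rank_of(int32_t etype)
{
    for (size_t i = 0; i < sizeof(ranks) / sizeof(ranks[0]); i++)
        if (ranks[i].etype == etype) return ranks[i].rank;
    return 0; /* unknown etype: treat as weakest so it is never chosen */
}
int32_t bound_etype(int32_t policy_etype, int32_t default_etype)
{
    return rank_of(policy_etype) > rank_of(default_etype) ? policy_etype
                                                          : default_etype;
}
```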
Open questions and Misc
- http://mailman.mit.edu/pipermail/krbdev/2016-September/012664.html