Difference between revisions of "Projects/Anonymous pkinit"

From K5Wiki
(New page: {{project-early}} The ''Anonymous Pkinit'' project is an implementation of anonymous pkinit from {{idref|draft-ietf-krb-wg-anon-10}}. This project allows users to obtain Kerberos tickets...)
 
(update progress)
Line 57: Line 57:
   
 
* Extend transited realm checking to deal with anonymous principals
 
* Extend transited realm checking to deal with anonymous principals
* Add GIC support for obtaining anonymous principals
+
* Add GIC support for obtaining anonymous principals if the anonymous principal is the client
* Add convenience API for obtaining anonymous principals
+
   
 
== GSS-API Changes ==
 
== GSS-API Changes ==
   
 
* Display the anonymous principal name as GSS_NT_ANONYMOUS
 
* Display the anonymous principal name as GSS_NT_ANONYMOUS
* Add support for obtaining anonymous credentials and anonymous context establishment
 
  +
* In this version GSS-API will be able to use existing anonymous credentials but will not be able to obtain credentials on its own. The main problem with obtaining credentials is selection of a realm to contact.
   
 
== Kadmin Changes ==
 
== Kadmin Changes ==
   
 
* Add command line flag for requesting anonymous credentials
 
* Add command line flag for requesting anonymous credentials
* confirm ACL handling can work with anonymous
+
* ACL handling requires no changes
  +
  +
== Still Todo ==
  +
  +
* Handle session key derivation
  +
* Handle transited policy checking
  +
* Kadmin deals poorly with the realm changing from what is requested
  +
* Kadmin command line flag
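Review bot: "Kadmin command line flag" in the new Still Todo list overlaps with "Add command line flag for requesting anonymous credentials", which stays unchanged under Kadmin Changes, so the page lists the same work item twice without saying which entry tracks its status; keep it in one place or mark the Kadmin Changes entry as pending. The replacement of "confirm ACL handling can work with anonymous" by "ACL handling requires no changes" would also benefit from one sentence on how that was confirmed.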

Revision as of 15:51, 21 December 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


The Anonymous Pkinit project is an implementation of anonymous pkinit from draft-ietf-krb-wg-anon-10. This project allows users to obtain Kerberos tickets even if they have no principal registered in a realm. Use cases include hiding the identity of a user for privacy, using FAST without registering a host, and automated registration of hosts.

Functional Requirements

Anonymous tickets are tickets with a special well-known realm and principal name for the client principal. This principal will never appear as the service principal. The primary use case that motivates this project now is support for using anonymous tickets in host registration. That means that kadmin needs to support anonymous tickets and that kadmind needs to be able to apply ACLs to operations by anonymous principals.

The anonymous draft makes it optional whether KDCs are required to have certificates when anonymous pkinit is used. However, if KDCs do not have certificates, authentication of KDCs becomes complicated. FAST permits an anonymous ticket corresponding to an unauthenticated KDC to be used in some circumstances. However, authentication state needs to be maintained because some FAST factors should not be used with an unauthenticated KDC. Most other uses of Kerberos are not appropriate with an anonymous KDC. So, implementing unauthenticated KDCs introduces significant code and policy complexity. It will not be included in this project but may be added in the future. Instead, for this project, we will implement support for anonymous clients using the traditional pkinit certificate verification rules.

The following is required:

  • Administrative configuration to permit a realm to issue anonymous tickets
  • API for requesting anonymous tickets
  • Command line switches for kadmin and kinit
  • GSS-API changes to support anonymous name type

Confirming Client and KDC Contribution

The anonymous draft requires that the client confirm that both the client and KDC contributed to the TGS session key. In draft 10 this is accomplished by including a KDC contribution key and confirming that the TGS session key is the combination of the KDC contribution key and the reply key. Discussion in the working group may simplify this procedure somewhat.

Regardless, the KDC does not currently have a mechanism for a pre-authentication plugin to influence the session key that is chosen. There are two approaches:

  • Add support for this behavior to the main body of the KDC
  • Add support for a more general mechanism for plugins to frob the session key

While the first approach does involve the main body of the KDC learning a bit about anonymous pkinit, it is probably desirable because it will be less complex and because it will avoid other plugins affecting critical security parameters.
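The client-side confirmation described in this section, as an added example (not code from MIT Kerberos or from the draft). It assumes the combination is KRB-FX-CF2 from RFC 6113 with the pepper strings "PKINIT" and "KEYEXCHANGE" used in the published RFC 6112, which may differ from draft 10, and it uses HMAC-SHA-256 as a stand-in for the enctype's pseudo-random function; the function names and sample keys are constructed for illustration.

```python
import hashlib
import hmac


def stand_in_prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the enctype's pseudo-random().
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, pepper: bytes, length: int) -> bytes:
    # RFC 6113 PRF+: PRF(key, 0x01 || pepper) || PRF(key, 0x02 || pepper) || ...
    # with surplus bytes dropped from the tail.
    out = b""
    counter = 1
    while len(out) < length:
        out += stand_in_prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:length]


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes,
               length: int) -> bytes:
    # XOR of the two PRF+ streams; random-to-key is treated as the identity.
    s1 = prf_plus(k1, pepper1, length)
    s2 = prf_plus(k2, pepper2, length)
    return bytes(a ^ b for a, b in zip(s1, s2))


def confirm_contribution(session_key: bytes, kdc_contribution_key: bytes,
                         reply_key: bytes) -> bool:
    # Fail closed if the KDC sent no contribution key or any input is empty.
    if not session_key or not kdc_contribution_key or not reply_key:
        return False
    expected = krb_fx_cf2(kdc_contribution_key, reply_key,
                          b"PKINIT", b"KEYEXCHANGE", len(session_key))
    # Constant-time comparison of the recomputed and received session keys.
    return hmac.compare_digest(expected, session_key)


# Constructed sample keys, not taken from any real exchange.
REPLY_KEY = bytes(range(32))
KDC_KEY = bytes(range(32, 64))
HONEST_SESSION = krb_fx_cf2(KDC_KEY, REPLY_KEY, b"PKINIT", b"KEYEXCHANGE", 32)

if __name__ == "__main__":
    print("honest KDC accepted:",
          confirm_contribution(HONEST_SESSION, KDC_KEY, REPLY_KEY))
    print("reply key reused as session key accepted:",
          confirm_contribution(REPLY_KEY, KDC_KEY, REPLY_KEY))
```

A session key that equals either input key, or that was derived with the two keys swapped, fails the check because each key is bound to its own pepper string.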

KDC Changes

  • Implement authorization data minimization for anonymous requests
  • Add support for anonymous principal
  • Add config option to enable anonymous for a realm
  • Handle session key derivation

Pkinit Changes

  • Detect when anonymous is being used in the client and do not require a key or sign the request
  • Verify session key form
  • KDC side: if anonymous tickets are requested, do not require the signed data to be signed
  • Give KDC information it needs to construct session key

Library Changes

  • Extend transited realm checking to deal with anonymous principals
  • Add GIC support for obtaining anonymous principals if the anonymous principal is the client


GSS-API Changes

  • Display the anonymous principal name as GSS_NT_ANONYMOUS
  • In this version GSS-API will be able to use existing anonymous credentials but will not be able to obtain credentials on its own. The main problem with obtaining credentials is selection of a realm to contact.

Kadmin Changes

  • Add command line flag for requesting anonymous credentials
  • ACL handling requires no changes

Still Todo

  • Handle session key derivation
  • Handle transited policy checking
  • Kadmin deals poorly with the realm changing from what is requested
  • Kadmin command line flag