From K5Wiki
< Projects
Revision as of 16:36, 23 October 2009 by Lukeh (talk | contribs) (Architecture)

Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Whilst we've had constrained delegation support in the KDC since 1.7, it has required a proprietary backend that supports validating the Windows PAC. This project provides a constrained delegation implementation that works without this requirement.


In constrained delegation, the service passes the KDC a ticket from a user it has authenticated. This "evidence" ticket is placed in the additional tickets field of the TGS-REQ: there is nothing preventing the service from forging this, because it knows its long-term key. To avoid this attack, Windows takes advantage of the fact the PAC is signed with the TGS long-term key: in the constrained delegation case, this is verified before proceeding.

Heimdal implements PAC-less constrained delegation by including an authorization data element containing a checksum over the client, authtime and delegation path with the TGS key. The ASN.1 encoding of this element is described below:


KRB5SignedPathPrincipals ::= SEQUENCE OF Principal

 -- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE {
           client[0]       Principal OPTIONAL,
           authtime[1]     KerberosTime,
           delegated[2]    Principals OPTIONAL,
           method_data[3]  METHOD-DATA OPTIONAL

KRB5SignedPath ::= SEQUENCE {
         -- DERcoded KRB5SignedPathData
         -- krbtgt key (etype), KeyUsage = XXX
         etype[0]        ENCTYPE,
         cksum[1]        Checksum,
         -- srvs delegated though
         delegated[2]    Principals OPTIONAL,
         method_data[3]  METHOD-DATA OPTIONAL

The checksum is over KRB5SignedPathData. KRB5SignedPath is wrapped in AD-IF-RELEVANT, because it does not need to be understood by application servers.



New types and encoders are added for the delegation path. There is no decoder for the delegation path data, because it is not sent over the wire.

typedef struct _krb5_ad_signedpath_data {
    krb5_enc_tkt_part enc_tkt_part;
    krb5_transited_service **delegated;
} krb5_ad_signedpath_data;

typedef struct _krb5_ad_signedpath {
    krb5_enctype enctype;
    krb5_checksum checksum;
    krb5_transited_service **delegated;
} krb5_ad_signedpath;

Note: krb5_ad_signedpath_data represents data to be checksummed, krb5_ad_signedpath is what is actually encoded and sent on the wire. The enctype field in the latter is a hint to which TGS key to use, but presently this is unused in our implementation.

Constants are added for the signed path AD type and the checksum key usage:

#define KRB5_KEYUSAGE_AD_SIGNEDPATH            -21

I have kept this aligned with Heimdal so that, when using the HDB bridge, a mixed realm of Heimdal and MIT KDCs should interoperate with constrained delegation.

The new API krb5int_get_authdata_containee_types() is added to return the authorization data types within an authdata container without completely decoding it.


Note: some changes were imported from the HDBBridge branch to speed implementation.

Changes are briefly summarised as follows:

  • We now correctly filter out known KDC issued AD elements when copying authorization data from the TGT. (This uses the krb5int_get_authdata_containee_types() API above.)
  • Because of the above fix, we can now separate the copying of TGT authdata from the propagation of KDB authdata. We previously relied on the backend to do this.
  • A new authdata handler, handle_signedpath_authdata(), is added, which supports the verification and generation of the signed data path.
  • The merge_authdata() internal API now takes an additional argument denoting whether KDC issued authdata we recognise should be omitted.
  • The greet_server authdata plugin has been updated.



We provide a CHECK_ALLOWED_TO_DELEGATE db_invoke callback for the LDAP backend that authorizes that target service against the krbAllowedToDelegateTo attribute. There is no support for administrating this attribute via kadmin, or for the DB2 backend.

Open issues

  • What is the interaction of the ticket checksumming with FAST?


Code is in the users/lhoward/s4u2proxy branch.