On 1/7/19 7:31 PM, Russ Allbery wrote:
If you want to go down this path, I would take a look at PKINIT, which replaces the initial authentication request using a password-derived key with X.509 mutual authentication.
I'll definitely be taking a look at PKINIT, SPAKE, HTTPS proxy, and OTP as they relate to Kerberos.
I want to understand what they are, what they do, and how they do it from a high level. That way I can make a (somewhat) informed decision if I want to integrate them into my sandbox / lab / scratch monkey environment or not.
You have to figure out a PKI strategy to give the users certificates, but that then effectively gives you what you describe: a password-protected random key.
ACK Thank you for letting me know. :-)
I have also implemented half-assed versions of this, such as putting a service with permissions to mint Kerberos TGTs for users behind SSH public key authentication, so that users can use an SSH keypair to get a Kerberos TGT.
I'm intrigued. But I suspect I should stick with the relatively straight and narrow while doing due diligence and learning about Kerberos and how to get rid of my n00b feathers.
The client/server exchange uses GSS-API, which is fine on its own and doesn't rely on the SSH encrypted tunnel to be secure.
I'm glad to have that confirmed.That supports my understanding that the somewhat sensitive (as in I don't want it on the open Internet for anyone to see) client <-> KDC is where I need to play it safer.
You may or may not want to think about the chain of trust for the server (i.e., how do you know that you're scp'ing the keytab to the correct machine).
I agree with your thought process. That's way out in front of me for now. I'm looking at testing Kerberos in my (lab) LAN and pontificating using GSS-API to authenticate things like SSH, and eventually IMAPS & SMTP (w/ STARTTLS), to select few test VPSs. This is still very much exploratory phase with pet systems. I don't have a good enough understanding of the Kerberos technology to even think about applying it to cattle VPSs yet. Slow steps. Understand who, what, when, where, why, and how before running.
In an ideal world, the machine is launched with some existing credentials (like a TLS private key) that are installed on it securely, and then you use those credentials to bootstrap other credentials it needs, such as keytabs.
Agreed. When I get there.For now, it's pet VPSs that I'm already logging into via ssh keys / certificates and trust (as much as reasonably possible). I'm 99% confident that when I push a keytab to the server, that it will be the server that I'm expecting.
But duly noted on your concern and idea about priming. Thank you again for your insight Russ. -- Grant. . . . unix || die
smime.p7s
Description: S/MIME Cryptographic Signature
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
