Re: Is a keytab file encrypted?

2017-07-22 Thread Theodore Ts'o 
On Fri, Jul 21, 2017 at 12:42:38PM -0700, Russ Allbery wrote:
> 
> Yeah, if you're worried about portable keys, that's when you probably want
> to do something with a system TPM.  If you go down that path, I'd probably
> try to figure out some way to do PKINIT using a TLS certificate stored in
> the TPM.  I'm not aware of anyone who has already done that work, but it
> would be a pretty interesting project.

Or implement a subset of Kerberos as a smartcard application, so the
key would live in the smart card, and the smartcard would only do
operations if the proper pin/password is submitted --- much like how
the GPG smartcard application works.

For a server, the pin/password for the smartcard would have to be
stored on the disk, or entered by the system administrator each time
the system reboots, so it's not clear how much this would really help
you.  The same is true for the system TPM alternative as well of
course, but at least with the smartcard approach, you could easily
remove the smartcard if you wanted to put the server/laptop into a
"safe" mode where the keying materials have been separated from the
system.

It all depends on your specific threat model and what you are trying
to protect against

- Ted

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick 
You can only use the host key table from a host with the same IP address. The 
server verifies that the IP address corresponds to the hostname. In theory 
someone could bring a laptop and plug it in in place of the original host with 
the same IP address, but that wouldn’t let them compromise anything they 
couldn’t already get if they had root on the original host. We do lots of 
monitoring. If one of our hosts disappears, we’ll notice. If they replace it 
with another host at the same IP address that’s close enough to the original 
that we don’t  notice, it’s not clear what is being compromised. They’re just 
giving us free hardware...

And at least in our situation, we have various groups of systems at different 
security levels. So you could compromise that user on one cluster, but not 
system-wide. 


> On Jul 21, 2017, at 5:55:27 PM, Russ Allbery  wrote:
> 
> Russ Allbery  writes:
>> Charles Hedrick  writes:
> 
>>> * A kerberized service where the user registers that they want to be
>>> able to do cron jobs on a given machine.
>>> * A kerberized pam module that calls the same service and gets back
>>> credentials, locked to the IP address, and at least by default not
>>> forwardable.
> 
>> How does this address the problem raised on this thread?  It's still the
>> case that if you become root on the host, you can just steal the keytab
>> used by that daemon and use it anywhere.  This gives you enhanced
>> protection if you trust the boundary between non-root users and root,
>> but not if you don't trust the machine.
> 
> Oh, wait, I see -- it does transform part of the attack to occasional
> on-line, since while you can steal the system keytab and request tickets
> whenever you want, you can't get the long-lived keytab for the actual
> target credential.  (And presumably you can put monitoring and alerting
> around the host keytab being used from unexpected places.)
> 
> Yeah, that's a partial security improvement.
> 
> -- 
> Russ Allbery (ea...@eyrie.org)  
> 



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-21 Thread Russ Allbery 
Russ Allbery  writes:
> Charles Hedrick  writes:

>> * A kerberized service where the user registers that they want to be
>> able to do cron jobs on a given machine.
>> * A kerberized pam module that calls the same service and gets back
>> credentials, locked to the IP address, and at least by default not
>> forwardable.

> How does this address the problem raised on this thread?  It's still the
> case that if you become root on the host, you can just steal the keytab
> used by that daemon and use it anywhere.  This gives you enhanced
> protection if you trust the boundary between non-root users and root,
> but not if you don't trust the machine.

Oh, wait, I see -- it does transform part of the attack to occasional
on-line, since while you can steal the system keytab and request tickets
whenever you want, you can't get the long-lived keytab for the actual
target credential.  (And presumably you can put monitoring and alerting
around the host keytab being used from unexpected places.)

Yeah, that's a partial security improvement.

-- 
Russ Allbery (ea...@eyrie.org)  

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-21 Thread Russ Allbery 
Charles Hedrick  writes:

> * A kerberized service where the user registers that they want to be
> able to do cron jobs on a given machine.
> * A kerberized pam module that calls the same service and gets back
> credentials, locked to the IP address, and at least by default not
> forwardable.

How does this address the problem raised on this thread?  It's still the
case that if you become root on the host, you can just steal the keytab
used by that daemon and use it anywhere.  This gives you enhanced
protection if you trust the boundary between non-root users and root, but
not if you don't trust the machine.

The point of the TPM is that you can't exfiltrate the keys, even if you
have root, only perform on-line operations.

-- 
Russ Allbery (ea...@eyrie.org)  

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick 
My approach is simpler:

* A kerberized service where the user registers that they want to be able to do 
cron jobs on a given machine. 
* A kerberized pam module that calls the same service and gets back 
credentials, locked to the IP address, and at least by default not forwardable.

The pam module authenticates using the system keytable.

This may not be quite as good as a TPM, because it depends upon the integrity 
of the system key table. But the service checks the IP address, so my host 
credential is host/FOO, a lookup of FOO has to produce the IP address the 
request came from. That seems pretty close. I’ll look into TPM, to see if that 
could somehow be used.

> On Jul 21, 2017, at 3:42 PM, Russ Allbery  wrote:
> 
> Charles Hedrick  writes:
> 
>> The argument makes sense.
> 
>> However I am disturbed by the fact that a keytab can be used
>> anywhere. If someone manages to become root on one machine, I’d like
>> them not to be able to do things on other machines. I’m in an
>> environment where we have systems administered by users, and unattended
>> public workstations.
> 
>> That makes me unwilling to tell users to create key tables for cron
>> jobs.
> 
> Yeah, if you're worried about portable keys, that's when you probably want
> to do something with a system TPM.  If you go down that path, I'd probably
> try to figure out some way to do PKINIT using a TLS certificate stored in
> the TPM.  I'm not aware of anyone who has already done that work, but it
> would be a pretty interesting project.
> 
> -- 
> Russ Allbery (ea...@eyrie.org)  
> 



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-21 Thread Russ Allbery 
Charles Hedrick  writes:

> The argument makes sense.

> However I am disturbed by the fact that a keytab can be used
> anywhere. If someone manages to become root on one machine, I’d like
> them not to be able to do things on other machines. I’m in an
> environment where we have systems administered by users, and unattended
> public workstations.

> That makes me unwilling to tell users to create key tables for cron
> jobs.

Yeah, if you're worried about portable keys, that's when you probably want
to do something with a system TPM.  If you go down that path, I'd probably
try to figure out some way to do PKINIT using a TLS certificate stored in
the TPM.  I'm not aware of anyone who has already done that work, but it
would be a pretty interesting project.

-- 
Russ Allbery (ea...@eyrie.org)  


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-21 Thread Jeffrey Altman 
On 7/21/2017 11:13 AM, Charles Hedrick wrote:
> The argument makes sense.
> 
> However I am disturbed by the fact that a keytab can be used anywhere. If 
> someone manages to become root on one machine, I’d like them not to be able 
> to do things on other machines. I’m in an environment where we have systems 
> administered by users, and unattended public workstations.
> 
> That makes me unwilling to tell users to create key tables for cron jobs.

Sites have implemented a wide variety of approaches to authenticating
cron jobs.  The cron process is specific to a host and is not the user.
As such some sites provide tooling that issues host specific principals
for such use with cron:

  user/cron/hostname@REALM

is a common format.  It is then up to the service receiving such a
principal to ensure that the authenticating client is in fact connecting
from the specified host.  Authorization rules can be applied as desired
to either grant specific permissions to

  user/cron/hostname@REALM
  user/cron/*@REALM
  user/*/*@REALM

with appropriate name folding.

Jeffrey Altman





smime.p7s
Description: S/MIME Cryptographic Signature

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick 
The argument makes sense.

However I am disturbed by the fact that a keytab can be used anywhere. If 
someone manages to become root on one machine, I’d like them not to be able to 
do things on other machines. I’m in an environment where we have systems 
administered by users, and unattended public workstations.

That makes me unwilling to tell users to create key tables for cron jobs.


> On Jul 18, 2017, at 10:20 PM, pratyush parimal  
> wrote:
> 
> Ah, I get it. It's much clearer now. Thanks guys!
> 
> On Jul 18, 2017 10:15 PM, "Russ Allbery"  wrote:
> 
>> Greg Hudson  writes:
>>> On 07/18/2017 12:48 PM, pratyush parimal wrote:
>> 
 (2) Is it possible to export the key in encrypted form? If so, then how
 does the service application open the encrypted keytab?
>> 
>>> The keytab file does not have any way to represent encrypted keys, and
>>> the kadmin protocol has no facility to export encrypted keys.  One
>>> could, in principle, design an out-of-band system which used
>>> kadmin.local to create a keytab, encrypt the file, transmit the
>>> encrypted kyetab file to the server, and then decrypt the file on the
>>> server (into a memory filesystem, perhaps) before running the server
>>> application, but I've never heard of anyone doing that.
>> 
>> You have kind of a chicken and an egg problem, since in a typical Kerberos
>> environment the keytab *is* the core identity keys for an application.  If
>> it's encrypted, then you need some other unencrypted keys that *really*
>> represent the application, at which point why not use those keys for
>> Kerberos directly?
>> 
>> That said, if you had a private key in a TPM or some other sort of
>> tamper-resistent hardware, I could see wanting to hand out Kerberos
>> keytabs encrypted to the public key of the server.  But you'd have to
>> build the service to do key issuance that way yourself.  (It wouldn't be
>> horribly hard to build if you'd already done the work to build out the PKI
>> and its TPM component.)
>> 
>> But, even in that case, it's not clear to me what the keytab is then doing
>> for you versus just using the PKI and using PKINIT to get Kerberos
>> tickets.  There are probably some practical uses for introducing the extra
>> layer of complexity, but it's not obviously necessary.
>> 
>> --
>> Russ Allbery (ea...@eyrie.org)  
>> 
>> 
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.mit.edu%2Fmailman%2Flistinfo%2Fkerberos=02%7C01%7Chedrick%40rutgers.edu%7Cd8fbc3140d2741aa9bce08d4ce4d0583%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C0%7C636360277603180808=GaOrAUT3ukJJgW3X8l9nbRJHGkBah2K9VIeLXdiLpJo%3D=0



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-18 Thread pratyush parimal 
Ah, I get it. It's much clearer now. Thanks guys!

On Jul 18, 2017 10:15 PM, "Russ Allbery"  wrote:

> Greg Hudson  writes:
> > On 07/18/2017 12:48 PM, pratyush parimal wrote:
>
> >> (2) Is it possible to export the key in encrypted form? If so, then how
> >> does the service application open the encrypted keytab?
>
> > The keytab file does not have any way to represent encrypted keys, and
> > the kadmin protocol has no facility to export encrypted keys.  One
> > could, in principle, design an out-of-band system which used
> > kadmin.local to create a keytab, encrypt the file, transmit the
> > encrypted kyetab file to the server, and then decrypt the file on the
> > server (into a memory filesystem, perhaps) before running the server
> > application, but I've never heard of anyone doing that.
>
> You have kind of a chicken and an egg problem, since in a typical Kerberos
> environment the keytab *is* the core identity keys for an application.  If
> it's encrypted, then you need some other unencrypted keys that *really*
> represent the application, at which point why not use those keys for
> Kerberos directly?
>
> That said, if you had a private key in a TPM or some other sort of
> tamper-resistent hardware, I could see wanting to hand out Kerberos
> keytabs encrypted to the public key of the server.  But you'd have to
> build the service to do key issuance that way yourself.  (It wouldn't be
> horribly hard to build if you'd already done the work to build out the PKI
> and its TPM component.)
>
> But, even in that case, it's not clear to me what the keytab is then doing
> for you versus just using the PKI and using PKINIT to get Kerberos
> tickets.  There are probably some practical uses for introducing the extra
> layer of complexity, but it's not obviously necessary.
>
> --
> Russ Allbery (ea...@eyrie.org)  
>

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-18 Thread Russ Allbery 
Greg Hudson  writes:
> On 07/18/2017 12:48 PM, pratyush parimal wrote:

>> (2) Is it possible to export the key in encrypted form? If so, then how
>> does the service application open the encrypted keytab?

> The keytab file does not have any way to represent encrypted keys, and
> the kadmin protocol has no facility to export encrypted keys.  One
> could, in principle, design an out-of-band system which used
> kadmin.local to create a keytab, encrypt the file, transmit the
> encrypted kyetab file to the server, and then decrypt the file on the
> server (into a memory filesystem, perhaps) before running the server
> application, but I've never heard of anyone doing that.

You have kind of a chicken and an egg problem, since in a typical Kerberos
environment the keytab *is* the core identity keys for an application.  If
it's encrypted, then you need some other unencrypted keys that *really*
represent the application, at which point why not use those keys for
Kerberos directly?

That said, if you had a private key in a TPM or some other sort of
tamper-resistent hardware, I could see wanting to hand out Kerberos
keytabs encrypted to the public key of the server.  But you'd have to
build the service to do key issuance that way yourself.  (It wouldn't be
horribly hard to build if you'd already done the work to build out the PKI
and its TPM component.)

But, even in that case, it's not clear to me what the keytab is then doing
for you versus just using the PKI and using PKINIT to get Kerberos
tickets.  There are probably some practical uses for introducing the extra
layer of complexity, but it's not obviously necessary.

-- 
Russ Allbery (ea...@eyrie.org)  

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is a keytab file encrypted?

2017-07-18 Thread Greg Hudson 
On 07/18/2017 12:48 PM, pratyush parimal wrote:
> When I export a principal's key to a keytab file using the following
> command:
> 
> ktadd -k keytabfile service/host@REALM
> 
> (1) Does the keytabfile contain the key in encrypted form or as plaintext?

The keytab file contains the actual keys, unencrypted.

> (2) Is it possible to export the key in encrypted form? If so, then how
> does the service application open the encrypted keytab?

The keytab file does not have any way to represent encrypted keys, and
the kadmin protocol has no facility to export encrypted keys.  One
could, in principle, design an out-of-band system which used
kadmin.local to create a keytab, encrypt the file, transmit the
encrypted kyetab file to the server, and then decrypt the file on the
server (into a memory filesystem, perhaps) before running the server
application, but I've never heard of anyone doing that.

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos