Anonymous kerberos and bootstrapping new hosts - how to?
Nico Williams
nico at cryptonector.com
Fri Sep 6 20:41:27 EDT 2013
Roland Dowdeswell's krb5_admin and krb5_keytab tool suite support
bootstrapping and changing host keys using N-way Diffie-Hellman key
exchanges (which includes support for race-free clustered host key
updates).
Bootstrapping keys requires a locally-defined (site-specific) process
for verifying host identity. That process can be as simple as "any
host gets to bootstrap keys for any host-based principal for which
there are no keys yet and which exists in DNS" to "confirm host
identity via service processors automatically" (e.g., if you have a
datacenter with a gateway'ed service processor network so you can
trust that if you can reach a service processor you are talking to a
racked server, so then you leverage datacenter physical access
policies) to "a sysadmin must manually confirm the host identity". A
key is bootstrapped before the host identification process, using a
principal name derived from the N-way DH exchange, so, for example, if
you can get console access via a gateway'ed service processor then you
can use that key to complete the bootstrap process securely.
See:
http://oskt.secure-endpoints.com/
https://github.com/elric1/
Nico
--
More information about the Kerberos
mailing list