Differentiate the ServiceTicket issued from Kinit vs PKinit
Simo Sorce
simo at redhat.com
Tue Jun 2 22:36:40 EDT 2015
On Tue, 2015-06-02 at 21:11 -0400, Ken Hornstein wrote:
> > Today we use password based authentication (kinit). And we want to
> > introduce PKinit. But while validating ServiceTicket we would like to know
> > if the service ticket issued through Kinit to PKinit
> >
> > Is there a way to find this?
>
> We sort-of do this, but it may not directly be applicable.
>
> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular
> policy OID is found in the client certificate (in our case, the policy
> OID we check for is if the certificate comes from a smartcard, so the
> use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
> service tickets, so we have code on application servers that checks to see
> if the HW-AUTH flag exists for service tickets to make authorization
> decisions.
>
> So, you could do that (if your client-side certificates is issued from
> a hardware device), or overload the HW-AUTH flag. Checking that on the
> application server side is easy.
>
> But ... if you don't want to do that, you MAY be able to check the service
> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
> glance suggests to me that MIT Kerberos doesn't generate that data, but
> I could be wrong about that). That would require further investigation.
There is work to actually provide this kind of information here:
https://tools.ietf.org/html/draft-ietf-kitten-krb-auth-indicator-00
Hopefully this will be approved soon, implementation is underway.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Kerberos
mailing list