Differentiate the ServiceTicket issued from Kinit vs PKinit
Jim Shi
hanmao_shi at apple.com
Wed Jun 3 00:29:45 EDT 2015
>> We sort-of do this, but it may not directly be applicable.
>>
>> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular
>> policy OID is found in the client certificate (in our case, the policy
>> OID we check for is if the certificate comes from a smartcard, so the
>> use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
>> service tickets, so we have code on application servers that checks to see
>> if the HW-AUTH flag exists for service tickets to make authorization
>> decisions.
Hi, Simo,
Does this require to modify MIT KDC source code?
Thanks
Jim
> On Jun 2, 2015, at 7:36 PM, Simo Sorce <simo at redhat.com> wrote:
>
> On Tue, 2015-06-02 at 21:11 -0400, Ken Hornstein wrote:
>>> Today we use password based authentication (kinit). And we want to
>>> introduce PKinit. But while validating ServiceTicket we would like to know
>>> if the service ticket issued through Kinit to PKinit
>>>
>>> Is there a way to find this?
>>
>> We sort-of do this, but it may not directly be applicable.
>>
>> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular
>> policy OID is found in the client certificate (in our case, the policy
>> OID we check for is if the certificate comes from a smartcard, so the
>> use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
>> service tickets, so we have code on application servers that checks to see
>> if the HW-AUTH flag exists for service tickets to make authorization
>> decisions.
>>
>> So, you could do that (if your client-side certificates is issued from
>> a hardware device), or overload the HW-AUTH flag. Checking that on the
>> application server side is easy.
>>
>> But ... if you don't want to do that, you MAY be able to check the service
>> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
>> glance suggests to me that MIT Kerberos doesn't generate that data, but
>> I could be wrong about that). That would require further investigation.
>
> There is work to actually provide this kind of information here:
> https://tools.ietf.org/html/draft-ietf-kitten-krb-auth-indicator-00
>
> Hopefully this will be approved soon, implementation is underway.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list