Kerberos n00b question.

Grant Taylor gtaylor at tnetconsulting.net
Mon Jan 7 21:57:35 EST 2019


On 1/7/19 7:31 PM, Russ Allbery wrote:
> If you want to go down this path, I would take a look at PKINIT, which 
> replaces the initial authentication request using a password-derived key 
> with X.509 mutual authentication.

I'll definitely be taking a look at PKINIT, SPAKE, HTTPS proxy, and OTP 
as they relate to Kerberos.

I want to understand what they are, what they do, and how they do it 
from a high level.  That way I can make a (somewhat) informed decision 
if I want to integrate them into my sandbox / lab / scratch monkey 
environment or not.

> You have to figure out a PKI strategy to give the users certificates, but 
> that then effectively gives you what you describe: a password-protected 
> random key.

ACK

Thank you for letting me know.  :-)

> I have also implemented half-assed versions of this, such as putting 
> a service with permissions to mint Kerberos TGTs for users behind SSH 
> public key authentication, so that users can use an SSH keypair to get 
> a Kerberos TGT.

I'm intrigued.  But I suspect I should stick with the relatively 
straight and narrow while doing due diligence and learning about 
Kerberos and how to get rid of my n00b feathers.

> The client/server exchange uses GSS-API, which is fine on its own and 
> doesn't rely on the SSH encrypted tunnel to be secure.

I'm glad to have that confirmed.

That supports my understanding that the somewhat sensitive (as in I 
don't want it on the open Internet for anyone to see) client <-> KDC is 
where I need to play it safer.

> You may or may not want to think about the chain of trust for the server 
> (i.e., how do you know that you're scp'ing the keytab to the correct 
> machine).

I agree with your thought process.  That's way out in front of me for 
now.  I'm looking at testing Kerberos in my (lab) LAN and pontificating 
using GSS-API to authenticate things like SSH, and eventually IMAPS & 
SMTP (w/ STARTTLS), to a select few test VPSs.  This is still very much 
an exploratory phase with pet systems.  I don't have a good enough 
understanding of the Kerberos technology to even think about applying it 
to cattle VPSs yet.  Slow steps.  Understand who, what, when, where, 
why, and how before running.

> In an ideal world, the machine is launched with some existing credentials 
> (like a TLS private key) that are installed on it securely, and then 
> you use those credentials to bootstrap other credentials it needs, 
> such as keytabs.

Agreed.  When I get there.

For now, it's pet VPSs that I'm already logging into via ssh keys / 
certificates and trust (as much as reasonably possible).  I'm 99% 
confident that when I push a keytab to the server, it will be the 
server that I'm expecting.

But duly noted on your concern and idea about priming.

Thank you again for your insight, Russ.



-- 
Grant. . . .
unix || die
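As an added example (not from the thread, and not Russ's or Grant's code), a shell script illustrating the chain-of-trust point above about scp'ing a keytab: the target's SSH host key is pinned in a private known_hosts file ahead of time and strict checking is on, so the copy aborts instead of prompting when the key is unknown or has changed. Host names, paths and key strings in it are constructed placeholders.

```bash
#!/bin/sh
# Added example: push a keytab only to a host whose SSH key was pinned in advance.
set -eu

# Count plain-text known_hosts entries for HOST in FILE.
# A line is "host[,host2,...] keytype key"; comments and @markers are skipped.
# Note: hashed entries (HashKnownHosts yes) cannot be matched this way; keep the
# pin file unhashed, or use `ssh-keygen -F host -f file`, which handles both.
pinned_entry_count() {
  host="$1"; file="$2"
  awk -v h="$host" '
    $1 !~ /^[#@]/ { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) c++ }
    END { print c + 0 }' "$file"
}

# Succeed only if HOST has at least one pinned key in FILE.
host_is_pinned() {
  [ "$(pinned_entry_count "$1" "$2")" -ge 1 ]
}

# Copy KEYTAB to HOST, trusting only the keys in the PINNED file.
# Unknown or changed host keys make ssh/scp fail rather than ask (no TOFU).
push_keytab() {
  keytab="$1"; host="$2"; pinned="$3"; dest="${4:-/etc/krb5.keytab}"
  host_is_pinned "$host" "$pinned" || {
    echo "refusing: no pinned host key for $host in $pinned" >&2; return 1; }
  opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$pinned -o GlobalKnownHostsFile=/dev/null"
  # shellcheck disable=SC2086  # opts is intentionally word-split
  scp $opts "$keytab" "root@$host:$dest.tmp"
  ssh $opts "root@$host" \
    "chmod 600 '$dest.tmp' && chown root:root '$dest.tmp' && mv '$dest.tmp' '$dest' && klist -k '$dest'"
}

# Usage (constructed placeholder values):
#   push_keytab ./web1.keytab web1.lab.example ./pinned_known_hosts
```

The final `klist -k` on the remote side lists the principals in the installed keytab, which confirms the file landed intact and is readable by root.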
