RFC 4121 & acceptor subkey use in MIC token generation

[Nico Williams]

On Fri, Oct 27, 2023 at 02:01:05PM -0400, Ken Hornstein via Kerberos wrote:
> >Aren't you supposed to use CAC or PIV cards?
> 
> Well, I hate to use the "Air Bud" loophole, but the rules as I
> understand them don't ACTUALLY say that for ssh, and in some contexts
> they explictly say that plaintext passwords are fine as long as you're
> doing something like using a RADIUS server to verify the password.  Yes,
> the RADIUS protocol is terrible and has MD5 baked into the protocol and
> no one has ever explained to me why the STIGS say FIPS mode is manditory
> but RADIUS is fine.

Uh...  If someone was able to swing that then you should be able to
swing use of MD5 for non-cryptographic purposes where a 20 year old RFC
requires it.  But, I know, I know, never mind.

> >You can definitely use openssh clients with PIV cards and avoid
> >kerberos altogether.
> 
> I have done that!  But that is actually TERRIBLE IMHO from a security
> perspective unless you write a whole pile of infrastructure code; maybe
> some sites actually do that but the people I've seen with that setup do
> not and then get surprised when they get a new CAC and that breaks.  If
> you funnel all that through PKINIT then things are much nicer.

IDEA: Patch ssh to support use of x.509 certificates.

After all, you can't use OpenSSH certs because... that's not "the DoD
PKI", and you can't use GSS-KEYEX because of the foregoing MD5
non-issue, so might as well do the one thing you are allowed to do: use
the DoD PKI!

And you're using Heimdal, right?  Well, Heimdal has a very frickin' nice
ASN.1 compiler that already has everything you need to be able to decode
x.509 certificates.  It even has a fantastic libhx509, though the only
thing it doesn't have is support for x25519/x448 (I've a branch with
that stuff I need to finish).  Though you'll want to update to the
as-yet unreleased master branch for this because it's more awesome
there.

Nico
--