IAKERB Starter Credentials Solution
Michael B Allen
ioplex at gmail.com
Sat Apr 26 10:39:02 EDT 2025
I'm drilling down into IAKERB right now and I had a thought ...
Unlike regular Kerberos where the initiator has a ticket from the ccache
already acquired in a separate authentication step, IAKERB needs "starter"
credentials like a principal name and plaintext password.
So how does an IAKERB initiator get the client principal name and password?
One method might be to invoke a callback from within gss_init_sec_context
that would trigger the user to be prompted for plaintext creds.
While this is closer to what I think is ideal, in practice, the
implementation is non-trivial.
Another method would be to modify kinit to optionally authenticate with an
IAKERB-aware service and cache the resulting TGT in the usual way.
More specifically, add an option to krb5.conf like:
[libdefaults]
iakerb_idp = https://idp1.mega.corp/do/iakerb
Now run kinit as usual, which uses the supplied plaintext creds to do
Negotiate auth with the specified URL and stuff the acquired TGT into the
ccache.
Now IAKERB can init elsewhere without starter creds or problematic
prompting.
Although, the current MIT Kerberos code is not quite right for this because
it seems SPNEGO can't use IAKERB as a submech and there would need to be a
callback in iakerb_gss_init_sec_context to reach back into kinit and pick up
the plaintext creds.
Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/