IAKERB Starter Credentials Solution
Michael B Allen
ioplex at gmail.com
Sat Apr 26 19:32:35 EDT 2025
On Sat, Apr 26, 2025 at 6:02 PM Nico Williams <nico at cryptonector.com> wrote:
> But that utility might as well be any app that knows it's likely to be
> used in an IAKERB-requiring context _and_ interaction is possible.
>
> E.g., RDP, SSHv2 w/ GSS KEYS/userauth, any remote access system like
> that.
>
> Filesystem protocols are harder to do initial credential acquisition in
> because ...
I like to think about what is ideal, and then I do what I can.
Ideally there should be some unix socket service that just processes gss
tokens.
Being a separate process it can do crypto without exposing base keys and
even store the plaintext password (encrypted of course) used to login to
the device and achieve true SSO.
It would provide persistence so that transient processes can get creds
without prompting.
It would normalize the prompting.
This is consistent with what Windows does.
Windows prompts with "Enter your network credentials" and it has the
plaintext password (encrypted of course) so presumably it will skip
prompting for IAKERB completely.
Presumably no such service exists, so what can I do?
You seem to be suggesting that each of potentially multiple applications
should be able to trap on an error, prompt for initial credentials (in
whatever way) and then do an atypical gss_acquire_cred_with_password with
just the IAKERB mech.
Kerberos is hard enough to debug as it is.
Honestly, I don't see applications actually making those changes anyway.
Until there's a host service to centrally handle all-things gss and know
how to properly and consistently prompt, I would rather apps just return an
error "No credentials, get a TGT and try again".
Of course again, for kinit or whatever login app to get a TGT with IAKERB
it needs to auth to an IAKERB-aware service. HTTPS seems to be the obvious
choice IMO.
As a side benefit, because it's authenticated with mutual, there is an
opportunity to install an otherwise untrusted CA certificate into
/etc/pki/ca-trust/source/ or wherever for the host.
Mike