RX Kerberos 5 security class requirements of Kerberos library

g.w@hurderos.org
Wed Jan 3 12:18:54 EST 2007


On Jan 3,  8:56am, jaltman at secure-endpoints.com wrote:
} Subject: Re: RX Kerberos 5 security class requirements of Kerberos library

Good day to everyone, I hope the New Year is starting out well.

> The requirement that Sam has imposed is that the resulting function
> prototype be general enough to support more than just the -localauth
> case because AFS is the only application service for which we can think
> that we would approve of its use.

> My revised prototype looks like this:
> 
>   krb5_error_code KRB5_CALLCONV
>   krb5_generate_creds_with_keytab(
>       krb5_context context,
>       krb5_principal client,
>       krb5_keytab    client_keytab,
>       krb5_principal service,
>       krb5_keytab    service_keytab,
>       time_t starttime,
>       time_t endtime,
>       krb5_enctype  *allowed_enctypes,
>       krb5_address  *address,		/* optional */
>       krb5_data      authz_data,	/* optional */
>       krb5_flags     flags,
>       krb5_creds** out_creds /* out */ )
> 
> where for AFS client_keytab and service_keytab would be the same until
> AFS starts to support separate service keys, and the authz_data would
> be empty.
> 
> One flag that could be specified is KRB5_GENCREDS_AFS_LOCALAUTH which
> allows us to indicate that AFS -localauth is being used and ensures that
> (a) it is not the default behavior
> (b) permits AFS to make use of the other functionality in the future.

As long as a general API is being designed, would it be possible to
assist the KDC just a bit?

Relevant KDC implementations are going to be talking to directory
servers more rather than less in the future.  To support this the KDC
needs to be able to generate authentication credentials in a model
which is essentially a mutual shared secret environment.

I ended up rolling a credential self-generation routine for our plugin
so that the KDC could do GSSAPI authenticated connections to a
directory server in order to generate BEAF/IDfusion encoded
authorization payloads.  With MIT now officially supporting a plugin
architecture it would seem useful to have an equivalent call which
plugins can use to generate needed credentials.

Perhaps a companion function using keyblock entries rather than
keytabs?

> Jeffrey Altman

Best wishes for a productive New Year.

}-- End of excerpt from jaltman at secure-endpoints.com

As always,
Greg

------------------------------------------------------------------------------
			 The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

"My spin on the meeting?  I lie somewhere between the individual who feels
that we are all going to join hands and march forward carrying the organization
into the information age and Dr. Wettstein.  Who feels that they are holding
secret meetings at 6 o'clock in the morning plotting strategy on how to
replace our system."
                                -- Paul S. Etzell, M.D.
                                   Medical Director, Roger Maris Cancer Center
