GSS-API and libkrb5 behavior for Anonymous tickets

Sam Hartman hartmans at MIT.EDU
Mon Nov 2 18:50:49 EST 2009 


I'm starting the writeup for http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit .

I have a couple of questions about API behavior.

Note that as I'm proposing to implement this project, getting
anonymous tickets will not always work. There are two main causes of
failure.  First, your client may not be configured to verify the
certificate that the KDC presents.  Secondly, the KDC may not have
anonymous tickets enabled.

I have two questions about API behavior.

The first is what should the GSS-API behavior of the anonymous context
establishment option be.  

* If I set the anonymous option and pass in the default credential handle, what happens?  Options include:

1) If I have anonymous credentials in my default cache, I use them and
get the anonymous bit set in the established context.  Otherwise, I
don't get anonymous set in my context and I use the existing
credentials.  We call this the pathetic option.
[I recommend against this option.]

2) If my default credentials are anonymous they are used and the
anonymous bit is set in the context.  Otherwise, if I'm able to obtain
anonymous credentials, I do so into a memory ccache.  If I fail to
obtain anonymous credentials, then I use my existing default
credentials and don't set the anonymous bit in the context.  This
option is probably maximally conforming to the intent of the GSS-API
spec.

3) Option 2 as above, except that if I fail to obtain anonymous
credentials, I return an error.  This allows us to debug being unable
to obtain anonymous credentials, but probably breaks the strict
interpretation of how GSS-API should work.

* If I pass the anonymous name into gss_acquire_credentials, what
  happens?

1) If my default credentials are anonymous, then it works.  Otherwise, if I'm using KIM I may try to obtain anonymous credentials, but on Unix I fail.

2) If my default credentials are anonymous I use them.  Otherwise, I set up a new memory ccache and try to obtain anonymous credentials.  If I fail, I return an error.

3) Option 2 as above, except that if I fail to obtain anonymous
credentials, then  I use my default credentials.

Then I have some questions about libkrb5.

Several things need to happen to request anonymous credentials from an AS:

* You need the anonymous principal name as the client
* You need the anonymous KDC option set
* You must use pkinit with DH

First krb5 question: How much work should krb5_get_init_creds do to
make things consistent.  For example, should setting the client
principal name to anonymous set the anonymous option?  Should setting
the anonymous option set the client principal name?  Should either of
the above force pkinit?

Second question: I want to introduce an API that takes a realm and a
ccache and tries to obtain anonymous credentials for that realm.  Does
this sound good?

More information about the krbdev mailing list