Automatically randomizing principal keys (in preauth plugin)

[Greg Hudson]

On Wed, 2011-03-23 at 07:51 -0400, Yair Yarom wrote:
> 1. Have the preauth plugin check if there's a key available, and if not
>    create a random one and insert it into the database. Is this
>    possible? If so how and where in the plugin should I do it?

I think it's possible, just by making krb5_db_* calls in the verify_proc
with the provided context.  It doesn't seem very clean, but I can't
think of a reason why it wouldn't work.

> 2. Have all users have the same static (random) key. Here the question
>    is how insecure is it? i.e. I force the use of my preauth plugin as
>    it's the only one installed that provides HW authentication
>    (allegedly). So is this key actually used anywhere?

I think you'd want to set the KRB5_KDB_DISALLOW_SVR flag on the user
principals so people couldn't print service tickets for them.  Beyond
that, I can't think of a risk, although that doesn't mean there isn't a
risk.

> Any other suggestion would be appreciated.

Depending on your deployment requirements, it might be possible to alter
the KDC to allow principals with no keys.  I think we would need to
create a new preauth plugin flag for "I don't need an input reply key"
to avoid incompatibilities with existing plugins.