Token Preauth for Kerberos

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Tue Jun 10 16:56:41 EDT 2014


>This proposes to add another preauthentication mechanism, similar to
>OTP and PKINIT, for Kerberos, based on the Kerberos preauthentication
>framework and the FAST tunnel. It allows a 3rd-party token in JWT format,
>such as an OAuth bearer token, to be used as the credential to authenticate to
>the KDC for a normal principal instead of the user password. When using the
>token to request a TGT, the user name or other attributes claimed in the
>token must match the target Kerberos principal. PKI is used to establish
>the trust relationship between the 3rd-party token issuer and the KDC.

Very cool.

Might I ask how you map identities from the 3rd-party scheme into the Kerberos PRINCIPAL@REALM scheme? I assume from the above that the actual binding is performed using a kx509 certificate issued by a trusted CA? Is there a proposed algorithm to generate Kerberos identities from 3rd-party ones, or is this a function of the CA?

Let me back up a bit. Is this being proposed as a gateway such that identities from 3rd party identity systems have a standardized representation in Kerberos (thus ensuring that tokens and Kerberos identities are correctly associated)? Or is this a means for manually created users in the local KDC to use their "regular" password? If the latter, how does one ensure that the same person is in control of the Kerberos identity and the external one?

Bryce
PS: Is your MIT krb5 plugin code somewhere public? :)
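As an added example (not code from this thread, from the proposal, or from the MIT krb5 plugin it mentions), the following Python sketches the KDC-side check the quoted proposal describes: the presented JWT is verified against a key the KDC trusts for its issuer, and the identity claimed in the token is mapped onto PRINCIPAL@REALM and compared with the principal whose TGT is requested. Everything concrete is an assumption for the demo: the issuer URL, the keys, the issuer-to-realm mapping table, and the claim names. In particular, HMAC keys stand in for the PKI-established issuer key so the block runs with only the standard library; a real implementation would take an asymmetric key from a certificate the KDC trusts and verify an RS/ES signature instead.

```python
"""Added example: KDC-side validation of a JWT used as Kerberos preauth data.

Illustration code, not code from the krbdev thread, the proposal or the MIT
krb5 plugin it mentions.  Issuer URL, keys, realm mapping and claim names
are constructed assumptions for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: issuer -> verification key.  The proposal says the
# issuer/KDC trust is established with PKI (a key from a certificate the KDC
# trusts); HMAC keys stand in here (assumption) so the example runs offline.
TRUSTED_ISSUERS = {
    "https://idp.example.org": b"constructed-demo-key-not-a-real-secret",
}

# Constructed mapping policy: which realm each issuer is allowed to vouch for.
ISSUER_REALM = {"https://idp.example.org": "EXAMPLE.ORG"}

# Pin the algorithms the KDC accepts; the token's own "alg" header must never
# widen this (rejects "none" and algorithm-confusion tokens).
ALLOWED_ALGS = {"HS256"}


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issuer side: mint a compact JWT (used here to build demo inputs)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, now: float) -> dict:
    """Return the claims if the token is trusted; raise ValueError otherwise."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token: header/claims not objects")
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not permitted")
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if not isinstance(nbf, (int, float)) or nbf > now:
        raise ValueError("token not yet valid")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("no subject claim")
    return claims


def principal_from_claims(claims: dict) -> str:
    """Map the token identity onto PRINCIPAL@REALM via the issuer policy."""
    realm = ISSUER_REALM.get(claims["iss"])
    if realm is None:
        raise ValueError("issuer has no realm mapping")
    sub = claims["sub"]
    if "@" in sub or "/" in sub:  # don't let the subject smuggle a realm or instance
        raise ValueError("subject may not contain '@' or '/'")
    return f"{sub}@{realm}"


def authorize_preauth(token: str, requested_principal: str, now: float) -> tuple:
    """KDC decision: (True, principal) on success, else (False, reason)."""
    try:
        mapped = principal_from_claims(verify_jwt(token, now))
    except ValueError as exc:
        return False, str(exc)
    if mapped != requested_principal:
        return False, f"token identity {mapped} does not match {requested_principal}"
    return True, mapped


if __name__ == "__main__":
    key, now = TRUSTED_ISSUERS["https://idp.example.org"], time.time()
    tok = make_token({"iss": "https://idp.example.org", "sub": "alice", "exp": now + 300}, key)
    print(authorize_preauth(tok, "alice@EXAMPLE.ORG", now))  # accepted
    print(authorize_preauth(tok, "bob@EXAMPLE.ORG", now))    # identity mismatch
```

The mapping step is the part Bryce's question is really about: here it is a fixed issuer-to-realm table plus a rule that the subject may not itself carry a realm or instance separator, which answers "who is allowed to vouch for which principal" on the KDC side rather than leaving it to a CA. A deployment that instead wants the binding to come from a kx509-style certificate would replace `principal_from_claims` with a lookup of the certificate's Kerberos principal name, but the matching against the requested principal stays the same.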