[kitten] Token Preauth for Kerberos

Simo Sorce simo at redhat.com
Thu Jun 12 17:37:18 EDT 2014


On Tue, 2014-06-10 at 12:19 +0000, Zheng, Kai wrote:
> Hi all,
> 
> I would like to mention an effort regarding Kerberos and propose a new
> Kerberos preauth mechanism, token-preauth. Before diving into that,
> please kindly allow me to introduce it, mainly the background and
> scenario for the proposal.
> 
> I'm an engineer from Intel and develop identity and security related
> products. The current focus is Apache Hadoop, and our goal is enabling
> Hadoop to support more authentication mechanisms and providers.
> Currently Hadoop only supports Kerberos authentication method as the
> built-in secured one and it's not easy to add more since it involves
> changing into many projects on top of it in the large ecosystem. The
> community had proposed a token based authentication, planned to add
> TokenAuth method for Hadoop and by TokenAuth then all kinds of
> authentication providers can be supported since their authentication
> results can be wrapped into token, and the token can be employed to
> authenticate to Hadoop across the ecosystem. The effort is still
> undergoing. Considering the complexity, risk and deployment overhead
> of this approach, our team investigated and thought of another possible
> solution, i.e. supporting tokens in Kerberos. The basic idea is to allow end
> users to authenticate to Kerberos with their tokens and obtain
> tickets, then access Hadoop services using the tickets as the current flow
> goes. The PoC was already done, and we made it work seamlessly from
> MIT Kerberos to the Java world and Hadoop. However, we think it's very
> important to get the key point, token-preauth, reviewed by you
> security and Kerberos experts, to make sure it's defined and
> implemented in compliance with the existing standards and protocols,
> without involving security-critical leaks. So please kindly give your
> feedback; we appreciate it.

Kai,
have you considered protocol transition (s4u2self) + constrained
delegation (s4u2proxy) to get tickets at an authentication gateway
instead of a new preauth mechanism?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
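As an added illustration of the alternative Simo raises (not code from either poster, MIT Kerberos or Hadoop), the toy model below simulates the two KDC exchanges at an authentication gateway: S4U2Self, where a gateway that has validated a user by some non-Kerberos means (such as a token) obtains a ticket to itself in that user's name, and S4U2Proxy, where it exchanges that evidence ticket for a ticket to a backend service. The point it shows is which checks the KDC performs, so that the gateway's reach is bounded by policy rather than by a new preauth mechanism. The wire protocol, ticket encoding and how a real KDC stores the policy are not modelled; every principal name, key and policy entry is constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# All principal names, keys and policy entries here are constructed for this
# example; they do not come from any real deployment or from MIT krb5.


@dataclass(frozen=True)
class Ticket:
    client: str        # end user the ticket speaks for
    service: str       # service principal the ticket is addressed to
    forwardable: bool  # S4U2Proxy requires a forwardable evidence ticket
    tag: bytes         # integrity tag the KDC puts over the fields above


class ToyKDC:
    """Stands in for the KDC. Only the authorization decisions are modelled."""

    def __init__(self):
        self.key = b"example-kdc-key"                       # constructed
        # Principals allowed to perform protocol transition (S4U2Self).
        self.may_transition = {"HTTP/gateway"}
        # Constrained delegation policy: gateway -> services it may proxy to.
        self.delegate_to = {"HTTP/gateway": {"hdfs/namenode", "yarn/rm"}}

    def _tag(self, client, service, forwardable):
        msg = f"{client}|{service}|{int(forwardable)}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def _issue(self, client, service, forwardable):
        return Ticket(client, service, forwardable,
                      self._tag(client, service, forwardable))

    def verify(self, t):
        """What a service (or the KDC itself) does before trusting a ticket."""
        expected = self._tag(t.client, t.service, t.forwardable)
        return hmac.compare_digest(t.tag, expected)

    def s4u2self(self, gateway, user):
        """Protocol transition: the gateway (already authenticated to the KDC
        with its own key, elided here) asks for a ticket to itself in the
        user's name. The KDC only honours this for principals marked for it."""
        if gateway not in self.may_transition:
            raise PermissionError(f"{gateway} may not perform protocol transition")
        return self._issue(user, gateway, forwardable=True)

    def s4u2proxy(self, gateway, evidence, target):
        """Constrained delegation: swap the evidence ticket for a ticket to
        `target`, still in the user's name, only if policy permits."""
        if not self.verify(evidence):
            raise PermissionError("evidence ticket fails integrity check")
        if evidence.service != gateway or not evidence.forwardable:
            raise PermissionError("evidence ticket is not usable for delegation")
        if target not in self.delegate_to.get(gateway, set()):
            raise PermissionError(f"{gateway} may not delegate to {target}")
        # The proxied ticket is not forwardable, so it cannot be chained further.
        return self._issue(evidence.client, target, forwardable=False)


def gateway_flow(kdc, user, target, gateway="HTTP/gateway"):
    """What the gateway does after validating a user's token: obtain a ticket
    for `target` in the user's name without the user touching Kerberos.
    Returns the ticket the backend service would receive."""
    evidence = kdc.s4u2self(gateway, user)
    return kdc.s4u2proxy(gateway, evidence, target)


if __name__ == "__main__":
    kdc = ToyKDC()
    t = gateway_flow(kdc, "kai", "hdfs/namenode")
    print(t.client, "->", t.service, "valid:", kdc.verify(t))
    try:
        gateway_flow(kdc, "kai", "ldap/directory")
    except PermissionError as e:
        print("refused:", e)
```

The two policy tables are what make this design attractive from a defender's standpoint: the KDC, not the gateway, decides which principals may translate a foreign credential into a Kerberos identity and which backend services they may then reach, and the issued ticket still names the end user, so existing audit trails on the Hadoop side keep working.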
