[kitten] Token Preauth for Kerberos

Wang Weijun weijun.wang at oracle.com
Fri Jun 13 03:35:04 EDT 2014


JDK 8 has S4U2self and S4U2proxy, but it hasn't been tested in the real world. Also, client, service and backend service must be in the same realm now, since referral is still not supported.

--Max

On Jun 13, 2014, at 15:31, Zheng, Kai <kai.zheng at intel.com> wrote:

> Hi Max,
> 
> Would you help clarify the support situation or plan/schedule in JRE/JDK for the mentioned protocol transition (s4u2self) + constrained delegation (s4u2proxy) if I'm not correct? Thanks.
> 
> Regards,
> Kai
> 
> -----Original Message-----
> From: Zheng, Kai 
> Sent: Friday, June 13, 2014 3:16 PM
> To: 'Simo Sorce'
> Cc: kitten at ietf.org; krbdev at mit.edu
> Subject: RE: [kitten] Token Preauth for Kerberos
> 
> Hi Simo,
> 
>>> have you considered protocol transition (s4u2self) + constrained delegation (s4u2proxy) to get tickets at an authentication gateway instead of a new pre auth mechanism ?
> 
> Yes, we proposed for the Hadoop community a centralized Authn & Authz Server (HAS) that might be like the gateway you mentioned. It's been widely discussed and confirmed that it would be great if the server allowed plugging in authentication modules/providers, with all mechanisms outputting a token. Sure, I guess it's possible to use the token to go through s4u2self and s4u2proxy in the Kerberos facility across the ecosystem, but as far as I know the JRE just starts to support it from JDK 8. Anyhow, I would check this and make sure it's a doable option in the not so distant future.
> 
> A question regarding this:
> Is it possible to carry the token in the service ticket resulting from s4u2self and s4u2proxy as authorization data, so that services can get it as proposed in token-preauth? Note that in our intended solution the token not only serves for authentication, but is also meant to be passed (the token or its attributes) to the service side for fine-grained authorization.
> 
> Thanks & regards,
> Kai
> 
> -----Original Message-----
> From: Simo Sorce [mailto:simo at redhat.com]
> Sent: Friday, June 13, 2014 5:37 AM
> To: Zheng, Kai
> Cc: kitten at ietf.org; krbdev at mit.edu
> Subject: Re: [kitten] Token Preauth for Kerberos
> 
> On Tue, 2014-06-10 at 12:19 +0000, Zheng, Kai wrote:
>> Hi all,
>> 
>> I would like to mention an effort regarding Kerberos and propose a new 
>> Kerberos preauth mechanism, token-preauth. Before diving into that, 
>> please kindly allow me to introduce, mainly for the background and 
>> scenario for the proposal.
>> 
>> I'm an engineer from Intel and develop identity and security related 
>> products. The current focus is Apache Hadoop, and our goal is enabling 
>> Hadoop to support more authentication mechanisms and providers.
>> Currently Hadoop only supports the Kerberos authentication method as the 
>> built-in secured one, and it's not easy to add more since it involves 
>> changes in many projects on top of it in the large ecosystem. The 
>> community had proposed a token based authentication, planning to add a 
>> TokenAuth method for Hadoop; with TokenAuth all kinds of 
>> authentication providers can be supported, since their authentication 
>> results can be wrapped into a token, and the token can be employed to 
>> authenticate to Hadoop across the ecosystem. The effort is still 
>> ongoing. Considering the complexity, risk and deployment overhead 
>> of this approach, our team investigated and thought of another possible 
>> solution, i.e. supporting tokens in Kerberos. The basic idea is to allow end 
>> users to authenticate to Kerberos with their tokens and obtain 
>> tickets, then access Hadoop services using the tickets as the current flow 
>> goes. The PoC was already done, and we made it work seamlessly from 
>> MIT Kerberos to the Java world and Hadoop. However, we think it's very 
>> important to get the key point, token-preauth, reviewed by you 
>> security and Kerberos experts, to make sure it's defined and 
>> implemented in compliance with the existing standards and protocols, 
>> without introducing security critical leaks. So please kindly give your 
>> feedback; we appreciate it.
> 
> Kai,
> have you considered protocol transition (s4u2self) + constrained delegation (s4u2proxy) to get tickets at an authentication gateway instead of a new pre auth mechanism ?
> 
> Simo.
> 
> --
> Simo Sorce * Red Hat, Inc * New York
> 
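The gateway-side flow Simo suggests, using the JDK 8 S4U2self/S4U2proxy support Max refers to, as an added example that is not code from this thread or from any project mentioned in it. It assumes the gateway has already verified the user's token by its own means and has logged in with its keytab through JAAS (Krb5LoginModule, isInitiator=true) so the current Subject holds its TGT; the principal names are placeholders, and the KDC must allow the gateway principal to delegate to the backend service.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * Authentication gateway that turns an already-validated user identity into
 * Kerberos tickets: S4U2self for a ticket in the user's name, then S4U2proxy
 * to reach a backend service. As Max notes, with JDK 8 the user, the gateway
 * and the backend must all live in the same realm (no referral support).
 */
public class TokenGateway {

    /** Builds an initiator context for backendSpn acting on behalf of userPrincipal. */
    public static GSSContext contextForUser(String userPrincipal, String backendSpn)
            throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID

        // The gateway's own credential, taken from the JAAS Subject (assumed to
        // be populated by a prior keytab login; not shown here).
        GSSCredential gateway = mgr.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

        // S4U2self: ask the KDC for a ticket to the gateway itself in the user's
        // name. No user password or token is presented to the KDC at all.
        GSSName user = mgr.createName(userPrincipal, GSSName.NT_USER_NAME);
        GSSCredential asUser = ((ExtendedGSSCredential) gateway).impersonate(user);

        // S4U2proxy: when initSecContext() runs on this context, the JDK asks
        // the KDC for a ticket to backendSpn carrying the user's identity. The
        // KDC only grants it if constrained delegation to that service is
        // configured for the gateway principal, so the KDC policy, not the
        // gateway code, bounds which backends the user can be impersonated to.
        GSSName backend = mgr.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(backend, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        return ctx;
    }

    public static void main(String[] args) throws GSSException {
        // Placeholder principals (constructed for this example).
        GSSContext ctx = contextForUser("alice", "hdfs@namenode.example.com");
        byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
        System.out.println("AP-REQ for backend: " + apReq.length + " bytes");
    }
}
```

The token itself does not travel inside the resulting service ticket; this flow only conveys the user's Kerberos identity, so the authorization-data question Kai raises is not answered by it.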