Automatic FAST via Anonymous PKINIT
kaduk at MIT.EDU
Fri May 30 14:42:39 EDT 2014
On Fri, 30 May 2014, Nathaniel McCallum wrote:
> On Fri, 2014-05-30 at 09:16 -0500, Nico Williams wrote:
>> Greg's #1 works, just inefficiently. It's a lot better than nothing
>> and a no-brainer. #2 doesn't help much. #3 might be more useful than
>> you think, but I'd store the FAST armor ticket (it's constrained,
>> isn't it?) in the normal ccache, with a link to it from a ccconfig
>> entry. #4 is clearly desirable from a systems pov, though i would
>> prefer an IPC protocol so as to be better able to apply least
>> privilege principles. Still, #4 looks very nice, so it gets my +1.
> Thinking through this, I don't know that anything other than #1 is
> really needed. Caching only provides a benefit when the ratio of
> non-Anonymous ASReqs to Anonymous ASReqs is high. In the typical case of
> kinit, this ratio is essentially 1:1, providing no benefit.
> The only case I can think of where caching provides a significant
> benefit is in the case of a login system. In this case, the ratio could
> be very high. If the login system is a single, stateful process #2 might
> make sense. But I can't think of a single login system that is
> architected this way.
> So my vote is #1 now and #4 at a later time.
I think that getting to a state where FAST is used for all traffic to the
KDC (which is not being used to obtain an armor ticket) is a very useful
state to be in, and #4 provides a lot of infrastructure that would make
that state more achievable, whether the armor is obtained via anonymous
PKINIT or otherwise.
So I don't think we should give up on #4 quite yet.
More information about the krbdev