Authentication strength and ticket policy

Greg Hudson ghudson at
Wed Sep 14 11:51:46 EDT 2016

On 09/13/2016 03:57 PM, Matt Rogers wrote:
> On the call we briefly discussed the request to be able to influence
> the ticket lifetime based on the preauth method used (i.e. shorter
> lifetimes for 2FA tickets).  It would be good to continue the
> discussion here.

We could either implement this feature request completely within the
core krb5 code, or merely make it possible to implement using plugin
modules.  The first option is difficult; our database schema isn't
especially malleable, and making ticket lifetimes conditional on
authentication indicators would require adding a lot of complexity to
it.  So I think it's more likely that we would enable the feature to be
implemented using plugin modules.

There are currently a few external interfaces for policy checking within
the KDB interface.  The relevant ones (check_policy_as and
check_policy_tgs) are inadequate for this feature for two reasons: they
do not receive the authentication indicators as an input, and they
cannot influence ticket lifetimes as an output.

Also, while having policy interfaces only within the KDB interface is
adequate for FreeIPA and similar integrations, it makes it impossible to
influence policy from a plugin module without also writing a complete
KDB module.  That's why I favor creating a separate KDC policy
interface.  Separating KDC policy interfaces from KDB interfaces also
allows us to better control the complexity of the KDB interface.

(Note that a single shared object can implement multiple module
interfaces.  Also, a policy module implemented within the same shared
object as a KDB module could still access the database by retrieving the
database handle from the krb5_context object.)
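As an added illustration of the policy decision discussed above (not code from krb5 or from this thread, and not the KDB or any KDC policy interface): a hypothetical lifetime check that receives the authentication indicators as a NULL-terminated string array, compares them against a constructed indicator-to-cap table, and returns the reduced lifetime. The indicator names and caps are made-up sample values.

```c
#include <stdio.h>
#include <string.h>

/* Seconds, in the spirit of krb5_deltat (assumption: plain long here). */
typedef long deltat_t;

/* Constructed policy table: which indicator caps the lifetime, and at what. */
struct lifetime_rule {
    const char *indicator;
    deltat_t max_lifetime;
};

static const struct lifetime_rule rules[] = {
    { "otp",    4 * 3600 },   /* sample: 2FA via OTP capped at 4 hours */
    { "pkinit", 10 * 3600 },  /* sample: certificate auth capped at 10 hours */
};

/*
 * Hypothetical policy hook.  indicators is NULL-terminated, the shape a
 * KDC policy module would receive them in; requested is the lifetime the
 * KDC would otherwise grant.  Every matching rule may only shorten the
 * result, so with several indicators the most restrictive cap wins and an
 * indicator with no rule leaves the lifetime untouched.
 */
deltat_t policy_lifetime(const char *const *indicators, deltat_t requested)
{
    deltat_t result = requested;
    const char *const *ind;
    size_t i;

    if (indicators == NULL)
        return requested;
    for (ind = indicators; *ind != NULL; ind++) {
        for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
            if (strcmp(*ind, rules[i].indicator) == 0 &&
                rules[i].max_lifetime < result)
                result = rules[i].max_lifetime;
        }
    }
    return result;
}

int main(void)
{
    const char *otp[] = { "otp", NULL };
    printf("24h request with otp indicator -> %ld s\n",
           policy_lifetime(otp, 24 * 3600));
    return 0;
}
```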
