PKINIT and instance principals.

Dr. Greg Wettstein greg at wind.enjellic.com
Sun Jan 29 04:52:32 EST 2017 

Good morning, I hope this note finds everyone's day going well.

We wanted to bounce this issue off the Kerberos development community
to find out if we are dealing with a regression in the Kerberos PKINIT
code or misinterpretation of the issue on our part.

We maintain the Hurdo package which implements Kerberos credential
authenticated sudo support over OpenSSH.  The package can be found at
the following URL:

ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.3.0.tar.gz

This package implements support for authenticating a sudo privilege
escalation with a short lived Kerberos service ticket sent over an
OpenSSH local message channel.  It provides a framework for using
Kerberos to authenticate sudo requests without the risk of horizontal
privilege escalation in the event of a compromised host.  It includes
support for propagating the requests through bastion or 'jump' hosts.

Version 0.3 has full support for PKINIT but in our testing of
'instance' principals of the following form:

sudo/UID at REALM

kinit returns the following error:

Client name mismatch while getting initial credentials.

We have confirmed that this persists through the 1.14.4 Kerberos
release.

With debug enabled in the pkinit.so pre-authentication module we have
traced the problem to the verify_client_san() function which ends up
trying to compare the following two principals:

sudo\/UID at REALM

sudo/UID at REALM

Which obviously fails.

Examining the certificate in DER form indicates the principal name is
encoded as sudo/UID at REALM as is desired.  It appears something goes
wrong in the following function:

pkinit_crypto_openssl:crypto_retrieve_X509_sans()

Which generates the 'backslash protected' instance principal from the
Subject Alternate Name supplied principal in the pre-authentication
certificate.

We will keep tracing this but wanted to verify that this was not some
intentionally desired behavior by the Kerberos developers.  If so was
there a decision to deny use of instance principals for PKINIT?

We will look forward to any reflections the development community may
have.  Including a patch if someone else has managed to run into
this... :-)

Have a good week.

Greg

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"So you got your butt kicked by an 'old' guy.

 Before you taunted him did it ever cross your mind that the $1200
 Schmoelke aero-bars he was laying on and the $900 Rocket7 cycling
 shoes he was wearing might mean that the $10,000 custom bike frame he
 was riding might be used for more than transportation to the Dairy
 Queen each night for a Dilly Bar?"
                                -- Dr. G.W. Wettstein
                                   Resurrection

--

More information about the krbdev mailing list