Authentication strength and ticket policy

Matt Rogers mrogers at redhat.com
Mon May 1 13:28:30 EDT 2017 

On Wed, Sep 14, 2016 at 11:51 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 09/13/2016 03:57 PM, Matt Rogers wrote:
>> On the call we briefly discussed the request to be able to influence
>> the ticket lifetime based on the preauth method used (ie. shorter
>> lifetimes for 2FA tickets).  It would be good to continue the
>> discussion here.
>
> We could either implement this feature request completely within the
> core krb5 code, or merely make it possible to implement using plugin
> modules.  The first option is difficult; our database schema isn't
> especially malleable, and making ticket lifetimes conditional on
> authentication indicators would require adding a lot of complexity to
> it.  So I think it's more likely that we would enable the feature to be
> implemented using plugin modules.
>
> There are currently a few external interfaces for policy checking within
> the KDB interface.  The relevant ones (check_policy_as and
> check_policy_tgs) are inadequate for this feature for two reasons: they
> do not receive the authentication indicators as an input, and they
> cannot influence ticket lifetimes as an output.
>
> Also, while having policy interfaces only within the KDB interface is
> adequate for FreeIPA and similar integrations, it makes it impossible to
> influence policy from a plugin module without also writing a complete
> KDB module.  That's why I favor creating a separate KDC policy
> interface.  Separating KDC policy interfaces from KDB interfaces also
> allows us to better control the complexity of the KDB interface.
>
> (Note that a single shared object can implement multiple module
> interfaces.  Also, a policy module implemented within the same shared
> object as a KDB module could still access the database by retrieving the
> database handle from the krb5_context object.)

(Resurrecting this thread now that I'm able to look into this feature
some more). I've added some design considerations for the plugin
approach to a wiki page:
https://k5wiki.kerberos.org/wiki/Projects/KDC_TGS_Policy_plugin
Comments and edits are welcome!

Regards,
Matt

More information about the krbdev mailing list