Alternative proxy-creds API for constrained-delegation

Isaac Boukris iboukris at gmail.com
Wed Jun 3 18:20:53 EDT 2020 

On Wed, Jun 3, 2020 at 11:26 PM Nico Williams <nico at cryptonector.com> wrote:
>
> On Wed, Jun 03, 2020 at 02:34:13PM -0500, Nico Williams wrote:
> > On Wed, Jun 03, 2020 at 06:54:01PM +0200, Isaac Boukris wrote:
> > > On Wed, Jun 3, 2020 at 5:58 PM Nico Williams <nico at cryptonector.com> wrote:
> > > > On Wed, Jun 03, 2020 at 02:15:58PM +0200, Isaac Boukris wrote:
> > > > > This sounds a lot of application logic, and we also don't want to
> > > > > implicitly delegate a ticket at this point.
> > > >
> > > > On the contrary, this makes the app simpler because configuration now is
> > > > something of a hole: the app doesn't need to know anything about it, it
> > > > just passes through settings from a config file.
> > > >
> > > > We do this in our sshd already, so it won't need _any_ changes in order
> > > > to use this new configuration parameter.
> > >
> > > Not sure I follow, so your sshd won't need any changes, how does that
> > > make it simple for others? And again, we don't want to implicitly
> > > delegate a ticket at this point.
> >
> > I'm going to publish our patches (got permission today), and hopefully
> > we can coalesce on one fork of OpenSSH with GSS KEYEX and then we can
> > contribute to OpenSSH.
>
> https://github.com/gss-openssh/openssh-portable/tree/V_8_0_P1-with-gss-keyex-and-HPN
>
> I'll be rebasing these, squashing some dropping all the "Release ..."
> commits, maybe splitting Debian, HPN, and GSS KEYEX commits into
> separate branches, with master having all the patches.
>
> > Regardless, if you follow this pattern in other apps, you'll get the
> > same benefit of making the use of new configuration parameters not
> > require further app changes -- IMO minimizing future needed code changes
> > is a very powerful feature.
>
> The code in question is here:
>
>  - cred_store key/value setup:
>
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L161
>
>    Yes, it's more lines of code than your alternative, but this has to
>    be written only once -- new config parameters can just be added to
>    sshd_config (see below).
>
>  - gss_store_cred_into2() call:
>
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/gss-serv-generic.c#L178
>
>  - relevant sshd_config parsing parts:
>
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L283
>    https://github.com/gss-openssh/openssh-portable/blob/V_8_0_P1-with-gss-keyex-and-HPN/servconf.c#L1611

Thanks, I think I get it better now.

> Now I'm thinking it'd be nice to have separate sshd_config params for
> acceptor acquisition from cred_store and storing of
> deleg_cred_handles...

So if we go with gss_acquire_cred_from(), we can add a new store
option "delegation-policy: client-tgt,client-ticket" which will
override the corresponding krb5.conf option, which will default to
"client-tgt,proxy-creds". Then one could add GssCredStoreKeyValue
delegation-policy ...

More information about the krbdev mailing list