PKINIT and instance principals.

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view

PKINIT and instance principals.

Dr. Greg Wettstein
Good morning, I hope this note finds everyone's day going well.

We wanted to bounce this issue off the Kerberos development community
to find out if we are dealing with a regression in the Kerberos PKINIT
code or misinterpretation of the issue on our part.

We maintain the Hurdo package which implements Kerberos credential
authenticated sudo support over OpenSSH.  The package can be found at
the following URL:

This package implements support for authenticating a sudo privilege
escalation with a short lived Kerberos service ticket sent over an
OpenSSH local message channel.  It provides a framework for using
Kerberos to authenticate sudo requests without the risk of horizontal
privilege escalation in the event of a compromised host.  It includes
support for propagating the requests through bastion or 'jump' hosts.

Version 0.3 has full support for PKINIT but in our testing of
'instance' principals of the following form:


kinit returns the following error:

Client name mismatch while getting initial credentials.

We have confirmed that this persists through the 1.14.4 Kerberos

With debug enabled in the pre-authentication module we have
traced the problem to the verify_client_san() function which ends up
trying to compare the following two principals:



Which obviously fails.

Examining the certificate in DER form indicates the principal name is
encoded as sudo/UID@REALM as is desired.  It appears something goes
wrong in the following function:


Which generates the 'backslash protected' instance principal from the
Subject Alternate Name supplied principal in the pre-authentication

We will keep tracing this but wanted to verify that this was not some
intentionally desired behavior by the Kerberos developers.  If so was
there a decision to deny use of instance principals for PKINIT?

We will look forward to any reflections the development community may
have.  Including a patch if someone else has managed to run into
this... :-)

Have a good week.


As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: [hidden email]
"So you got your butt kicked by an 'old' guy.

 Before you taunted him did it ever cross your mind that the $1200
 Schmoelke aero-bars he was laying on and the $900 Rocket7 cycling
 shoes he was wearing might mean that the $10,000 custom bike frame he
 was riding might be used for more than transportation to the Dairy
 Queen each night for a Dilly Bar?"
                                -- Dr. G.W. Wettstein

krbdev mailing list             [hidden email]
Reply | Threaded
Open this post in threaded view

Re: PKINIT and instance principals.

Greg Hudson
On 01/29/2017 04:52 AM, Dr. Greg Wettstein wrote:
> Examining the certificate in DER form indicates the principal name is
> encoded as sudo/UID@REALM as is desired.

I'm not sure this is correct.  An AnotherName of type KRB5PrincipalName
is defined by RFC 4556 to be of type KRB5PrincipalName:

   KRB5PrincipalName ::= SEQUENCE {
       realm                   [0] Realm,
       principalName           [1] PrincipalName

and PrincipalName is defined by RFC 4120 as:

    PrincipalName   ::= SEQUENCE {
        name-type       [0] Int32,
        name-string     [1] SEQUENCE OF KerberosString

If in the DER you are seeing a name-string containing a length-1
sequence containing the string "sudo/UID", that is a single-component
principal, which unparses to "sudo\/UID@REALM" as you saw.

(It would certainly be simpler to create PKINIT certificates using
OpenSSL if RFC 4556 had used unparsed principal names instead of
ASN.1-encoding them.  But that ship sailed long ago.)

To correctly generate a multi-component principal name in the
certificate using an OpenSSL extensions file, the SEQUENCE of principal
components needs to contain separate elements for each principal.  In you can
see this being done in the extensions file for the KDC certificate, and
you can apply something similar for client certificates.  Our
documentation in this area could be improved; we have an open issue at:
krbdev mailing list             [hidden email]