PPTP / L2TP with Kerberos -- what specs does it follow?


PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein (OpenFortress)
Hello,

I was surprised to find Kerberos authentication for both PPTP and L2TP on Mac OS X.  I have been looking for specs, including for EAP, but failed to find any.  Am I overlooking sth?

Thanks,
 -Rick
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Hugh Cole-Baker

> On 26 Nov 2014, at 17:18, [hidden email] wrote:
>
> Hello,
>
> I was surprised to find Kerberos authentication for both PPTP and L2TP on Mac OS X.  I have been looking for specs, including for EAP, but failed to find any.  Am I overlooking sth?
>
> Thanks,
> -Rick
>

Hi Rick,

I was looking for information about this EAP mechanism, called EAP-KRB by Apple, a while ago but couldn’t find any published spec for it. I also looked in Apple’s open source projects, and found that the C files where it (would be) implemented have been truncated to remove all the actual code and only leave the headers. [1]

It looks like it is a mechanism Apple have come up with but unfortunately have kept the details proprietary.

[1] http://www.opensource.apple.com/source/ppp/ppp-786.1.1/Authenticators/EAP-KRB/

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Frank Cusack-6
https://tools.ietf.org/html/draft-aboba-pppext-eapgss-12 maybe

On Wed, Nov 26, 2014 at 12:34 PM, Hugh Cole-Baker <[hidden email]>
wrote:

>
> > On 26 Nov 2014, at 17:18, [hidden email] wrote:
> >
> > Hello,
> >
> > I was surprised to find Kerberos authentication for both PPTP and L2TP
> on Mac OS X.  I have been looking for specs, including for EAP, but failed
> to find any.  Am I overlooking sth?
> >
> > Thanks,
> > -Rick
> >
>
> Hi Rick,
>
> I was looking for information about this EAP mechanism, called EAP-KRB by
> Apple, a while ago but couldn’t find any published spec for it. I also
> looked in Apple’s open source projects, and found that the C files where it
> (would be) implemented have been truncated to remove all the actual code
> and only leave the headers. [1]
>
> It looks like it is a mechanism Apple have come up with but unfortunately
> have kept the details proprietary.
>
> [1]
> http://www.opensource.apple.com/source/ppp/ppp-786.1.1/Authenticators/EAP-KRB/
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein (OpenFortress)
Hi Frank & Hugh,

Thanks.  It sounds rather silly to me, to build such a thing and conceal the protocol — especially with Apple not active on the server market, an open protocol would seem the best choice?

There is one potential other link I found, but I’m not sure if it works — RADIUS has a (rather concealed) Auth-Type Kerberos implemented in rlm_krb5.  This might be another route through which it can be achieved, but then still I’m uncertain how RADIUS would fit in with PPTP and/or L2TP.

I found a description of how to enable eduroam with Kerberos authentication — and since this is 802.1x I assumed that EAP is used.
https://www.eduroam.us/node/45

This runs inside TTLS, and that’s where I got stuck, since I assumed it always ran one of the modes of
https://tools.ietf.org/html/rfc5281#section-11.2
However, reading
https://tools.ietf.org/html/rfc5281#section-10
it appears that general AVPs for RADIUS / DIAMETER are supported — and that includes RADIUS’ support for Kerberos authentication.  Except that it is not supported by the IANA registry,
http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10

This continues to puzzle me… one, the incredible path to get to Kerberos as a result of all these generic switch points, and second, the lack of an official spec for this use of Kerberos.

Cheers,
 -Rick

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein (OpenFortress)
Hi,

> it appears that general AVPs for RADIUS / DIAMETER are supported — and that includes RADIUS’ support for Kerberos authentication.  Except that it is not supported by the IANA registry,
> http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10

I think this is simply being ignored by practical software.  Here is a detailed discussion of how to configure FreeRADIUS to use Kerberos with 802.1x authentication:

http://freeradius.1045715.n5.nabble.com/802-1x-amp-kerberos-td2765708.html

> This continues to puzzle me… one, the incredible path to get to Kerberos as a result of all these generic switch points, and second, the lack of an official spec for this use of Kerberos.

The lack of official specs appears to be the case here; in practice, it sounds like it works (on most (?) platforms?).

-Rick

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Frank Cusack-6
On Fri, Nov 28, 2014 at 12:29 AM, Rick van Rein <[hidden email]>
wrote:

> Here is a detailed discussion of how to configure FreeRADIUS to use
> Kerberos with 802.1x authentication:
>
> http://freeradius.1045715.n5.nabble.com/802-1x-amp-kerberos-td2765708.html
>

That discussion is how to set up a PAP request inside an EAP-TTLS tunnel,
which is then backended by Kerberos.  IOW, the client has to send the
password.  This is rather server-specific (how to configure different
authentication databases) and not really a "Kerberos" authentication.

I didn't read the document, but from the name of it the EAP-GSS method I
noted earlier would be a true Kerberos authentication -- the client has to
pass on a kerberos token, not a password.  It sounded like that's what you
were going after.  I wouldn't be surprised if this isn't well
implemented/supported/documented.  It would require the KDC to be out in
the open (to get the ticket used for the VPN auth) and most folks aren't
going to do that.

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein (OpenFortress)
Hi Frank,

> I didn't read the document, but from the name of it the EAP-GSS method I noted earlier would be a true Kerberos authentication -- the client has to pass on a kerberos token, not a password.  It sounded like that's what you were going after.

Yes, it is, ideally.

> I wouldn't be surprised if this isn't well implemented/supported/documented.  It would require the KDC to be out in the open (to get the ticket used for the VPN auth) and most folks aren't going to do that.

Interesting observation.  When we go cross-realm, we’ll have to open our KDCs to the public… at least the TGS part, but that’s indistinguishable from the AS part (same SRV record)…

-Rick

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Frank Cusack-6
On Fri, Nov 28, 2014 at 12:54 AM, Rick van Rein <[hidden email]>
wrote:

> Hi Frank,
>
> > I didn't read the document, but from the name of it the EAP-GSS method I
> noted earlier would be a true Kerberos authentication -- the client has to
> pass on a kerberos token, not a password.  It sounded like that's what you
> were going after.
>
> Yes, it is, ideally.
>
> > I wouldn't be surprised if this isn't well
> implemented/supported/documented.  It would require the KDC to be out in
> the open (to get the ticket used for the VPN auth) and most folks aren't
> going to do that.
>
> Interesting observation.  When we go cross-realm, we’ll have to open our
> KDCs to the public… at least the TGS part, but that’s indistinguishable
> from the AS part (same SRV record)…
>

I had a passing thought to mention, but decided against it, that yeah
cross-realm is the one place I could see this being more likely.

A couple of years ago I did a [proprietary] implementation of a TGS-only
server designed to sit on the public Internet.  The idea was to do a more
traditional web auth (sending password to server) to a tried and true web
auth front-end, and you'd get back a token which an extension would pass on
to the TGS server and give you a ticket.  Through a bit of convolution this
could then be dropped in the filesystem.

There were numerous advantages to this approach for our environment,
however we never deployed it.  I should have written a brief paper at the
time.
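Rick's remark above that the TGS and AS parts of a KDC share one SRV record, and Frank's TGS-only front-end, come down to the same fact: DNS cannot separate the two exchanges, but the wire format can. The following is an added example, not code from this thread or from any KDC implementation. It reads the outer ASN.1 APPLICATION tag of a raw Kerberos message (RFC 4120 assigns [APPLICATION 10] to AS-REQ and [APPLICATION 12] to TGS-REQ), unwraps the 4-byte length prefix used over TCP, and applies a TGS-only admission policy of the kind Frank describes. The sample messages are constructed; only the outer tag and length are meaningful and the bodies are filler.

```python
"""Classify raw Kerberos messages by their outer ASN.1 APPLICATION tag.

Added example, not from the thread. A single _kerberos._udp SRV record
points clients at one endpoint for both AS and TGS exchanges, so a
TGS-only public front-end has to tell the two apart on the wire, by the
KDC-REQ message type (RFC 4120 section 5.10).
"""

import struct

# RFC 4120 APPLICATION tag numbers for the top-level Kerberos messages.
KRB_MSG_TYPES = {
    10: "AS-REQ",
    11: "AS-REP",
    12: "TGS-REQ",
    13: "TGS-REP",
    14: "AP-REQ",
    15: "AP-REP",
    20: "KRB-SAFE",
    21: "KRB-PRIV",
    22: "KRB-CRED",
    30: "KRB-ERROR",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1  # short form
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_kerberos_message(datagram):
    """Return the Kerberos message name for a raw UDP KDC message, or None."""
    if len(datagram) < 2:
        return None
    tag = datagram[0]
    # Class bits 01 = APPLICATION, bit 0x20 = constructed, tag number in the low 5 bits.
    if tag & 0xC0 != 0x40 or not tag & 0x20:
        return None
    tag_number = tag & 0x1F
    if tag_number == 0x1F:
        return None  # high-tag-number form; not used for Kerberos top-level messages
    try:
        length, body_start = _der_length(datagram, 1)
    except (ValueError, IndexError):
        return None
    if body_start + length != len(datagram):
        return None  # truncated message or trailing garbage
    return KRB_MSG_TYPES.get(tag_number)


def unwrap_tcp_record(stream):
    """Strip the 4-byte big-endian length prefix of Kerberos over TCP (RFC 4120 7.2.2)."""
    if len(stream) < 4:
        raise ValueError("short TCP record")
    (length,) = struct.unpack("!I", stream[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in TCP record length")
    if len(stream) != 4 + length:
        raise ValueError("TCP record length mismatch")
    return stream[4:]


def admit_tgs_only(datagram):
    """Policy for a TGS-only public front-end: only TGS-REQ is forwarded to the KDC."""
    return classify_kerberos_message(datagram) == "TGS-REQ"


def _constructed(tag_number, body):
    """Wrap filler bytes in a constructed APPLICATION tag (sample data only)."""
    if len(body) >= 0x80:
        raise ValueError("short-form length only in this example")
    return bytes([0x60 | tag_number, len(body)]) + body


# Constructed sample messages: the bodies are filler, not real KDC-REQ contents.
SAMPLE_AS_REQ = _constructed(10, b"\x30\x03\x02\x01\x05")
SAMPLE_TGS_REQ = _constructed(12, b"\x30\x03\x02\x01\x05")
SAMPLE_KRB_ERROR = _constructed(30, b"\x30\x03\x02\x01\x05")
SAMPLE_TCP_TGS_REQ = struct.pack("!I", len(SAMPLE_TGS_REQ)) + SAMPLE_TGS_REQ

if __name__ == "__main__":
    for name, msg in (("AS", SAMPLE_AS_REQ), ("TGS", SAMPLE_TGS_REQ), ("ERR", SAMPLE_KRB_ERROR)):
        print(name, classify_kerberos_message(msg), "admit:", admit_tgs_only(msg))
```

The classifier deliberately rejects anything whose declared DER length does not match the datagram, so a front-end built on it fails closed on malformed traffic rather than forwarding it to the KDC.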

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein (OpenFortress)
Hey,

> There were numerous advantages to this approach for our environment, however we never deployed it.  I should have written a brief paper at the time.

You still may ;-)

It would require a new SRV record, and it would confuse Kerberos clients, I suspect.  But it’s an interesting angle.

-Rick

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Frank Cusack-6
On Fri, Nov 28, 2014 at 1:15 AM, Rick van Rein <[hidden email]> wrote:

> Hey,
>
> > There were numerous advantages to this approach for our environment,
> however we never deployed it.  I should have written a brief paper at the
> time.
>
> You still may ;-)
>
> It would require a new SRV record, and it would confuse Kerberos clients,
> I suspect.  But it’s an interesting angle.
>

IIRC, we were going to remove the traditional AS altogether.  So a standard
client would need a TGT to start with (retrieved from the TGS, I don't
recall if this was a special case or just treated as an ordinary ticket)
and would only have to or be able to interact with the TGS.

Now I remember the primary advantage -- more extensibility and choices
(even dynamic) of initial authentication methods.  But this also led to
follow-on advantages.

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Benjamin Kaduk-2
In reply to this post by Frank Cusack-6
Sorry to focus in on just a single offhand remark, but ...

On Fri, 28 Nov 2014, Frank Cusack wrote:

> implemented/supported/documented.  It would require the KDC to be out in
> the open (to get the ticket used for the VPN auth) and most folks aren't
> going to do that.

... can you say more about *why* most folks aren't going to do that?

We have our KDC open to the public here at MIT, and the Kerberos protocol
is explicitly designed to be usable over public (untrusted) networks.

Now, if users are using weak passwords, this can cause problems, but there
are technologies to work around those as well, such as FAST tunnels or an
https proxy, or even passwordless authentication such as via PKINIT.

We would really like to understand better (and hopefully counter) this
idea that KDCs should not be exposed to the public internet.

Thanks,

Ben
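Ben's point that the protocol is designed for untrusted networks, with weak passwords as the caveat, suggests what the operator of a public KDC should actually be watching. The following is an added example, not code from this thread or from MIT krb5. It triages KDC log lines for two signals: repeated PREAUTH_FAILED results from one client address (online guessing), and AS_REQ ISSUEs that were never preceded by a NEEDED_PREAUTH round trip for the same client and principal, meaning an AS-REP encrypted under the user's long-term key went out without pre-authentication, which is exactly what makes a weak password guessable offline. The log lines are constructed in the style of MIT krb5kdc's info log; the field layout encoded in LOG_RE is an assumption about that format and should be adjusted to your KDC's output.

```python
"""Triage krb5kdc-style log lines for an Internet-reachable KDC.

Added example, not from the thread. Flags (1) client addresses with many
PREAUTH_FAILED results and (2) AS-REQs that were ISSUEd without the KDC
first demanding pre-authentication from that client for that principal.
Sample log lines are constructed in MIT krb5kdc's log style (assumed layout).
"""

import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<client>[0-9A-Fa-f.:]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client@REALM for service@REALM" appears in the free-text tail of each line.
PRINC_RE = re.compile(r"(?P<princ>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)")


def parse_kdc_line(line):
    """Return the interesting fields of one KDC log line, or None if it is not one."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec.pop("rest"))
    rec["princ"] = p.group("princ") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def triage(lines, fail_threshold=5):
    """Return (guessing_sources, issued_without_preauth) for an iterable of log lines.

    guessing_sources maps client address -> PREAUTH_FAILED count at or above the threshold.
    issued_without_preauth lists (client, principal) pairs whose AS_REQ was ISSUEd
    without a NEEDED_PREAUTH line for that pair earlier in the log.
    """
    failures = Counter()
    saw_needed_preauth = set()
    issued_without_preauth = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None or rec["req"] != "AS_REQ":
            continue  # TGS exchanges are already authenticated by a TGT
        key = (rec["client"], rec["princ"])
        if rec["status"] == "PREAUTH_FAILED":
            failures[rec["client"]] += 1
        elif rec["status"] == "NEEDED_PREAUTH":
            saw_needed_preauth.add(key)
        elif rec["status"] == "ISSUE" and key not in saw_needed_preauth:
            issued_without_preauth.append(key)
    guessing_sources = {c: n for c, n in failures.items() if n >= fail_threshold}
    return guessing_sources, issued_without_preauth


# Constructed sample log: a normal preauth'd login, a principal without preauth,
# a TGS exchange, and six failed preauth attempts from one address.
SAMPLE_LOG = (
    "Nov 28 10:00:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: "
    "NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required\n"
    "Nov 28 10:00:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: "
    "ISSUE: authtime 1417168801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "Nov 28 10:00:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: "
    "ISSUE: authtime 1417168802, etypes {rep=23 tkt=18 ses=18}, svc-legacy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "Nov 28 10:00:03 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: "
    "ISSUE: authtime 1417168801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/fs.example.com@EXAMPLE.COM\n"
) + "".join(
    f"Nov 28 10:01:{i:02d} kdc krb5kdc[1234](info): AS_REQ (4 etypes {{18 17 16 23}}) 203.0.113.9: "
    f"PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed\n"
    for i in range(6)
)

if __name__ == "__main__":
    sources, no_preauth = triage(SAMPLE_LOG.splitlines())
    print("online guessing from:", sources)
    print("issued without preauth:", no_preauth)
```

The second signal is the one that matters most once the KDC is public: a principal that never triggers NEEDED_PREAUTH is handing anyone who asks a ciphertext under its password-derived key, and the fix is on the KDC side (require pre-authentication for the principal, or move it to FAST or PKINIT as Ben suggests), not in the firewall.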

RE: PPTP / L2TP with Kerberos -- what specs does it follow?

Nordgren, Bryce L -FS

> > implemented/supported/documented.  It would require the KDC to be out
> > in the open (to get the ticket used for the VPN auth) and most folks
> > aren't going to do that.
>
> ... can you say more about *why* most folks aren't going to do that?

Caveat: I'm not at all involved with security decisions here at USDA, but I can observe a few things.

Our KDC is integrated with Active Directory. Active Directory (actually, all desktop/workstation oriented technology) is perceived as an intranet technology. "Internet technology" is perceived to be both public facing and web-based. Our SAML IdP has been mandated for use outside the firewall. This, of course, falls apart for those cases where perception is different from reality (i.e., using desktops/workstations for external collaboration).

The CIO has responsibility for issuing and maintaining tens of thousands of predominantly office machines, which are mandated to always be on the intranet, either physically or via VPN. External collaboration is an exception to the rule, the end-to-end responsibility for which rests on the end user. End users would rather not learn Kerberos at all, much less manage a KDC for themselves and all comers. The professionals concern themselves only with internal use.

At least, these are the obstacles I have encountered in my attempts to externally collaborate with desktop technology.

Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.


Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Ken Hornstein
In reply to this post by Benjamin Kaduk-2
>We would really like to understand better (and hopefully counter) this
>idea that KDCs should not be exposed to the public internet.

I can only offer my $0.02.

I have gotten this strong pushback from people who are running a KDC which is
part of their Active Directory server.  The idea of making the Active Directory
server reachable from the public internet is simply frightening to them.  I
got the impression that people get information from Microsoft that making
the AD server accessible to the public internet is a bad idea, but don't
quote me on that.

Actually, DO quote me on that.  I'll give you some references:

    http://technet.microsoft.com/en-us/library/dn509513.aspx

The key quote here:

    Domain controllers and AD FS servers should never be exposed
    directly to the Internet and should only be reachable through the
    VPN connection.

Also, I suspect that many AD administrators don't see the need; why
would you ever take a managed computer outside of the intranet?  They
don't view AD as a KDC implementation; they view it as "the Microsoft
authentication server", and to them there are only downsides to exposing
it to the Internet at large.  You could explain about the Kerberos
protocol to them until you're blue in the face (believe me, I've tried),
but they don't care and aren't interested in hearing about it.  If it's
you vs. the official Microsoft recommendation, you're going to lose.

I think that if you (by "you" I mean MIT) reached out to Microsoft and
got them to publish an official technote on their website saying that it
is safe to make the Kerberos bits of your domain controller accessible
from the Internet, that would go a long way toward solving this problem.

(The people I know who run an open-source KDC generally don't have a
problem making it available to the Internet; I don't know if that's
because that's more common in that world, a higher sophistication on
part of the administrators, or some other factor).

--Ken


Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein (OpenFortress)
Hi,

I was also surprised about the fear of opening a KDC up to the public, but...

> The idea of making the Active Directory
> server reachable from the public internet is simply frightening to them.

…in this specific vendor case I can imagine.  The closedness of the code,
combined with the track record of this particular vendor in security matters
would make me think again.  That is perhaps FUD-based reasoning.

>    http://technet.microsoft.com/en-us/library/dn509513.aspx
>
> The key quote here:
>
>    Domain controllers and AD FS servers should never be exposed
>    directly to the Internet and should only be reachable through the
>    VPN connection.

This is a very general statement, and is too broad to conclude that the
Kerberos5 p[ao]rt should be confined to a LAN.

> Also, I suspect that many AD administrators don't see the need; why
> would you ever take a managed computer outside of the intranet?

The modern keyword “mobility” springs to mind…
And of course “SSO” as a clinching argument for users…

-Rick

RE: PPTP / L2TP with Kerberos -- what specs does it follow?

Nordgren, Bryce L -FS
> >    Domain controllers and AD FS servers should never be exposed
> >    directly to the Internet and should only be reachable through the
> >    VPN connection.
>
> This is a very general statement, and is too broad to conclude that the
> Kerberos5 p[ao]rt should be confined to a LAN.

Kerberos is not a complete identity solution. You would also need to expose the LDAP p[ao]rt which parcels out a few user attributes (name, email, something like an SID or UID/GID...) Otherwise you have to synchronize two pieces of an identity solution run by two different organizations/people.

My understanding is that most AD trusts involve much more than just Kerberos, are two way and are transitive. There's no middle ground between "isolated" and "at the mercy of all comers."

> The modern keyword “mobility” springs to mind… And of course “SSO” as a
> clinching argument for users…

Kerberos is not a good cross-organization SSO solution, and if you're not talking cross-organization, why are you talking about off-LAN operations? :) Nico's new PKCROSS draft may change that.

Bryce


Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Ken Hornstein
>Kerberos is not a good cross-organization SSO solution, and if you're

Not sure what you mean by that; been doing cross-organization SSO for over
15 years with a wide variety of organizations; it works just fine.

--Ken

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Ken Hornstein
In reply to this post by Nordgren, Bryce L -FS
>Kerberos is not a complete identity solution. You would also need to
>expose the LDAP p[ao]rt which parcels out a few user attributes (name,
>email, something like an SID or UID/GID...) Otherwise you have to
>synchronize two pieces of an identity solution run by two different
>organizations/people.

That is NOT true.

I'm just talking about the Kerberos portion, of course, but Kerberos _clients_
do not need access to LDAP.  Depending what you're doing on the application
server side, yes, I can see that.  But I know plenty of people (including
us) who have their KDCs Internet-accessible without exposing their LDAP
servers to the Internet.

The specific implementation of Active Directory may require LDAP (or
other protocol) access for Windows clients, but it is important to note
that this is NOT a requirement for the Kerberos protocol in general.

--Ken

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein (OpenFortress)
In reply to this post by Nordgren, Bryce L -FS
Hi,

> Kerberos is not a complete identity solution.

As I understand Kerberos, it IS…

 * a complete local authentication platform
 * a statically configurable realm-xover authentication platform

…and it IS NOT…

 * an on-the-fly realm-xover authentication platform
 * an authorisation platform

The first one is a miss, and is being worked on (PKCROSS, the KREALM record, and ever-improving integration in protocols).

Authorisation is out of scope, and might need something like LDAP.  Note that authorisation requires trust of the protected resource, so it is usually in the same realm, just using the authenticated identity that has done a realm-xover if necessary.

-Rick

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

Benjamin Kaduk-2
In reply to this post by Ken Hornstein
On Sun, 30 Nov 2014, Ken Hornstein wrote:

> >We would really like to understand better (and hopefully counter) this
> >idea that KDCs should not be exposed to the public internet.
>
> I can only offer my $0.02.

Thanks for sharing your thoughts, Ken and Bryce -- it is useful to hear
them.

I don't know how successful I would be at asking for changes to
Microsoft's documentation, but it is at least a concrete thing to try. :)

-Ben