Will the Real get-a-tgt-with-a-password Function Please Stand Up?


Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Henry B. Hotz
This might suddenly become urgent, so apologies for my obsolete  
background for this question, but:

There is a function in the (admittedly obsolete) MIT API document that  
will get a tgt, given a password as input.  Looking at the Heimdal and  
MIT source for the kinit program a couple of years ago it struck me  
that neither one of them used that function.  They each appeared to use  
different, other routines for that function.

What's the "right", implementation-independent way to do that?  Is the  
answer different if you are just checking passwords and don't need to  
keep the tgt?
------------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Simon Wilkinson
Henry B. Hotz wrote:

> What's the "right", implementation-independent way to do that?  Is the  
> answer different if you are just checking passwords and don't need to  
> keep the tgt?

Implementation independence? Kerberos libraries? You'll be lucky!

The conclusion that was reached whilst the OpenSSH krb5 code was being
reviewed was something akin to the following (for the MIT code):

/* 1. AS exchange: obtain a TGT with the supplied password */
problem = krb5_get_init_creds_password(krb5_ctx, &creds,
             krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
/* 2. host/<fqdn>@REALM, the principal whose key is in this host's keytab */
problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
             KRB5_NT_SRV_HST, &server);
/* 3. use the TGT to fetch a ticket for that principal and check that it
      decrypts with the keytab key; a substituted KDC cannot produce one */
problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
             NULL, NULL, NULL);
krb5_free_principal(krb5_ctx, server);

Heimdal does:

problem = krb5_verify_user(krb5_ctx, krb5_user,
             ccache, password, 1, NULL);
(which also populates a ccache for you, and calls krb5_kuserok)

Note that in the MIT case just calling get_init_creds_password() isn't
sufficient to verify that a user has correctly authenticated - you need
to use verify_init_creds() as well, in order to avoid KDC replacement
attacks. Oh, and obviously the error code returned should be checked
after every call.

Hope that helps. If you want to look further - the code is in
auth-krb5.c in the OpenSSH portable distribution.

Cheers,

Simon.

Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

hartmans
In reply to this post by Henry B. Hotz
I believe both MIT and Heimdal support krb5_get_init_creds and
krb5_verify_init_creds.  Heimdal has an additional convenience
function.

Note that calling verify_init_creds is mandatory for secure operation
if you are checking for local access.


Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Donn Cave
In reply to this post by Simon Wilkinson
On Jun 3, 2005, at 10:32 AM, Simon Wilkinson wrote:

> Henry B. Hotz wrote:
>> What's the "right", implementation-independent way to do that?  Is  
>> the  answer different if you are just checking passwords and don't  
>> need to  keep the tgt?
>
> Implementation independence? Kerberos libraries? You'll be lucky!
>
> The conclusion that was reached whilst the OpenSSH krb5 code was  
> being reviewed was something akin to the following (for the MIT code):
>
> problem = krb5_get_init_creds_password(krb5_ctx, &creds,
>             krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
> problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
>             KRB5_NT_SRV_HST, &server);
> problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
>             NULL, NULL, NULL);
> krb5_free_principal(krb5_ctx, server);
>
> Heimdal does:
>
> problem = krb5_verify_user(krb5_ctx, krb5_user,
>             ccache, password, 1, NULL);
> (which also populates a ccache for you, and calls krb5_kuserok)
>
> Note that in the MIT case just calling get_init_creds_password()  
> isn't sufficient to verify that a user has correctly authenticated  
> - you need to use verify_init_creds() as well, in order to avoid  
> KDC replacement attacks. Oh, and obviously the error code returned  
> should be checked after every call.
>
> Hope that helps. If you want to look further - the code is in auth-
> krb5.c in the OpenSSH portable distribution.

I'm looking at an older version, but I don't see any
krb5_free_cred_contents() afterwards?

Anyway, just wanted to point out that where you don't
need the credentials, at least with MIT I use
krb5_cc_resolve(krb5_ctx, "MEMORY:xyz", &ccache),
plus a krb5_cc_initialize, and then use that krb5_ccache.
I think this would be a minor optimization, but it's good
when /tmp fills up or something.

     Donn Cave, [hidden email]



Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

hartmans
In reply to this post by Simon Wilkinson
I really think that with the exception of krb5_cc_gen_new and a few
other things like that, the MIT branches of the openssh code would
also work for Heimdal.
I may be wrong though.


Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Henry B. Hotz
In reply to this post by hartmans

On Jun 3, 2005, at 10:51 AM, Sam Hartman wrote:

> I believe both MIT and Heimdal support krb5_get_init_creds and
> krb5_verify_init_creds.  Heimdal has an additional convenience
> function.
>
> Note that calling verify_init_creds is mandatory for secure operation
> if you are checking for local access.

Does verify_init_creds call k5userOK (which IIRC is where the check of  
~/.k5login file happens)?

The application is on a Solaris server where the users in question  
don't have local accounts.  If I want to use the installed Sun Kerberos  
do I have an alternative to using PAM?
------------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]


Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

hartmans
>>>>> "Henry" == Henry B Hotz <[hidden email]> writes:

    Henry> On Jun 3, 2005, at 10:51 AM, Sam Hartman wrote:

    >> I believe both MIT and Heimdal support krb5_get_init_creds and
    >> krb5_verify_init_creds.  Heimdal has an additional convenience
    >> function.
    >>
    >> Note that calling verify_init_creds is mandatory for secure
    >> operation if you are checking for local access.

    Henry> Does verify_init_creds call k5userOK (which IIRC is where
    Henry> the check of ~/.k5login file happens)?

No, verify_init_creds is part of authentication; it makes sure the KDC
is the right KDC.  k5userok is part of authorization; it makes sure
the authenticated user is allowed to use the account.


Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Nicolas Williams
In reply to this post by Henry B. Hotz
On Sat, Jun 04, 2005 at 01:16:43PM -0700, Henry B. Hotz wrote:

>
> On Jun 3, 2005, at 10:51 AM, Sam Hartman wrote:
>
> >I believe both MIT and Heimdal support krb5_get_init_creds and
> >krb5_verify_init_creds.  Heimdal has an additional convenience
> >function.
> >
> >Note that calling verify_init_creds is mandatory for secure operation
> >if you are checking for local access.
>
> Does verify_init_creds call k5userOK (which IIRC is where the check of  
> ~/.k5login file happens)?

No -- it verifies the TGT obtained with krb5_get_init_creds*() by
getting a service ticket for a principal for which the system^Wcaller
has a keytab entry.  It's not an authorization function.

> The application is on a Solaris server where the users in question  
> don't have local accounts.  If I want to use the installed Sun Kerberos  
> do I have an alternative to using PAM?

What version of Solaris are you using?  Why wouldn't you want to use the
stock pam_krb5?

Nico
--

Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Henry B. Hotz
On Jun 4, 2005, at 3:31 PM, Nicolas Williams wrote:

> On Sat, Jun 04, 2005 at 01:16:43PM -0700, Henry B. Hotz wrote:
>>
>> The application is on a Solaris server where the users in question
>> don't have local accounts.  If I want to use the installed Sun  
>> Kerberos
>> do I have an alternative to using PAM?
>
> What version of Solaris are you using?  Why wouldn't you want to use  
> the
> stock pam_krb5?

Because I'm a BSD Bigot (TM) and I don't believe in PAM?  ;-)

More seriously, because it's Solaris 8 and, if I have to do anything to  
the mail server's LDAP plug-in, I want to use something better than  
single-DES.  Jeffrey Altman seems to have finished talking them into  
installing an up-to-date Kerberos distribution and doing away with the  
ancient Kludge that just broke.  I also suspect I can't make pam_krb5  
talk to a thread-unique memory cache.

I said I liked what you did in Solaris 10 and I meant it.  I'm not  
quite so happy with what's in Solaris 8-9 though.

> Nico
> --  
------------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]


Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Nicolas Williams
On Sun, Jun 05, 2005 at 12:16:25AM -0700, Henry B. Hotz wrote:

> On Jun 4, 2005, at 3:31 PM, Nicolas Williams wrote:
>
> >On Sat, Jun 04, 2005 at 01:16:43PM -0700, Henry B. Hotz wrote:
> >>
> >>The application is on a Solaris server where the users in question
> >>don't have local accounts.  If I want to use the installed Sun  
> >>Kerberos
> >>do I have an alternative to using PAM?
> >
> >What version of Solaris are you using?  Why wouldn't you want to use  
> >the
> >stock pam_krb5?
>
> Because I'm a BSD Bigot (TM) and I don't believe in PAM?  ;-)
>
> More seriously, because it's Solaris 8 and, if I have to do anything to  
> the mail server's LDAP plug-in, I want to use something better than  
> single-DES.  Jeffrey Altman seems to have finished talking them into  
> installing an up-to-date Kerberos distribution and doing away with the  
> ancient Kludge that just broke.  I also suspect I can't make pam_krb5  
> talk to a thread-unique memory cache.

"Thread-unique"?  Or per-session?  If you need features that Solaris
lacks I'd like to hear about it.  (MIT might want us to take this
offline.)

> I said I liked what you did in Solaris 10 and I meant it.  I'm not  
> quite so happy with what's in Solaris 8-9 though.

Thanks.  Sun put a lot of effort into revamping Solaris' krb5 support
for S10.  I'm glad it shows.

Nico
--

Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Henry B. Hotz
In reply to this post by Henry B. Hotz
Rereading, even my "serious" answer is kind of flip.  I owe you a  
better one, which relates to my dislike of the complexity that PAM  
engenders.  (And it engenders it in precisely the part of the system  
that ought to be kept simple for auditing purposes.)  I am to some  
extent just being a curmudgeon, but I think there is a point to be  
made.

Trying to relate my concerns to actual concrete situations can get  
complex too.  As implied, this situation has other issues that trump  
the whole PAM vs ordinary library issue.

On Jun 5, 2005, at 12:16 AM, Henry B. Hotz wrote:

> On Jun 4, 2005, at 3:31 PM, Nicolas Williams wrote:
>
>> On Sat, Jun 04, 2005 at 01:16:43PM -0700, Henry B. Hotz wrote:
>>>
>>> The application is on a Solaris server where the users in question
>>> don't have local accounts.  If I want to use the installed Sun  
>>> Kerberos
>>> do I have an alternative to using PAM?
>>
>> What version of Solaris are you using?  Why wouldn't you want to use  
>> the
>> stock pam_krb5?
>
> Because I'm a BSD Bigot (TM) and I don't believe in PAM?  ;-)
>
> More seriously, because it's Solaris 8 and, if I have to do anything  
> to the mail server's LDAP plug-in, I want to use something better than  
> single-DES.  Jeffrey Altman seems to have finished talking them into  
> installing an up-to-date Kerberos distribution and doing away with the  
> ancient Kludge that just broke.  I also suspect I can't make pam_krb5  
> talk to a thread-unique memory cache.
>
> I said I liked what you did in Solaris 10 and I meant it.  I'm not  
> quite so happy with what's in Solaris 8-9 though.
>
>> Nico
>> --  
> -----------------------------------------------------------------------
> -----
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> [hidden email], or [hidden email]
>
>
------------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]


Re: Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Roland C. Dowdeswell
In reply to this post by Simon Wilkinson
On 1117819977 seconds since the Beginning of the UNIX epoch
Simon Wilkinson wrote:

>
>Henry B. Hotz wrote:
>
>> What's the "right", implementation-independent way to do that?  Is the  
>> answer different if you are just checking passwords and don't need to  
>> keep the tgt?
>
>Implementation independence? Kerberos libraries? You'll be lucky!
>
>The conclusion that was reached whilst the OpenSSH krb5 code was being
>reviewed was something akin to the following (for the MIT code):
>
>problem = krb5_get_init_creds_password(krb5_ctx, &creds,
>             krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
>problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
>             KRB5_NT_SRV_HST, &server);
>problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
>             NULL, NULL, NULL);
>krb5_free_principal(krb5_ctx, server);

If you are not keeping the TGT, then you should obtain a service ticket
for a key which is in your keytab in the krb5_get_init_creds_password()
stage rather than a TGT.  This will save you an unnecessary round
trip with the KDC.

Something like:

        char hostname[256];
        gethostname(hostname, sizeof(hostname));  /* fills a buffer; it does not return the name */
        asprintf(&sprinc, "host/%s", hostname);
        krb5_get_init_creds_password(ctx, &creds, user, password, NULL,
            NULL, 0, sprinc, NULL);   /* in_tkt_service = host/<name>: the AS-REP carries that
                                         service ticket instead of a TGT */

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
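Simon's MIT sequence and Roland's one-round-trip variant rest on the same check: the ticket the KDC hands back must open with a key from the local keytab. The following Python model is added here and is not code from the thread, OpenSSH, MIT or Heimdal; it stands keyed MACs in for Kerberos encryption and shows why krb5_get_init_creds_password() alone passes against a replacement KDC while the keytab check does not. The realm, principal names and passwords are constructed sample values.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.ORG"           # constructed sample realm
TGS = "krbtgt/" + REALM
HOST = "host/mail.example.org"  # the verifying host's own principal (constructed)

def string_to_key(password, principal):
    # password -> long-term key; PBKDF2 salted with realm+principal, like AES string-to-key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

def seal(key, payload):
    # stand-in for Kerberos encryption: a keyed MAC over the payload (integrity only, no secrecy)
    blob = json.dumps(payload, sort_keys=True).encode()
    return blob, hmac.new(key, blob, "sha256").digest()

def unseal(key, sealed):
    # stand-in for decryption: opens only for the holder of the key that sealed the blob
    blob, tag = sealed
    if not hmac.compare_digest(tag, hmac.new(key, blob, "sha256").digest()):
        raise PermissionError("ticket does not open with our key")
    return json.loads(blob)

class KDC:
    def __init__(self, keys):
        self.keys = keys        # principal -> long-term key
    def as_req(self, client, sname=TGS):
        session = os.urandom(16).hex()
        ticket = seal(self.keys[sname], {"client": client, "session": session})
        return ticket, seal(self.keys[client], {"session": session, "sname": sname})
    def tgs_req(self, tgt, sname):
        return seal(self.keys[sname], {"client": unseal(self.keys[TGS], tgt)["client"]})

def get_init_creds_password(kdc, user, password, service=TGS):
    # like krb5_get_init_creds_password(): succeeds whenever the KDC's key for `user`
    # matches the typed password, which is exactly what a replacement KDC arranges
    ticket, enc_part = kdc.as_req(user, service)
    return {"ticket": ticket, "enc": unseal(string_to_key(password, user), enc_part)}

def verify_init_creds(kdc, creds, keytab):
    # like krb5_verify_init_creds(): use the TGT to get a ticket for host/<fqdn> and
    # insist it opens with the keytab key, which only the genuine KDC shares with this host
    unseal(keytab[HOST], kdc.tgs_req(creds["ticket"], HOST))
    return True

def verify_password_without_tgt(kdc, user, password, keytab):
    # Roland's one-round-trip variant: ask the AS for host/<fqdn> directly, no TGT issued
    unseal(keytab[HOST], get_init_creds_password(kdc, user, password, HOST)["ticket"])
    return True
```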