Writing gss mechanism - Kerberos user2user

Writing gss mechanism - Kerberos user2user

Idan Freiberg
Hello all,

I'm working on an implementation of the Kerberos user2user mechanism, in order
to be able to interop with MS requests as such.


Talking with Simo, kaduk @ irc, I was advised to add it as a separate .so
module.
While it is possible, I'm not sure it's the right way. One reason for that
is because MS doesn't specify user2user mech as a separate mech in
MechTypes (NegoTokenInit).
They actually ask for official krb5 or mskrb5 OIDs, then they include the
user2user token as the MechToken of the request.

That made me think u2u should be hooked in gssapi_krb5.

On the other hand, looking at gss-ntlmssp by Simo, I find that support
was added into gssapi itself in order to detect that mech when
NegoTokenInit comes in (although that's a different way of detection), so I
might be wrong about the above.

Can you share your thoughts about that one?
--
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Writing gss mechanism - Kerberos user2user

Greg Hudson
On 02/05/2017 01:21 AM, Idan Freiberg wrote:
> While it is possible, I'm not sure it's the right way. One reason for that
> is because MS doesn't specify user2user mech as a separate mech in
> MechTypes (NegoTokenInit).
> They actually ask for official krb5 or mskrb5 OIDs, then they include the
> user2user token as the MechToken of the request.

That's a little surprising.  Is there any Microsoft documentation on
this u2u mechanism?  I wasn't able to find any.
draft-ietf-cat-user2user-02 (which is ancient) gives a different OID for
use with SPNEGO.



Re: Writing gss mechanism - Kerberos user2user

Idan Freiberg
Unfortunately, I didn't find any dedicated U2U doc under MS technical
documents. Also, MS-KILE doesn't include any info about U2U
messages/implementation details.
Regarding the RFC, there is also draft-swift-win2k-krb-user2user-03, but
it's just minor changes.

For me it feels like they tried to keep it as a part of Kerberos so they
can share the existing code for seal/mic/etc.

I started to add it in the same fashion as IAKERB is added to gssapi_krb5.
It seems that IAKERB is also relying on much of the "original" krb5 mech
code.


On Sun, Feb 5, 2017 at 18:27 Greg Hudson <[hidden email]> wrote:

Re: Writing gss mechanism - Kerberos user2user

Idan Freiberg
Just to make it clear, the user2user MechToken inside the NegoTokenInit has
the OID from the draft-swift-win2k-krb-user2user RFC draft.

On Sun, Feb 5, 2017 at 8:42 PM Idan Freiberg <[hidden email]> wrote:
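A constructed illustration of the token shape discussed in this thread, added here as an example and not code from the posts or from MIT krb5: it builds a SPNEGO NegTokenInit whose mechTypes advertise krb5/mskrb5 while the mechToken is itself an InitialContextToken tagged with a different OID, then inspects the token the way a mech that has to route it would. The OID byte values (the user2user one in particular), the placeholder payload and the function names are assumptions, not taken from the thread.

```python
SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2 (DER body, no tag/length)
KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MSKRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 ("mskrb5")
U2U = bytes.fromhex("2a864886f71201020203")      # 1.2.840.113554.1.2.2.3, assumed user2user OID

def tlv(tag, body):                              # DER TLV; constructed samples stay under 128 bytes
    assert len(body) < 0x80, "short-form DER length only in this builder"
    return bytes([tag, len(body)]) + body

def parse_tlv(buf, pos=0):                       # -> (tag, body, position after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long form: low bits give the count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_neg_token_init(mech_types, inner_mech, payload=b"constructed AP-REQ placeholder"):
    # InitialContextToken(SPNEGO) { [0] NegTokenInit { [0] mechTypes, [2] mechToken } }
    mech_token = tlv(0x60, tlv(0x06, inner_mech) + payload)   # inner InitialContextToken
    fields = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, m) for m in mech_types)))
    fields += tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, tlv(0x06, SPNEGO) + tlv(0xA0, tlv(0x30, fields)))

def inspect_neg_token_init(token):               # -> (advertised mechTypes, OID inside mechToken)
    tag, body, _ = parse_tlv(token)
    _, spnego, pos = parse_tlv(body)
    if tag != 0x60 or spnego != SPNEGO:
        raise ValueError("not a SPNEGO InitialContextToken")
    _, seq, _ = parse_tlv(parse_tlv(body, pos)[1])   # [0] NegTokenInit -> SEQUENCE
    mech_types, inner, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = parse_tlv(seq, pos)
        if tag == 0xA0:                              # [0] mechTypes: SEQUENCE OF OID
            lst, p = parse_tlv(field)[1], 0
            while p < len(lst):
                _, oid, p = parse_tlv(lst, p)
                mech_types.append(oid)
        elif tag == 0xA2:                            # [2] mechToken: OCTET STRING
            t, inner_tok, _ = parse_tlv(parse_tlv(field)[1])
            if t == 0x60:                            # inner InitialContextToken: its OID comes first
                inner = parse_tlv(inner_tok)[1]
    return mech_types, inner

def classify(token):                             # which code path the mechToken really needs
    mech_types, inner = inspect_neg_token_init(token)
    if inner == U2U and mech_types[:1] in ([KRB5], [MSKRB5]):
        return "u2u-token-under-krb5-mechtype"   # the shape the thread describes
    return {U2U: "u2u", KRB5: "krb5", MSKRB5: "krb5"}.get(inner, "other")
```

The point of `classify` is that the advertised mechType alone does not tell a krb5 mech whether it is looking at an AP-REQ or a user2user token; it has to look inside the mechToken.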

Re: Writing gss mechanism - Kerberos user2user

Idan Freiberg
It turns out that MS SSPs can support extra mech OIDs and one can get them
through SpGetExtendedInformation(SecpkgExtraOids, ...)
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa380167(v=vs.85).aspx>.
I think the MS Negotiate package takes the extra mech OIDs into consideration as
well.


On Sun, Feb 5, 2017 at 8:47 PM Idan Freiberg <[hidden email]> wrote: