any way to get user's ldap dn (or part of it) as part of the ticket?

any way to get user's ldap dn (or part of it) as part of the ticket?

Chris Hecker

I have a kerberized service that gets tickets from clients via
krb5_rd_req and I get the client name from the ticket using
krb5_unparse_name_flags.  On the KDC, these clients are in the LDAP
backend.  Is there any way to get the dn (which has a UUID) as part of
the ticket so I can use it in the service?  I know this is a bit of
a confusion between authn and authz, but I also know Microsoft has a
bunch of extensions that put a bunch of stuff into tickets that gets
carried around, and I'm wondering if there's an extension mechanism that
works for this.  I'd like to avoid another round-trip to the backend to
map from the client name to the UUID.  I'm willing to modify my MIT KDC
if necessary, although it'd be nice if it was doable with a plugin in an
"official" way or something.

Thanks, or let me know if I'm thinking about this in the wrong way...

Thanks,
Chris

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Re: any way to get user's ldap dn (or part of it) as part of the ticket?

Chris Hecker

Hmm, it looks like the authdata_plugin might be what I want?

Chris


Re: any way to get user's ldap dn (or part of it) as part of the ticket?

Greg Hudson
On 08/26/2016 02:10 AM, Chris Hecker wrote:
> I have a kerberized service that gets tickets from clients via
> krb5_rd_req and I get the client name from the ticket using
> krb5_unparse_name_flags.  On the KDC, these clients are in the LDAP
> backend.  Is there any way to get the dn (which has a UUID) as part of
> the ticket so I can use it in the service?

There's no mechanism to do this at present, no.

> I know this is a bit of
> a confusion between authn and authz, but I also know Microsoft has a
> bunch of extensions that put a bunch of stuff into tickets that gets
> carried around, and I'm wondering if there's an extension mechanism that
> works for this.

Microsoft's PAC is visible to the server, not the client.

> I'd like to avoid another round-trip to the backend to
> map from the client name to the UUID.  I'm willing to modify my MIT KDC
> if necessary, although it'd be nice if it was doable with a plugin in an
> "official" way or something.

It might be possible to do this with preauth plugin modules.  The
kdcpreauth module would put the DN into a padata element via the
return_padata() function, and the clpreauth module would put the DN
value into a ccache config variable.  padata isn't protected on the wire
(unless FAST is used), but you might be able to encrypt or checksum the
DN in the reply key if that's important.  The preauth interface was
really intended to support preauthentication mechanisms and not adding
bits of information in the AS-REP, so you might run into a roadblock
that I'm not seeing.

From a protocol perspective, encrypted padata (RFC 6806 appendix A) is
more attractive for this purpose, because it's protected inside the
encrypted AS-REP.  The KDC generates encrypted padata in
kdc_preauth.c:return_enc_padata().  There is no pluggable interface on
the KDC side or client side which grants access to encrypted padata, so
you'd be modifying the KDC and client code.

If you do either of these, you'll need to make up a padata type.
Negative padata types are reserved for unregistered use (RFC 4120
section 5.2.7).
Re: any way to get user's ldap dn (or part of it) as part of the ticket?

Greg Hudson
On 08/26/2016 02:29 AM, Greg Hudson wrote:
> Microsoft's PAC is visible to the server, not the client.

Oops, I misread your question.  You want this information in the server,
so yes, you want authdata.  Ignore everything I said about using padata.

We do have an authdata plugin interface, but unfortunately it's
unfinished and not public.  Still, it's probably better than modifying
the code.

Authdata is encrypted in the AS-REP, so you don't have to worry about
protecting the value.  Negative authdata types are reserved for
unregistered use (RFC 4120 section 5.2.6).

Re: any way to get user's ldap dn (or part of it) as part of the ticket?

Chris Hecker

Yeah, I want the UUID on the service that gets tickets from the clients
(so I can stop using the username as a db key, which was just a terrible
idea but hey, I was young).

So, to be clear, the client (my game) logs into the KDC, requests a
ticket to the service (the lobby server), and then logs into the lobby
server using this ticket.  I'd like the lobby server to be able to get
the UUID (from the kdb LDAP backend) out of the ticket without talking
to the KDC/LDAP machine again over the wire.  I don't particularly care
if the client can decrypt the UUID, but I guess it's slightly better if
they can't (which it sounds like is the case with authdata, it's
encrypted with the service key)?

It looks like the greet client and server stuff are the things to look
at here?

Chris



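The two halves of what Greg and Chris are describing, as an added example that is not code from this thread or from MIT krb5: the KDC side builds an AuthorizationData element carrying the DN under a private negative ad-type, and the service side looks it up in the ticket's authorization data after krb5_rd_req. The ad-type value -128 is a made-up private number (negative values are unregistered per RFC 4120 section 5.2.6), the DN string is constructed, and the function names are this example's own; the small DER encoder/decoder is exact for the types AuthorizationData uses. The private element is wrapped in AD-IF-RELEVANT (type 1) so that a server that does not know the type can ignore it rather than reject the ticket. On a real service the input bytes are the KDC-issued authorization data from the decrypted ticket (ticket->enc_part2->authorization_data), which is what makes them trustworthy: they are encrypted under the service key and only the KDC can write them. The Authenticator also carries authdata, but the client controls that, so it must not be used as the source of the UUID. MIT krb5 exports krb5_find_authdata for the same kind of AD-IF-RELEVANT-descending search that find_authdata does below.

```python
# Added example (not code from this thread or from MIT krb5): build a Kerberos
# AuthorizationData element carrying an LDAP DN under a private, negative
# ad-type, then look it up the way a service would after krb5_rd_req.

AD_IF_RELEVANT = 1   # registered container type (RFC 4120 section 5.2.6)
AD_LDAP_DN = -128    # assumption: a made-up private type; negative values are unregistered


def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form, so -128 encodes as the single byte 0x80."""
    size = 1
    while True:
        try:
            return der_tlv(0x02, value.to_bytes(size, "big", signed=True))
        except OverflowError:
            size += 1


def ctx(n: int, body: bytes) -> bytes:
    """Constructed context-specific tag [n], as Kerberos ASN.1 uses for every field."""
    return der_tlv(0xA0 | n, body)


def encode_authdata(elements) -> bytes:
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }"""
    items = b"".join(
        der_tlv(0x30, ctx(0, der_int(ad_type)) + ctx(1, der_tlv(0x04, ad_data)))
        for ad_type, ad_data in elements
    )
    return der_tlv(0x30, items)


def decode_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_authdata(buf: bytes):
    """Inverse of encode_authdata; rejects anything that is not the expected shape."""
    tag, body, end = decode_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not an AuthorizationData SEQUENCE")
    elements, pos = [], 0
    while pos < len(body):
        tag, elem, pos = decode_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("AuthorizationData item is not a SEQUENCE")
        tag0, wrapped_type, p = decode_tlv(elem, 0)
        tag1, wrapped_data, p = decode_tlv(elem, p)
        if (tag0, tag1, p) != (0xA0, 0xA1, len(elem)):
            raise ValueError("bad ad-type/ad-data tagging")
        itag, ival, _ = decode_tlv(wrapped_type, 0)
        dtag, data, _ = decode_tlv(wrapped_data, 0)
        if itag != 0x02 or dtag != 0x04:
            raise ValueError("ad-type must be INTEGER, ad-data OCTET STRING")
        elements.append((int.from_bytes(ival, "big", signed=True), data))
    return elements


def find_authdata(buf: bytes, ad_type: int):
    """Collect ad-data for ad_type, descending into AD-IF-RELEVANT containers."""
    hits = []
    for t, data in decode_authdata(buf):
        if t == AD_IF_RELEVANT:
            hits.extend(find_authdata(data, ad_type))
        elif t == ad_type:
            hits.append(data)
    return hits


def kdc_build_ticket_authdata(dn: str) -> bytes:
    """KDC side: what an authdata plugin would attach to the ticket.  The private element
    is wrapped in AD-IF-RELEVANT so servers that do not know the type may ignore it."""
    inner = encode_authdata([(AD_LDAP_DN, dn.encode("utf-8"))])
    return encode_authdata([(AD_IF_RELEVANT, inner)])


def service_lookup_dn(ticket_authdata: bytes) -> str:
    """Service side.  ticket_authdata must be the KDC-issued authorization data from the
    decrypted ticket (ticket->enc_part2->authorization_data after krb5_rd_req), never
    the Authenticator's authdata, which the client controls."""
    for t, _ in decode_authdata(ticket_authdata):
        if t not in (AD_IF_RELEVANT, AD_LDAP_DN):
            raise ValueError(f"unknown top-level authdata type {t}; reject the ticket")
    hits = find_authdata(ticket_authdata, AD_LDAP_DN)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one DN element, found {len(hits)}")
    return hits[0].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample DN; real values come from the kdb LDAP backend.
    sample_dn = "krbPrincipalName=chris@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
    ticket_ad = kdc_build_ticket_authdata(sample_dn)
    print(ticket_ad.hex())
    print(service_lookup_dn(ticket_ad))
```

The strict loop in service_lookup_dn follows the rule in RFC 4120 section 5.2.6 that a server should not accept a ticket carrying a top-level element it does not understand; anything it does not know has to arrive inside AD-IF-RELEVANT. Requiring exactly one DN element also closes the obvious ambiguity if two different plugins, or a TGT copied into a service ticket plus a fresh element, ever produced duplicates.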

Re: any way to get user's ldap dn (or part of it) as part of the ticket?

Chris Hecker

As a followup to this, after looking at the greet code...which piece of
code goes where?  There are three directories, greet, greet_client, and
greet_server.  It seems like greet_client is for passing information
along from my client to my service via the ap-req, which I don't need?

Chris



Re: any way to get user's ldap dn (or part of it) as part of the ticket?

Chris Hecker

Ah, hmm, the latest versions of these in the source repository are a
little more clear...I need to upgrade before looking into this...

Chris
