kinit only gets addressless tickets


kinit only gets addressless tickets

Emmanuel Coirier
Hello!

I've set up a Heimdal Kerberos installation, and for my needs, I try to get "addressful" tickets (TGT and service tickets with at least one address).

When running kinit with only the principal, I get an addressless TGT. And when using some clients, all the tickets are addressless too.

If I manually add an address with kinit's -a flag (like kinit -a something), the would-be added address doesn't appear with klist -v.

And if I disable the proxiable and forwardable attributes on the KDC (with kadmin and attributes "disallow-proxiable, disallow-forwardable"), kinit can't get a ticket anymore.

So, how is it possible to get tickets with addresses?

--
Emmanuel Coirier


Re: kinit only gets addressless tickets

Harald Barth-2

Then your kinit must do something different from mine. Example:

laptop$ kinit --addr -a 10.1.2.3
[hidden email]'s Password:
habook:~$ klist -v
Credentials cache: FILE:/tmp/krb5cc_18118--STACKEN.KTH.SE
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 421
Auth time:  Sep 21 14:22:49 2018
End time:   Sep 22 00:22:46 2018
Ticket flags: pre-authent, initial, forwardable
Addresses: IPv4:130.229.161.9, IPv6:2001:6b0:1:1041:5ce6:49f7:7fe0:a9e, IPv6:2001:6b0:1:1041:8e70:5aff:fec8:1ef8, IPv4:10.1.2.3

This gives me tickets for the addresses my laptop has at the moment and, in addition to that, 10.1.2.3.

New addresses are then put onto the delegated tickets when using openssh to log in to a server:

server$ klist -v
Credentials cache: FILE:/tmp/krb5cc_18118_QEiMlMJMDe
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 369
Auth time:  Sep 21 14:22:49 2018
Start time: Sep 21 14:23:55 2018
End time:   Sep 22 00:22:46 2018
Ticket flags: transited-policy-checked, pre-authent, forwarded, forwardable
Addresses: IPv4:130.237.234.74


My heimdal version is not bleeding edge:
1.6~git20131207+dfsg-1ubuntu1.2

Maybe this is a newly introduced bug, but at least it has worked.

Which version are you using and please copy+paste commands and output.

> And if I disable the proxiable and forwardable attributes on the KDC
> (with kadmin and attributes "disallow-proxiable,
> disallow-forwardable"), kinit can't get a ticket anymore.

If you do this, you must instruct kinit to behave accordingly, either with command
line arguments (--no-prox --no-forw) or in krb5.conf. kinit will not by itself
go from requesting a forwardable to requesting a non-forwardable ticket if the
former was not allowed.

Harald.
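The klist -v listings above are the only place the address binding of a ticket is visible to the user, so a small parser for that layout is handy when checking what a cache actually contains. The following is an added example, not code from the thread or from Heimdal: it splits klist -v output into one record per "Server:" block, reports which tickets are addressless, and reports which address-bound tickets name none of the host's current addresses (the situation Harald's NAT/WiFi remark in the thread describes). The sample output embedded in it is constructed to follow the klist -v layout shown above, with placeholder principals and documentation-range IP addresses; the literal "addressless" value is assumed to be how an unbound ticket is printed, and a missing Addresses line is treated the same way.

```python
"""Parse Heimdal `klist -v` output and report how tickets are bound to addresses.

Added example, not code from the thread or from Heimdal. The sample below is
constructed to follow the klist -v layout shown in the thread, with placeholder
principals and documentation-range (RFC 5737 / RFC 3849) addresses.
"""
import ipaddress
from dataclasses import dataclass, field

SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_example
        Principal: alice@EXAMPLE.ORG
    Cache version: 4

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: alice@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 421
Auth time:  Sep 21 14:22:49 2018
End time:   Sep 22 00:22:46 2018
Ticket flags: pre-authent, initial, forwardable
Addresses: IPv4:192.0.2.10, IPv6:2001:db8::10, IPv4:10.1.2.3

Server: host/server.example.org@EXAMPLE.ORG
Client: alice@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Ticket length: 380
Auth time:  Sep 21 14:22:49 2018
End time:   Sep 22 00:22:46 2018
Ticket flags: pre-authent, forwardable
Addresses: addressless
"""


@dataclass
class Ticket:
    server: str
    client: str = ""
    flags: list = field(default_factory=list)
    addresses: list = field(default_factory=list)  # ipaddress objects


def _parse_address(token):
    """klist prints 'IPv4:10.1.2.3' / 'IPv6:2001:db8::1'; drop the family prefix."""
    family, _, addr = token.partition(":")
    return ipaddress.ip_address(addr if addr else family)


def parse_klist(text):
    """Split klist -v output into one Ticket per 'Server:' block."""
    tickets, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Server":
            current = Ticket(server=value)
            tickets.append(current)
        elif current is None:
            continue  # cache header lines (Credentials cache, Principal, ...)
        elif key == "Client":
            current.client = value
        elif key == "Ticket flags":
            current.flags = [f.strip() for f in value.split(",") if f.strip()]
        elif key == "Addresses":
            # Assumption: an unbound ticket is printed as the literal "addressless";
            # a missing Addresses line is treated as unbound as well.
            if value and value.lower() != "addressless":
                current.addresses = [_parse_address(a.strip())
                                     for a in value.split(",") if a.strip()]
    return tickets


def addressless_tickets(tickets):
    """Servers whose tickets carry no address binding at all."""
    return [t.server for t in tickets if not t.addresses]


def tickets_not_bound_to(tickets, host_addresses):
    """Address-bound tickets that name none of the host's current addresses.

    This is the failure mode behind the NAT/WiFi remark in the thread: once the
    client's address changes, such a ticket no longer matches where it is used from.
    """
    here = {ipaddress.ip_address(a) for a in host_addresses}
    return [t.server for t in tickets if t.addresses and here.isdisjoint(t.addresses)]


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    for t in parsed:
        print(t.server, t.flags, [str(a) for a in t.addresses])
    print("addressless:", addressless_tickets(parsed))
    print("not usable from 198.51.100.7:",
          tickets_not_bound_to(parsed, ["198.51.100.7"]))
```

Feed it the real output with `parse_klist(subprocess.run(["klist", "-v"], capture_output=True, text=True).stdout)`; the address comparison goes through the ipaddress module so that differently spelled IPv6 literals still compare equal.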

RE: kinit only gets addressless tickets

Emmanuel Coirier
Hi Harald,

First, thanks a lot for your quick answer!

OK, I've got it. You are using the "--addr" flag, which is not documented (but works for me).

kinit --help gives me this (same with man):

...
-A, --no-addresses                        request a ticket with no addresses
-a addresses, --extra-addresses=addresses include these extra addresses
...

But no "--addr" flag.

Since there is a "--no-addresses" flag, I thought the contrary was the default choice. I also would think tickets with addresses would have been the default way to use a Kerberos setup.

So my new question is: *usually*, do Kerberos tickets include addresses?

Another question: I'm writing a service using Kerberos for authentication (via GSS-API). Should I reject addressless tickets? More precisely, a security context with an initiator name without addresses? Or are addressless tickets the default practice?

My heimdal setup is 7.5.0+dfsg-2 which seems up to date.

Otherwise, there is no "--no-prox" flag documented either.

Again, thanks for your answer.

--
Emmanuel Coirier

-----Original Message-----
From: Harald Barth [mailto:[hidden email]]
Sent: Friday, 21 September 2018 14:32
To: Emmanuel Coirier
Cc: [hidden email]
Subject: Re: kinit only gets addressless tickets


Then your kinit must do something different from mine. Example:
[...]

Re: kinit only gets addressless tickets

Harald Barth-2

> OK, I've got it. You are using the "--addr" flag, which is not documented (but works for me).

Despite the documentation omissions, all the yes/no flags can be used
in the form --foo and --no-foo.

The actual behaviour depends on
    * What's compiled in (weakest)
    * What's the union of all searched krb5.conf files
    * What's on the command line (strongest)

I think in the addr case, the compiled in default has changed but the
documentation has not. I'd have to look at the source.

> Since there is a "--no-addresses" flag, I thought the contrary was
> the default choice. I also would think tickets with addresses would
> have been the default way to use a Kerberos setup.

It was, before the widespread use of NAT and laptops on WiFi, which change
IP addresses quite a few times during the lifetime of the ticket.

> So my new question is: *usually*, do Kerberos tickets include addresses?

Nowadays: No.


> Another question: I'm writing a service using Kerberos for
> authentication (via GSS-API). Should I reject addressless tickets?
> More precisely, a security context with an initiator name without
> addresses? Or are addressless tickets the default practice?

It's a tradeoff between security and PITA for the user (depends of
course on your use case).

I have not seen any application that rejects addressless tickets, but
I've mostly been using kerberos for login (with openssh) and AFS.

> Otherwise, there is no "--no-prox" flag documented either.

See above ;)

Harald.
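Harald's three-layer precedence (compiled-in default, then the krb5.conf files, then the command line) means the settings discussed in this thread can be pinned in krb5.conf instead of being passed to kinit every time. The fragment below is an added example, not configuration from the thread or from a Heimdal install: it uses the [libdefaults] keys documented in Heimdal's krb5.conf(5) for address-bound tickets and for matching a KDC whose principal carries disallow-forwardable and disallow-proxiable, which is the combination Emmanuel's first post ran into. The address 10.1.2.3 is taken from Harald's kinit example; verify the key names against the man page of the version you run, since, as Harald notes, the documentation and the compiled-in defaults have drifted apart.

```ini
[libdefaults]
    # Ask for tickets that carry the host's addresses (the "--addr" behaviour
    # from the thread). The same key set to true is the "-A/--no-addresses" case.
    no-addresses = false
    # Addresses to include beyond the host's own, as kinit -a does.
    extra_addresses = 10.1.2.3
    # When the KDC has disallow-forwardable / disallow-proxiable set, stop
    # kinit from requesting flags the KDC will refuse (the command-line
    # equivalents in the thread are --no-forw / --no-prox).
    forwardable = false
    proxiable = false
```

Flags given on the kinit command line still win over these values, so a stray `--forwardable` in a login script will reproduce the "kinit can't get a ticket" symptom from the first post even with this configuration in place; klist -v is the way to confirm which combination actually took effect.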