Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
The site philosophy can be expressed as fail open / fail closed / fail safe / 
fail deadly...

From: Brent Kimberley
Sent: Wednesday, March 13, 2024 5:41:58 PM
To: Simo Sorce ; Yoann Gini ; Ken 
Hornstein 
Cc: kerberos@mit.edu 
Subject: RE: Looking for a "Kerberos Router"?

To the best of my knowledge, all IPV6 ports should be closed by design and only 
opened if/when approved.

-Original Message-
From: Kerberos  On Behalf Of Simo Sorce
Sent: Wednesday, March 13, 2024 4:48 PM
To: Yoann Gini ; Ken Hornstein 
Cc: kerberos@mit.edu
Subject: Re: Looking for a "Kerberos Router"?


This is well tested:
https://github.com/latchset/kdcproxy


On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > Le 13 mars 2024 à 17:21, Ken Hornstein  a écrit :
> >
> > It does occur to me that maybe if you have different KDC hostnames
> > but the same IP address you could use TLS SNI or hostname routing
> > which you indicated you already use and maybe that would be simpler?
> > That presumes the client implementations set the SNI field (I see
> > that it does send a "Host" header, and it looks like MIT Kerberos
> > does set the SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as 
> exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network
> teams just supporting IPv6 and not blocking random ports for no reasons… 
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN 
INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM 
DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege 
have been waived. If you are not the intended recipient, you are hereby 
notified that any review, re-transmission, dissemination, distribution, 
copying, conversion to hard copy, taking of action in reliance on or other use 
of this communication is strictly prohibited. If you are not the intended 
recipient and have received this message in error, please notify me by return 
e-mail and delete or destroy all copies of this message.


RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
To the best of my knowledge, all IPV6 ports should be closed by design and only 
opened if/when approved.


RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
[MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38

1 Introduction
The Kerberos Key Distribution Center (KDC) Proxy Protocol (KKDCP) is used by an 
HTTP-based KKDCP server and KKDCP client to relay the Kerberos Network 
Authentication Service (V5) protocol [RFC4120] and Kerberos change password 
[RFC3244] messages between a Kerberos client and a KDC.
Note  Throughout the remainder of this specification the Kerberos Network 
Authentication Service (V5) protocol will be referred to simply as Kerberos V5. 
Kerberos Network Authentication Service (V5) protocol [RFC4120] and Kerberos 
change password [RFC3244] messages will be referred to simply as Kerberos 
messages.
Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other 
sections and examples in this specification are informative.

2.1 Transport
Messages are transported by using HTTP POST as specified in [RFC2616]. These 
messages are sent via Hypertext Transfer Protocol over Secure Sockets Layer 
(HTTPS) by default. The URI uses the virtual directory /KdcProxy unless 
otherwise configured. The body of the HTTP message contains the 
KDC_PROXY_MESSAGE (section 2.2.2).
KDC proxy messages are defined using Abstract Syntax Notation One (ASN.1), as 
specified in [X680], and encoded using Distinguished Encoding Rules (DER), as 
specified in [X690] section 10.

2.2 Message Syntax
KKDCP does not alter the syntax of any Kerberos messages.

2.2.2 KDC_PROXY_MESSAGE
This structure is a KDC proxy message that contains the Kerberos message to be 
proxied and optional information for DC location at the KKDCP server.

 KDC-PROXY-MESSAGE ::= SEQUENCE {
     kerb-message   [0] OCTET STRING,
     target-domain  [1] KERB-REALM OPTIONAL,
     dclocator-hint [2] INTEGER OPTIONAL
 }
kerb-message: A Kerberos message, including the 4 octet length value specified 
in [RFC4120] section 7.2.2 in network byte order.
target-domain: An optional KerberosString ([RFC4120] section 5.2.1) that 
represents the realm to which the Kerberos message is sent, which is required 
for client messages and is not used in server messages. This value is not 
case-sensitive.
dclocator-hint: An optional Flags ([MS-NRPC] section 3.5.4.3.1) which contains 
additional data to be used to find a domain controller for the Kerberos message.


5.1 Security Considerations for Implementers
Because KKDCP is typically used in the Internet, messages are only protected 
when HTTPS is used, and the KKDCP server's certificate is valid. When using 
HTTP, the KKDCP client is sending clear text Kerberos messages, which are 
vulnerable to attacks discussed in Kerberos V5 ([RFC4120] section 10), unless 
FAST [RFC6113] is used.

When the KKDCP server relays messages from Internet KKDCP clients to the KDC, 
it opens unauthenticated access to the KDC from the Internet, unless TLS client 
authentication is required. KKDCP servers can also provide some level of 
protection by only relaying valid Kerberos messages, and by throttling 
messages. KKDCP servers open KDCs to the Internet, exposing them to 
denial-of-service attacks (using Kerberos messages) that were previously only 
possible via other authentication protocols, such as NTLM.


-Original Message-
From: Kerberos  On Behalf Of Ken Hornstein via 
Kerberos
Sent: Wednesday, March 13, 2024 12:22 PM
To: Yoann Gini 
Cc: kerberos@mit.edu
Subject: Re: Looking for a "Kerberos Router"?


>Looking at Apple documentation I see the support for something I had
>never heard of: Kerberos Key Distribution Center Proxy.
>
>Looks like a solution to encapsulate Kerberos requests into an HTTPS.
>
>Any experience on this here?

I personally have not used that, but I know that MIT Kerberos supports that (as 
far as I can tell, that protocol exists just because firewall people are dumb, 
but that's neither here nor there).  That contains a wrapper ASN.1 structure 
which has the target realm in it so you could use that for routing (although 
the target domain is listed as an optional element to the KDC_PROXY_MESSAGE so 
that suggests to me you can't rely on it).  So you're still going to have to 
write code to parse an ASN.1 structure to do backend routing.

It does occur to me that maybe if you have different KDC hostnames but the same 
IP address you could use TLS SNI or hostname routing which you indicated you 
already use and maybe that would be simpler?  That presumes the client 
implementations set the SNI field (I see that it does send a "Host" header, and 
it looks like MIT Kerberos does set the SNI hostname).

--Ken

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
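The KDC-PROXY-MESSAGE layout and Ken's routing question above, as an added example that is not part of the original thread, the [MS-KKDCP] text, kdcproxy or MIT krb5. The code hand-encodes and strictly decodes the wrapper (DER with explicit context tags, the convention the Kerberos ASN.1 modules use), then picks a backend KDC from target-domain and, because that element is marked OPTIONAL in the ASN.1, falls back to the TLS SNI name the client connected to. The REALM_BACKENDS and SNI_REALMS tables, the hostnames in them and the FAKE_AS_REQ stand-in are all assumptions made for the example.

```python
"""Realm-based routing for KKDCP requests ([MS-KKDCP], RFC 4120 over HTTPS).

Added example; not code from kdcproxy, MIT krb5 or the [MS-KKDCP] specification.
"""
import struct
from typing import Optional

# Assumed routing tables: realm -> backend KDC, and proxy hostname (SNI) -> realm.
REALM_BACKENDS = {
    "EXAMPLE.COM": ("kdc1.example.com", 88),
    "CORP.EXAMPLE": ("kdc.corp.example", 88),
}
SNI_REALMS = {
    "kdc-proxy.example.com": "EXAMPLE.COM",
    "kdc-proxy.corp.example": "CORP.EXAMPLE",
}

SEQUENCE, OCTET_STRING, GENERAL_STRING, INTEGER = 0x30, 0x04, 0x1B, 0x02


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _explicit(ctx: int, inner: bytes) -> bytes:
    """Wrap an already-encoded value in the explicit context tag [ctx] (constructed)."""
    return _tlv(0xA0 | ctx, inner)


def _der_int(v: int) -> bytes:
    """Minimal two's-complement content octets for a DER INTEGER."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def encode_kdc_proxy_message(kerb_message: bytes, target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    """Build a KDC-PROXY-MESSAGE. kerb_message is the raw Kerberos message; the
    4-octet big-endian length prefix from RFC 4120 section 7.2.2 is added here."""
    framed = struct.pack("!I", len(kerb_message)) + kerb_message
    body = _explicit(0, _tlv(OCTET_STRING, framed))
    if target_domain is not None:  # KERB-REALM is a KerberosString, i.e. GeneralString
        body += _explicit(1, _tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        body += _explicit(2, _tlv(INTEGER, _der_int(dclocator_hint)))
    return _tlv(SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:end], end


def decode_kdc_proxy_message(data: bytes) -> dict:
    """Strictly decode a KDC-PROXY-MESSAGE: reject trailing bytes, unknown or
    out-of-order elements, and a kerb-message whose length prefix disagrees."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("body is not a single DER SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos, expect = 0, 0
    while pos < len(seq):
        ctag, inner, pos = _read_tlv(seq, pos)
        ctx = ctag & 0x1F
        if (ctag & 0xE0) != 0xA0 or ctx < expect:
            raise ValueError(f"unexpected element tag 0x{ctag:02x}")
        itag, value, used = _read_tlv(inner, 0)
        if used != len(inner):
            raise ValueError("garbage inside explicit tag")
        if ctx == 0 and itag == OCTET_STRING:
            if len(value) < 4 or struct.unpack("!I", value[:4])[0] != len(value) - 4:
                raise ValueError("kerb-message length prefix mismatch")
            out["kerb_message"] = value[4:]
        elif ctx == 1 and itag == GENERAL_STRING:
            out["target_domain"] = value.decode("ascii")
        elif ctx == 2 and itag == INTEGER:
            out["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"element [{ctx}] has wrong inner type 0x{itag:02x}")
        expect = ctx + 1
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def select_backend(body: bytes, sni: Optional[str] = None):
    """Choose the KDC for one KKDCP POST. target-domain wins when present (the
    spec calls it required in client messages, but the ASN.1 marks it OPTIONAL,
    so a router cannot assume it); otherwise fall back to the SNI/Host name the
    client connected to. Realm matching is case-insensitive, as the spec says."""
    msg = decode_kdc_proxy_message(body)
    realm = msg["target_domain"]
    if realm is None and sni:
        realm = SNI_REALMS.get(sni.lower())
    return REALM_BACKENDS.get(realm.upper()) if realm else None


# Constructed stand-in for an AS-REQ (APPLICATION 10 tag with an empty body).
# The router never needs to look inside kerb-message, only to frame and forward it.
FAKE_AS_REQ = b"\x6a\x00"

if __name__ == "__main__":
    post_body = encode_kdc_proxy_message(FAKE_AS_REQ, "example.com", 0x40000000)
    print(post_body.hex())
    print(select_backend(post_body))  # ('kdc1.example.com', 88)
    print(select_backend(encode_kdc_proxy_message(FAKE_AS_REQ), "kdc-proxy.corp.example"))
```

A real deployment sits behind the TLS terminator that hands the SNI or Host name through, caps the POST body size and rate-limits per source before decoding (the spec's own advice on throttling and relaying only valid messages), and forwards kerb_message to the selected KDC over TCP with its 4-octet length prefix intact.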

RE: kdb5_util-1.15.1: Invalid argument while making newly loaded database live

2024-03-04 Thread Brent Kimberley via Kerberos
A message queue is typically a better way to synchronize a cluster.
The bonus is that you can track adds, deletes, and modifies via historian.
Anchors in Relative Time!?

-Original Message-
From: Kerberos  On Behalf Of Ken Hornstein via 
Kerberos
Sent: Monday, March 4, 2024 10:56 AM
To: rachit chokshi 
Cc: kerberos@mit.edu
Subject: Re: kdb5_util-1.15.1: Invalid argument while making newly loaded 
database live


>We have a setup where the kerberos database (db2) is hosted on an NFS
>server. There are multiple KDC servers each mounting the NFS share and
>serving traffic.

I have to say up front that it is generally agreed that putting any database 
file on a NFS filesystem is a bad idea.  Also, it kind of sounds like your 
multiple KDCs are serving the SAME database file?  If so, THAT is a huge 
problem!

>kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc_shared/principal~':
>Invalid argument while deleting bad database /var/kerberos/krb5kdc_shared/principal

I am looking at newer Kerberos code, so perhaps this has changed, but that 
error comes from krb5_db_destroy() failing.  For DB2, that ends up calling 
krb5_db2_destroy().  That function does a lot of things, and it's hard at a 
glance to figure out which part of it is failing; I suspect the only way to 
figure out what is going wrong there is to build a version of Kerberos with 
full debugging symbols and set a breakpoint on krb5_db2_destroy().  I have a 
strong suspicion that the database file is getting corrupted in a such a way 
that the other routines cannot recover, and that's likely due to the use of NFS 
(especially if multiple KDCs are using the same database file).

--Ken

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


RE: Protocol benchmarking / auditing inquiry

2024-02-16 Thread Brent Kimberley via Kerberos
Correction:
- Physical systems tend to wear out + fail spectacularly.
- Cyber systems tend to fail silently + inconveniently
- CPS systems tend to wear out + fail spectacularly + fail silently + 
inconveniently (case in point: Colonial Pipeline)

The purpose of said tools is to evaluate & maintain asset health - over time. 
(PDCA)

-Original Message-
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:49 PM
To: kerberos@mit.edu; k...@cmf.nrl.navy.mil
Subject: RE: Protocol benchmarking / auditing inquiry

The purpose of non-destructive testing is to validate form/fit/function - 
across the entire operational mission/ asset lifecycle/ whatever - contrasted 
with the STIG/CIS benchmark which throws the real problems "over the wall" to 
Ken H.

Using the outputs, the lifecycle manager constructs their budget for operations 
+ maintenance (OpEx) and replacement (CapEx).
Physical systems wear out.  (Weibull)
Cyber systems fail spectacularly.
CPS systems wear out + fail spectacularly. (Power-law?)

Why is this relevant?

Back in the 1940s, too many planes were falling out of the sky.  (Q.  How many 
planes are too many?) You call this philosophy a "surety system", "fly fix 
fly", "patch Tuesday", " FAA's approach to the Boeing 737 MAX" - whatever.
Regardless, by the 1950s, it was decided that action needed to be taken.  The 
status quo was unacceptable.  It was too expensive for operators.

The national safety council created something called the "Hierarchy of 
Controls."  It was immensely successful.  (Planes stopped falling out of the 
skies.)

You can call this approach "safety by design".  This approach and its benefits 
are very well documented and might even be applicable to Navy C4ISR.

To tie a bow on this thread:
How can we make Kerberos safe?


-Original Message-
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:19 PM
To: kerberos@mit.edu; k...@cmf.nrl.navy.mil
Subject: RE: Protocol benchmarking / auditing inquiry

At higher levels it falls under "Non Destructive testing".

-Original Message-
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:12 PM
To: 'kerberos@mit.edu' ; 'k...@cmf.nrl.navy.mil' 

Subject: RE: Protocol benchmarking / auditing inquiry

This approach is taught in first year engineering.

-Original Message-
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:10 PM
To: kerberos@mit.edu; k...@cmf.nrl.navy.mil
Subject: RE: Protocol benchmarking / auditing inquiry

Ken.
The term Frame of Reference is a Cyber Physical system (CPS) term.

For those who work in the cyber subset, the term is "interface".

Regardless of what you call it.

You take the system diagram and evaluate using each major interface or Frame of 
Reference.

The STIG or CIS benchmark is just one of the interfaces evaluated.


-

>Minor comment the CIS Benchmark appears to have been written from the
>system administrator's frame of reference - not the network frame of
>reference (FoR).  Typically, each frame of reference (FoR) needs to be
>audited.  Hence the need for automation.

I can only say this:

- I've been doing Kerberos for a few decades (but I'm certainly not the
  person with the most Kerberos experience on this list).
- I've done a ton of security accreditation work at my $DAYJOB, which
  also involves Kerberos.  As part of the accreditation work we (and
  others) do automated scanning that includes the Kerberos servers
  and this seems to satisfy the powers that be.  Some of the scanning
  seems to detect Kerberos but I am unclear how much it actually checks
  for other than "Kerberos is found".
- I've used the aforementioned CIS Benchmark.
- I really have no clue what you mean by "frame of reference" in this
  context, and this corresponds to no security accreditation or auditing
  requirements I have ever encountered so I cannot provide any
  suggestions; I'm really unclear what you are asking for.

--Ken

-Original Message-
From: Brent Kimberley
Sent: Wednesday, February 14, 2024 3:24 PM
To: Christopher D. Clausen ; kerberos@mit.edu
Subject: RE: Protocol benchmarking / auditing inquiry

Minor comment the CIS Benchmark appears to have been written from the system 
administrator's frame of reference - not the network frame of reference (FoR).
Typically, each frame of reference (FoR) needs to be audited.  Hence the need 
for automation.

-Original Message-
From: Christopher D. Clausen 
Sent: Wednesday, February 14, 2024 2:10 PM
To: Brent Kimberley ; kerberos@mit.edu
Subject: Re: Protocol benchmarking / auditing inquiry


I have used this as a guide, but I think MIT Kerberos version 1.10 is the 
latest available:
https://www.cisecurity.org/benchmark/mit_kerberos

Not sure if this is what you are looking for or not.

< Preferably something smaller and more focused than nmap or OpenSCAP. 

RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
The purpose of non-destructive testing is to validate form/fit/function - 
across the entire operational mission/ asset lifecycle/ whatever - contrasted 
with the STIG/CIS benchmark which throws the real problems "over the wall" to 
Ken H.

Using the outputs, the lifecycle manager constructs their budget for operations 
+ maintenance (OpEx) and replacement (CapEx).
Physical systems wear out.  (Weibull)
Cyber systems fail spectacularly.
CPS systems wear out + fail spectacularly. (Power-law?)

Why is this relevant?

Back in the 1940s, too many planes were falling out of the sky.  (Q.  How many 
planes are too many?)
You call this philosophy a "surety system", "fly fix fly", "patch Tuesday", " 
FAA's approach to the Boeing 737 MAX" - whatever.
Regardless, by the 1950s, it was decided that action needed to be taken.  The 
status quo was unacceptable.  It was too expensive for operators.

The national safety council created something called the "Hierarchy of 
Controls."  It was immensely successful.  (Planes stopped falling out of the 
skies.)

You can call this approach "safety by design".  This approach and its benefits 
are very well documented and might even be applicable to Navy C4ISR.

To tie a bow on this thread:
How can we make Kerberos safe?


RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
At higher levels it falls under "Non Destructive testing".

> From: Brent Kimberley
> Sent: Wednesday, February 14, 2024 12:44 PM
> To: kerberos@mit.edu
> Subject: Protocol benchmarking / auditing inquiry
>
> Hi.
> Can anyone point me to some methods to benchmark and/or audit Kerberos v5?
>
> For example, SSH:
> Manual
>Read the RFCs and specs.
>Semi-automatic.
>jtesta/ssh-audit: SSH server & client security 
> auditing (banner, key exchange, encryption, mac, compression, compatibility, 
> security, etc) (github.com)
> Automatic
>SSH Configuration Auditor (ssh-audit.com) <https://www.ssh-audit.com/>
>
>
> TLS example upon request.


RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
This approach is taught in first year engineering.

-Original Message-
From: Brent Kimberley
Sent: Thursday, February 15, 2024 12:10 PM
To: kerberos@mit.edu; k...@cmf.nrl.navy.mil
Subject: RE: Protocol benchmarking / auditing inquiry

Ken.
The term Frame of Reference is a Cyber Physical system (CPS) term.

For those who work in the cyber subset, the term is "interface".

Regardless of what you call it.

You take the system diagram and evaluate using each major interface or Frame of 
Reference.

The STIG or CIS benchmark is just one of the interfaces evaluated.


-

>Minor comment the CIS Benchmark appears to have been written from the
>system administrator's frame of reference - not the network frame of
>reference (FoR).  Typically, each frame of reference (FoR) needs to be
>audited.  Hence the need for automation.

I can only say this:

- I've been doing Kerberos for a few decades (but I'm certainly not the
  person with the most Kerberos experience on this list).
- I've done a ton of security accreditation work at my $DAYJOB, which
  also involves Kerberos.  As part of the accrediation work we (and
  others) do automated scanning that includes the Kerberos servers
  and this seems to satisfy the powers that be.  Some of the scanning
  seems to detect Kerberos but I am unclear how much it actually checks
  for other than "Kerberos is found".
- I've used the aforementioned CIS Benchmark.
- I really have no clue what you mean by "frame of reference" in this
  context, and this corresponds to no security accreditation or auditing
  requirements I have ever encountered so I cannot provide any
  suggestions; I'm really unclear what you are asking for.

--Ken

-Original Message-
From: Brent Kimberley
Sent: Wednesday, February 14, 2024 3:24 PM
To: Christopher D. Clausen ; kerberos@mit.edu
Subject: RE: Protocol benchmarking / auditing inquiry

Minor comment the CIS Benchmark appears to have been written from the system 
administrator's frame of reference - not the network frame of reference (FoR).
Typically, each frame of reference (FoR) needs to be audited.  Hence the need 
for automation.

-Original Message-
From: Christopher D. Clausen 
Sent: Wednesday, February 14, 2024 2:10 PM
To: Brent Kimberley ; kerberos@mit.edu
Subject: Re: Protocol benchmarking / auditing inquiry

[You don't often get email from cclau...@acm.org. Learn why this is important 
at https://aka.ms/LearnAboutSenderIdentification ]

I have used this as a guide, but I think MIT Kerberos version 1.10 is the 
latest available:
https://www.cisecurity.org/benchmark/mit_kerberos

Not sure if this is what you are looking for or not.

< Preferably something smaller and more focused than nmap or OpenSCAP. 



> > > >
> From: Brent Kimberley
> Sent: Wednesday, February 14, 2024 12:44 PM
> To: kerberos@mit.edu
> Subject: Protocol benchmarking / auditing inquiry
>
> Hi.
> Can anyone point me to some methods to benchmark and/or audit Kerberos v5?
>
> For example, SSH:
>    Manual
>       Read the RFCs and specs.
>    Semi-automatic.
>       jtesta/ssh-audit: SSH server & client security auditing (banner, key
>       exchange, encryption, mac, compression, compatibility, security, etc)
>       (github.com)
>    Automatic
>       SSH Configuration Auditor (ssh-audit.com)
>
>
> TLS example upon request.

THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN 
INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM 
DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege 
have been waived. If you are not the intended recipient, you are hereby 
notified that any review, re-transmission, dissemination, distribution, 
copying, conversion to hard copy, taking of action in reliance on or other use 
of this communication is strictly prohibited. If you are not the intended 
recipient and have received this message in error, please notify me by return 
e-mail and delete or destroy all copies of this message.


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
Ken.
The term Frame of Reference is a Cyber Physical system (CPS) term.

For those who work in the cyber subset, the term is "interface".

Regardless of what you call it.

You take the system diagram and evaluate using each major interface or Frame of 
Reference.

The STIG or CIS benchmark is just one of the interfaces evaluated.


-

>Minor comment the CIS Benchmark appears to have been written from the
>system administrator's frame of reference - not the network frame of
>reference (FoR).  Typically, each frame of reference (FoR) needs to be
>audited.  Hence the need for automation.

I can only say this:

- I've been doing Kerberos for a few decades (but I'm certainly not the
  person with the most Kerberos experience on this list).
- I've done a ton of security accreditation work at my $DAYJOB, which
  also involves Kerberos.  As part of the accreditation work we (and
  others) do automated scanning that includes the Kerberos servers
  and this seems to satisfy the powers that be.  Some of the scanning
  seems to detect Kerberos but I am unclear how much it actually checks
  for other than "Kerberos is found".
- I've used the aforementioned CIS Benchmark.
- I really have no clue what you mean by "frame of reference" in this
  context, and this corresponds to no security accreditation or auditing
  requirements I have ever encountered so I cannot provide any
  suggestions; I'm really unclear what you are asking for.

--Ken



RE: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Brent Kimberley via Kerberos
Minor comment the CIS Benchmark appears to have been written from the system 
administrator's frame of reference - not the network frame of reference (FoR).
Typically, each frame of reference (FoR) needs to be audited.  Hence the need 
for automation.



RE: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Brent Kimberley via Kerberos
To the best of my knowledge, Krb5i provides integrity whereas Krb5p provides 
confidentiality, integrity, and replay protection.

"Walk tool" finding could map to a radar chart.

In other news, Matthew Palko plans to modernize authentication.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848




RE: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Brent Kimberley via Kerberos
Hi Christopher.

Yes.  You are correct.  Peer reviewed installation readiness documents like the 
CIS MIT benchmark are a good "first step."

I was asking pointers to the rest of the lifecycle suite - specifically "walk".

Crawl
=====
Installation readiness documents
e.g., CIS MIT Kerberos Benchmark

Walk
====
Focused applications.

Application which can connect to a client or a server and emit:
    Enabled ciphers.
    Enabled MACs.
    Enabled Kerberos modes (krb5, krb5i, krb5p)
    etc.

Background: most sites appear to be misconfigured.

Run
===
A focused service.




Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
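The "walk" stage in the message above asks for a focused application that reports what a Kerberos deployment actually enables. As an added example (not code from this list, from the CIS benchmark or from the MIT krb5 project), the Python script below does the configuration-side half of that: it reads a krb5.conf, expands the enctype lists in [libdefaults] (aliases, family keywords, +/- prefixes) and reports weak or deprecated encryption types, noting whether allow_weak_crypto makes the weak ones usable at all. The sample krb5.conf is constructed, and the weak/deprecated classification is this example's own assumption, to be checked against the release notes of the krb5 version in use. Per-service modes such as krb5i/krb5p are negotiated by the application (NFS exports, for instance) and are not visible in krb5.conf, so they are out of scope here.

```python
"""krb5.conf enctype audit: the configuration-side half of a "walk" tool.
Added example for this thread, not a tool from the list, CIS or MIT krb5. Alias
and family spellings follow krb5.conf's documented names; the WEAK/DEPRECATED
split is this example's own assumption (check the krb5 release notes)."""
import re

# Canonical enctype name -> aliases accepted in krb5.conf (AES entries first).
ALIASES = {
    "aes256-cts-hmac-sha1-96": ["aes256-cts", "aes256-sha1"],
    "aes128-cts-hmac-sha1-96": ["aes128-cts", "aes128-sha1"],
    "aes256-cts-hmac-sha384-192": ["aes256-sha2"],
    "aes128-cts-hmac-sha256-128": ["aes128-sha2"],
    "des3-cbc-sha1": ["des3-hmac-sha1", "des3-cbc-sha1-kd"],
    "arcfour-hmac": ["rc4-hmac", "arcfour-hmac-md5"],
    "arcfour-hmac-exp": ["rc4-hmac-exp", "arcfour-hmac-md5-exp"],
    "des-cbc-crc": [], "des-cbc-md5": [],
}
CANONICAL = {**{a: n for n, als in ALIASES.items() for a in als},
             **{n: n for n in ALIASES}}
# Family keywords that krb5.conf expands to several enctypes.
FAMILIES = {"aes": list(ALIASES)[:4], "des3": ["des3-cbc-sha1"],
            "rc4": ["arcfour-hmac"], "des": ["des-cbc-crc", "des-cbc-md5"]}
# WEAK needs allow_weak_crypto=true to work at all; DEPRECATED still works.
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-exp"}
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")


def parse_libdefaults(text):
    """Top-level key/value pairs of [libdefaults]; nested {} blocks are skipped."""
    section, depth, values = None, 0, {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1).lower(), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = val
    return values


def expand_enctypes(spec):
    """Expand a krb5.conf enctype list (spaces/commas, families, +/- prefixes).
    DEFAULT is kept as a marker since the built-in list depends on the krb5
    version. Returns (enabled names in order, unrecognised tokens)."""
    enabled, disabled, unknown = [], set(), []
    for tok in re.split(r"[\s,]+", spec.strip()):
        name = tok.lstrip("+-").lower()
        if not name:
            continue
        if name == "default":
            names = ["DEFAULT"]
        elif name in FAMILIES:
            names = FAMILIES[name]
        elif name in CANONICAL:
            names = [CANONICAL[name]]
        else:
            unknown.append(tok)
            continue
        for n in names:
            if tok.startswith("-"):
                disabled.add(n)
            elif n not in enabled:
                enabled.append(n)
    return [n for n in enabled if n not in disabled], unknown


def audit(text):
    """Findings report for one krb5.conf text."""
    conf = parse_libdefaults(text)
    weak_ok = conf.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1")
    report = {"allow_weak_crypto": weak_ok, "enctypes": {}, "findings": []}
    if weak_ok:
        report["findings"].append("allow_weak_crypto=true: DES and export RC4 are usable")
    for key in ENCTYPE_KEYS:
        if key not in conf:
            continue
        enabled, unknown = expand_enctypes(conf[key])
        report["enctypes"][key] = enabled
        for name in enabled:
            if name in WEAK:
                state = "usable" if weak_ok else "listed but disabled by allow_weak_crypto"
                report["findings"].append(f"{key}: weak enctype {name} ({state})")
            elif name in DEPRECATED:
                report["findings"].append(f"{key}: deprecated enctype {name}")
        report["findings"].extend(f"{key}: unrecognised token {t!r}" for t in unknown)
    return report


# Constructed sample krb5.conf for this example (not from any real host).
SAMPLE_KRB5_CONF = """
[libdefaults]
    allow_weak_crypto = false
    # DES is listed below but stays off while allow_weak_crypto is false
    permitted_enctypes = aes256-sha2 aes128-sha2 aes rc4-hmac des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
"""
```

Run audit() on the krb5.conf collected from each client and server; wrapping that in whatever channel already ships configuration files to the audit host turns it into the per-interface "walk" the thread is asking for. Note that a listed weak enctype is reported even when allow_weak_crypto is false, because the finding a reviewer wants is "this list still names DES", not only "DES is currently usable".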


RE: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Brent Kimberley via Kerberos
Preferably something smaller and more focused than nmap or OpenSCAP. 



Protocol benchmarking / auditing inquiry

2024-02-14 Thread Brent Kimberley via Kerberos
Hi.
Can anyone point me to some methods to benchmark and/or audit Kerberos v5?

For example, SSH:
   Manual
      Read the RFCs and specs.
   Semi-automatic.
      jtesta/ssh-audit: SSH server & client security auditing (banner, key
      exchange, encryption, mac, compression, compatibility, security, etc)
      (github.com)
   Automatic
      SSH Configuration Auditor (ssh-audit.com)


TLS example upon request.
