Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On Mon, 2016-12-12 at 09:42 +0100, Christian Heimes wrote:
> Hi Simo,
>
> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
> of Kerberos requests are performed by anon pkinit and to establish a
> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
> and AP-REQ+KRB-PRV. Responses are not filtered.

No changes needed, we only use AS and TGS request types.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>>>> Hi Simo,
>>>>>
>>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>>> of Kerberos requests are performed by anon pkinit and to establish a
>>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>>>> The anonymous principal as configured in FreeIPA can only be used to
>>>> obtain a TGT, nothing else.
>>>>
>>>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>>
>>> That doesn't answer my question for me. Or does 'only TGT' imply that
>>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>>> about the two request types.
>> You can only obtain a TGT and this TGT can only be used for a FAST
>> channel. You cannot obtain any service ticket with this TGT.
> To close the loop, no changes in kdcproxy are needed because PKINIT is a
> pre-authentication scheme and it works just fine with kdcproxy as it is.
> I just tested this.

Alexander, thanks for your tests!

I have created an issue to add test cases to kdcproxy to ensure that we
stay compatible with PKINIT, https://github.com/latchset/kdcproxy/issues/23

Christian
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Christian Heimes wrote:
>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>>> Hi Simo,
>>>>
>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>> of Kerberos requests are performed by anon pkinit and to establish a
>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>>> The anonymous principal as configured in FreeIPA can only be used to
>>> obtain a TGT, nothing else.
>>>
>>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>
>> That doesn't answer my question for me. Or does 'only TGT' imply that
>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>> about the two request types.
> You can only obtain a TGT and this TGT can only be used for a FAST
> channel. You cannot obtain any service ticket with this TGT.

To close the loop, no changes in kdcproxy are needed because PKINIT is a
pre-authentication scheme and it works just fine with kdcproxy as it is.
I just tested this.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On 2016-12-12 09:54, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Christian Heimes wrote:
>> Hi Simo,
>>
>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>> of Kerberos requests are performed by anon pkinit and to establish a
>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>> and AP-REQ+KRB-PRV. Responses are not filtered.
> The anonymous principal as configured in FreeIPA can only be used to
> obtain a TGT, nothing else.
>
> See https://tools.ietf.org/html/rfc6112 for a spec definition.

That doesn't answer my question for me. Or does 'only TGT' imply that
request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
about the two request types.

Christian
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On Mon, 12 Dec 2016, Christian Heimes wrote:
> Hi Simo,
>
> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
> of Kerberos requests are performed by anon pkinit and to establish a
> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
> and AP-REQ+KRB-PRV. Responses are not filtered.

The anonymous principal as configured in FreeIPA can only be used to
obtain a TGT, nothing else.

See https://tools.ietf.org/html/rfc6112 for a spec definition.

-- 
/ Alexander Bokovoy
[Freeipa-devel] Anonymous PKINIT and kdcproxy
Hi Simo,

I'm wondering if we need to change kdcproxy for anon pkinit. What kind
of Kerberos requests are performed by anon pkinit and to establish a
FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
and AP-REQ+KRB-PRV. Responses are not filtered.

Regards,
Christian
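The request-type filter this thread is about, shown as an added illustration that is not kdcproxy's own code: a proxied Kerberos message is classified by its outer ASN.1 [APPLICATION n] tag (RFC 4120 section 5.10), and only AS-REQ, TGS-REQ and the AP-REQ+KRB-PRIV pair are forwarded; replies, a stray KRB-PRIV, or anything malformed are dropped. Assumptions: the payload is the kerb-message field of a KDC-PROXY-MESSAGE (MS-KKDCP), i.e. a 4-byte big-endian length followed by the DER message; the kpasswd pair is modelled as a bare AP-REQ followed by a KRB-PRIV (RFC 3244's extra version and length fields are left out); the sample messages are constructed placeholders with empty bodies, since only the outer tag matters for this check. The point that settles the thread's question is visible here: a PKINIT or FAST-armored AS-REQ is still an AS-REQ at this level, because pre-authentication data lives inside the KDC-REQ rather than in a new message type.

```python
"""Outer-tag classification of proxied Kerberos messages (added example,
not kdcproxy's code). Framing and samples are assumptions, see comments."""
import struct

# RFC 4120 wraps every Kerberos message in an [APPLICATION n] DER tag.
APP_TAGS = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
    22: "KRB-CRED", 30: "KRB-ERROR",
}
# Request kinds the proxy forwards; replies and everything else are dropped.
ALLOWED_REQUESTS = {"AS-REQ", "TGS-REQ", "AP-REQ+KRB-PRIV"}


def der_tlv(buf: bytes, offset: int = 0):
    """Parse one DER tag/length header at offset.
    Returns (tag_class, constructed, tag_number, content_offset, content_length).
    Low-tag-number form only, which covers every Kerberos application tag."""
    if offset >= len(buf):
        raise ValueError("truncated TLV")
    first = buf[offset]
    tag_class = first >> 6            # 0 universal, 1 application, 2 context, 3 private
    constructed = bool(first & 0x20)
    number = first & 0x1F
    if number == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos = offset + 1
    if pos >= len(buf):
        raise ValueError("truncated length")
    length = buf[pos]
    pos += 1
    if length & 0x80:                 # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:  # 0x80 is indefinite length, not DER
            raise ValueError("unsupported DER length")
        if pos + nbytes > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag_class, constructed, number, pos, length


def message_type(buf: bytes, offset: int = 0):
    """Name of the Kerberos message at offset and its total encoded size."""
    cls, constructed, num, content, length = der_tlv(buf, offset)
    if cls != 1 or not constructed or num not in APP_TAGS:
        raise ValueError("not a Kerberos APPLICATION tag")
    return APP_TAGS[num], (content - offset) + length


def classify(kerb_message: bytes) -> str:
    """Request kind seen by the proxy, e.g. 'AS-REQ' or 'AP-REQ+KRB-PRIV'.
    Assumed framing: 4-byte big-endian length, then the DER message."""
    if len(kerb_message) < 4:
        raise ValueError("missing length prefix")
    (declared,) = struct.unpack("!I", kerb_message[:4])
    body = kerb_message[4:]
    if declared != len(body):
        raise ValueError("length prefix does not match body")
    name, size = message_type(body)
    if name == "AP-REQ":
        # kpasswd-style pair (assumed bare concatenation, RFC 3244 framing omitted)
        second, size2 = message_type(body, size)
        if second != "KRB-PRIV" or size + size2 != len(body):
            raise ValueError("AP-REQ must be followed by exactly one KRB-PRIV")
        return "AP-REQ+KRB-PRIV"
    if size != len(body):
        raise ValueError("trailing bytes after message")
    return name


def should_forward(kerb_message: bytes) -> bool:
    """Policy decision: forward only well-formed, allowed request kinds."""
    try:
        return classify(kerb_message) in ALLOWED_REQUESTS
    except ValueError:
        return False


def app(tag: int, content: bytes) -> bytes:
    """Constructed sample: minimal [APPLICATION tag] TLV (0x60 = application, constructed)."""
    if len(content) >= 128:
        raise ValueError("sample helper supports short-form lengths only")
    return bytes([0x60 | tag, len(content)]) + content


def frame(*ders: bytes) -> bytes:
    """Constructed sample: prepend the assumed 4-byte length prefix."""
    body = b"".join(ders)
    return struct.pack("!I", len(body)) + body


# Constructed samples with an empty SEQUENCE body; real messages carry a full KDC-REQ.
SAMPLE_AS_REQ = frame(app(10, b"\x30\x00"))
SAMPLE_TGS_REQ = frame(app(12, b"\x30\x00"))
SAMPLE_KPASSWD = frame(app(14, b"\x30\x00"), app(21, b"\x30\x00"))
SAMPLE_AS_REP = frame(app(11, b"\x30\x00"))          # a reply sent as a request
SAMPLE_KRB_PRIV_ALONE = frame(app(21, b"\x30\x00"))  # KRB-PRIV without its AP-REQ
SAMPLE_BAD_LENGTH = b"\x00\x00\x00\x09" + app(10, b"\x30\x00")

if __name__ == "__main__":
    for label, msg in [("AS-REQ", SAMPLE_AS_REQ), ("AS-REP", SAMPLE_AS_REP),
                       ("kpasswd", SAMPLE_KPASSWD), ("bad length", SAMPLE_BAD_LENGTH)]:
        print(f"{label:10s} forward={should_forward(msg)}")
```

Because the check stops at the outer tag, it forwards an anonymous-PKINIT AS-REQ and its FAST-armored successors unchanged, which matches the conclusion reached in the thread; it also shows why responses need no filtering on this path, since a reply type arriving as a request is simply refused.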