On Tue, Nov 6, 2018 at 9:18 PM Grant Taylor via TUHS <tuhs(a)minnie.tuhs.org>
wrote:
On 11/06/2018 12:07 AM, Mantas Mikulėnas wrote:
These days the modification generally consists of
pam_krb5 added to the
system's PAM configuration.
Hum.... I need to do some reading on that.
And similarly – in other protocols (IMAP, SMTP,
IRC, the same LDAP) one
can authenticate a session via SASL, which usually wraps GSSAPI, which
usually wraps Kerberos.
*nod*
Complicating things is that implementations can choose to bypass SASL
and do the GSSAPI interaction directly. Or take things even further and
do the Kerberos interaction directly.
Though from what I've seen on their mailing list, MIT Kerberos developers
seem to recommend using GSSAPI at minimum, rather than the raw Kerberos
APIs.
Yet another reason why all these things are complicated. So many
choices that impact other choices in the same problem domain.
You're right, it's primarily an
authentication protocol.
:-)
But due to the way it works, it *also* negotiates
a 'session key'
between
the user and the service, which then may be used
for transport
encryption
(sealing).
Does that mean that the protocols would need to retain the session key
and use it for their other non-Kerberos specific protocols? I.e. the
rsh daemon would need to use the session key to encrypt / decrypt the
rsh data, after and independent of the Kerberos authentication process.
Well, they can use it, but they don't have to. It's up to the developer in
the end. The earlier kerberized protocols did, because they didn't have any
other encryption layer. Most recent protocols establish encryption in any
case (be it TLS or SSHv2 or something else) so they just don't bother
calling the SASL (or GSSAPI) seal functions.
It's not commonly used as far as I know –
most new protocols already
have their own security layers such as TLS or SSH.
ACK
I worry that other encryption protocols / methods have far surpassed
Kerberos' encryption capability / strength.
Kerberos does include modern enctypes (such as aes128/aes256), but from
what *little* I understand about this part, it's still not as good as the
modern protocols. (E.g. complete lack of PFS – the same client or server
always uses the same master key until it's manually rotated...)
On the bright side, the *authentication* of Kerberos is solid as far as
I've heard. (Which, again I know very little about this part, but I do
remember someone saying that it has an actual security proof, as well as
being decently quantum-resistant.)
Actually LDAP is the only still-widespread
protocol that comes to mind
whose implementations frequently make use of Kerberos-based encryption
(via GSSAPI).
O.o‽
This sounds like it would be independent of LDAP over SSL (TCP 636).
Would this Kerberos specified encryption be run over the standard LDAP
port (TCP 389)?
Usually, yes.
(There is no technical reason why it couldn't run inside TLS, it's just
redundant – OpenLDAP doesn't mind but e.g. Active Directory explicitly
refuses to use both encryption layers at once. If you use TLS, you can
still use GSSAPI auth, but it insists that you turn off the GSSAPI
signing/sealing.)
This is especially common in Active Directory
environments, where the
DCs might not have a valid TLS certificate.
O.o‽
I'm going to have to go pick my AD guru's brain after reading that.
(I seem to recall kerberized Telnet didn't
survive because it was
limited to DES/3DES for an odd reason. Didn't quite understand why that
was the case, though.)
#questionsQuestions
(This reminds me that I've noticed at least one of the MIT Kerberos
developers here in TUHS, who would surely know more about this than I've
gathered through barely few years of messing around.)
--
Mantas Mikulėnas