Add canonical client principal to PAC #902
Conversation
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
2 times, most recently
from
5d45cc1
to
f1e456a
Compare
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
2 times, most recently
from
a7521cf
to
0686b52
Compare
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
8 times, most recently
from
67aff24
to
c1b82f6
Compare
|
cc @josephsutton1 |
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
11 times, most recently
from
e618149
to
73a8447
Compare
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
2 times, most recently
from
fc1d314
to
d9ddd62
Compare
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
4 times, most recently
from
8f4cdb5
to
8ea73e5
Compare
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
from
8ea73e5
to
65255aa
Compare
lib/krb5/krb5.conf.5
Outdated
| @@ -518,6 +518,10 @@ If this flag is true, then all application protocol authentication | |||
| requests will be flagged to indicate that the application supports | |||
| channel bindings when operating over a secure channel. | |||
| The default value is false. | |||
| .It Li gss_canonicalize_source_name = Va boolean | |||
There was a problem hiding this comment.
Why default to false? Why not true? What might break? Why have this be configurable? Why is this in GSS and not in the rd_req side in lib/krb5? Wouldn't we want this to be used for non-GSS apps? (Well, we don't want non-GSS krb5 apps, but that's another story.)
If this should move to lib/krb5, maybe rename this param to use_client_name_from_pac.
There was a problem hiding this comment.
Also, with the Principal decoration I'm adding, maybe we could stuff the canonical and alias names in there and provide an accessor (name attributes).
There was a problem hiding this comment.
Why default to false? Why not true? What might break? Why have this be configurable? Why is this in GSS and not in the
rd_reqside inlib/krb5? Wouldn't we want this to be used for non-GSS apps? (Well, we don't want non-GSS krb5 apps, but that's another story.)If this should move to
lib/krb5, maybe rename this param touse_client_name_from_pac.
Can move to lib/krb5, good idea. Defaulting to TRUE will change behaviour where aliases are used without the canonicalize flag which would break @jaltman's use case.
There was a problem hiding this comment.
Also, note, because of the rd_req API, this will involve replacing ticket->client with the canonical name from the PAC; the ticket client will be lost forever.
|
LGTM except for the config matter (see commentary). |
If the UPN_DNS_INFO buffer in the Windows PAC contains a canonical principal name, use it in lieu of the ticket client name to determine the GSS-API initiator name.
Use the UPN_DNS_INFO buffer of the PAC to include the canonical principal name. Arguably we should use AD-LOGIN-ALIAS as defined in RFC6806, but we may not always know all the principal's aliases, and this approach allows us to share application service logic with Windows.
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
from
65255aa
to
6912ccf
Compare
Add PAC_ATTRIBUTES_INFO to the PAC. This info buffer indicates whether the user explicitly requested a PAC be present or absent. Note: this changes the windc plugin ABI.
Note the selected pre-authentication mechanism, and add a callback to allow the pre-authentication mechanism to update the PAC immediately prior to signing.
Update the sample GSS pre-authentication authorizer plugin to allow the PAC to be pinned to the authenticating user's SID. There is still a race condition between the time the user authenticates and the time the SID is looked up via LDAP, but it should be sufficient as an example; if more security is required, then users should be enrolled with their SIDs.
lhoward
force-pushed
the
lukeh/canon-name-pac
branch
from
6912ccf
to
88d4c27
Compare
KDC and libkrb5 support for the UPN_DNS_INFO_EX PAC info buffer, which contains the canonical client name from the TGT.