Automatically randomizing principal keys (in preauth plugin)
Greg Hudson
ghudson at MIT.EDU
Wed Mar 23 13:42:14 EDT 2011
On Wed, 2011-03-23 at 07:51 -0400, Yair Yarom wrote:
> 1. Have the preauth plugin check if there's a key available, and if not
> create a random one and insert it into the database. Is this
> possible? If so how and where in the plugin should I do it?

I think it's possible, just by making krb5_db_* calls in the verify_proc
with the provided context. It doesn't seem very clean, but I can't
think of a reason why it wouldn't work.

> 2. Have all users have the same static (random) key. Here the question
> is how insecure is it? i.e. I force the use of my preauth plugin as
> it's the only one installed that provides HW authentication
> (allegedly). So is this key actually used anywhere?

I think you'd want to set the KRB5_KDB_DISALLOW_SVR flag on the user
principals so people couldn't print service tickets for them. Beyond
that, I can't think of a risk, although that doesn't mean there isn't a
risk.

> Any other suggestion would be appreciated.

Depending on your deployment requirements, it might be possible to alter
the KDC to allow principals with no keys. I think we would need to
create a new preauth plugin flag for "I don't need an input reply key"
to avoid incompatibilities with existing plugins.
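
An added example, not part of the original message or of the krb5 code base: a Python audit that parses `kadmin.local getprinc` output and lists user principals that still lack DISALLOW_SVR, the flag suggested in the reply above. The sample output is constructed and abbreviated, and treating names without a '/' as user principals is an assumption.

```python
# Constructed, abbreviated `kadmin.local -q "getprinc <name>"` output for three
# principals (sample data, not taken from a real KDC).
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]
Principal: bob@EXAMPLE.COM
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: host/web1.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 3, aes256-cts-hmac-sha1-96
Attributes:
Policy: [none]
"""


def parse_getprinc(text):
    """Return {principal: set of attribute names} from concatenated getprinc output."""
    principals, current = {}, None
    for line in text.splitlines():
        field, _, value = line.partition(":")
        if field == "Principal":
            current = value.strip()
            principals[current] = set()
        elif field == "Attributes" and current is not None:
            principals[current].update(value.split())
    return principals


def is_user_principal(name):
    """Assumption: user principals have one component (no '/' before the realm)."""
    return "/" not in name.rsplit("@", 1)[0]


def missing_disallow_svr(text):
    """User principals for which the KDC would still issue service tickets."""
    return sorted(name for name, attrs in parse_getprinc(text).items()
                  if is_user_principal(name) and "DISALLOW_SVR" not in attrs)


if __name__ == "__main__":
    for name in missing_disallow_svr(SAMPLE):
        # Remediation with the stock admin tool: kadmin -q "modprinc -allow_svr <name>"
        print(f"{name}: DISALLOW_SVR not set")
```
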