[14488] in Kerberos


Re: un-kerberized clients

daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Mon May 28 17:59:03 2001

From: sxw@dcs.ed.ac.uk (Simon Wilkinson)
Date: 28 May 2001 21:38:16 GMT
Message-ID: <9eugg8$sdc$1@kane.dcs.ed.ac.uk>
To: kerberos@MIT.EDU

Russell P. Sutherland (russ@madhaus.cns.utoronto.ca) wrote:
: I am beginning a project to bring kerberos into a campus wide
: authentication scheme.

: Most of our current server-client applications use a WWW browser
: as the client.

I've been looking into this recently as well.

: 1. What are the options currently available to kerberize WWW browsers?

The options seem to be 
 a) Use the user's Kerberos credentials to obtain X509 credentials, which
    can then be used in an SSL session
 b) Bolt Kerberos authentication into the HTTP authentication exchange
 c) Use one of the mechanisms for adding Kerberos to the SSL handshake

For option a, I've been evaluating the kx509 code from CITI at UMich
for use locally. This provides a means for users to obtain short lived
X509 certificates upon presentation of valid Kerberos credentials.
These can then be integrated directly with IE on Windows, or
incorporated into Netscape via a PKCS#11 module. The system appears to
work well, although fitting it into a wider PKI may be difficult. I've
made a number of alterations to the code to generalise the
configuration and build so that it will work in a wider environment,
and to remove some local dependencies. I'm feeding these patches back.

kx509 is available from 
http://www.citi.umich.edu/projects/kerb_pki/index.html

Option b seems (from recent posts) to be what Microsoft are using in
Windows 2000. They seem to be using some form of SPNEGO. There are
also Apache modules and very old patches for Mosaic, to support
another means of encoding Kerberos authentication. 

Option c is currently under discussion in the TLS working group. There
is an rfc, 2712, which describes one means of doing this. OpenSSL has
an implementation, and I produced a proof of concept implementation
for Mozilla's NSS. However, 2712 has a number of problems (not least
of which is that it is very hard to produce interoperable
implementations based on its descriptions.) There is a new draft -
draft-ietf-tls-kerb-00 - which appears to be more promising, although
more complex to implement. I'll probably continue work on implementing
this in NSS, although actually getting it into the Mozilla browser will
probably be considerably harder.

The Bugzilla bug report concerning this is at:
http://bugzilla.mozilla.org/show_bug.cgi?id=61932


: 2. Is it possible for a server/principal to access the KDC and gain
:    sufficient information to authenticate an "non-kerberized" request from
:    a client (say a WWW browser using a SSL session)?

You can do this using the kx509 code outlined above.

Hope this helps, feel free to email me if you have further questions or 
comments.

Cheers,

Simon.


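The following is an added example that is not part of Simon's post and is not the CITI kx509 code. It models option (a) and the answer to question 2 end to end in Go's standard library: a small issuing CA that signs a short-lived client certificate for a Kerberos principal that the caller has already authenticated (the AP-REQ verification itself is assumed and not shown), capping the certificate lifetime to the remaining ticket lifetime and to a fixed maximum, and the web-server side that, given the DER client certificate from an SSL handshake, checks the chain, validity window and client-auth usage before trusting the principal in the subject CN. The principal names, the 10-hour cap and the realm EXAMPLE.ORG are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxCertLifetime caps how long an issued certificate may live regardless of
// the ticket lifetime. The 10h figure is an assumption for this example.
const MaxCertLifetime = 10 * time.Hour

// IssuingCA stands in for a kx509-style certificate server: it holds the CA
// key and signs short-lived client certificates.
type IssuingCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewIssuingCA generates a throwaway self-signed CA (constructed for the example).
func NewIssuingCA() (*IssuingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example kx509 CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &IssuingCA{Cert: cert, key: key}, nil
}

// IssueForPrincipal signs a client certificate for an already-authenticated
// Kerberos principal. Verifying the AP-REQ that proves the principal is
// assumed to have been done by the caller. The certificate lifetime is capped
// to the remaining ticket lifetime and to MaxCertLifetime, so a stolen
// certificate is worth no more than the ticket that produced it.
func (ca *IssuingCA) IssueForPrincipal(principal string, ticketExpiry time.Time, pub *ecdsa.PublicKey) ([]byte, error) {
	now := time.Now()
	if principal == "" {
		return nil, errors.New("empty principal")
	}
	if !ticketExpiry.After(now) {
		return nil, errors.New("kerberos ticket already expired")
	}
	notAfter := ticketExpiry
	if limit := now.Add(MaxCertLifetime); notAfter.After(limit) {
		notAfter = limit
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: principal},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
}

// PrincipalFromClientCert is the web-server side of question 2: given the DER
// client certificate presented in the SSL handshake, check that it chains to
// the kx509 CA, is valid at time `at` and is a client-auth certificate, then
// return the Kerberos principal carried in its subject CN.
func PrincipalFromClientCert(caCert *x509.Certificate, der []byte, at time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	if cert.IsCA {
		return "", errors.New("client certificate claims to be a CA")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, err := NewIssuingCA()
	if err != nil {
		panic(err)
	}
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed input: a principal whose ticket expires 8 hours from now.
	der, err := ca.IssueForPrincipal("alice@EXAMPLE.ORG", time.Now().Add(8*time.Hour), &userKey.PublicKey)
	if err != nil {
		panic(err)
	}
	p, err := PrincipalFromClientCert(ca.Cert, der, time.Now())
	fmt.Println("now:", p, err)
	_, err = PrincipalFromClientCert(ca.Cert, der, time.Now().Add(9*time.Hour))
	fmt.Println("after ticket expiry:", err)
}
```

The server never consults the KDC: everything it needs is the CA certificate and the lifetime bound baked into the client certificate, which is the property that makes an un-kerberized browser usable. The points to keep in view are that the CA's AP-REQ check is the only thing tying the CN to a real principal, and that the cap on NotAfter is what keeps the certificate as short-lived as the ticket it was minted from.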