
Re: RFC 4121 & acceptor subkey use in MIC token generation

daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Oct 27 13:50:10 2023

Message-ID: <48daa6105af9bb8794a0003e75ad7cd3fdf3c9e4.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
Date: Fri, 27 Oct 2023 13:48:26 -0400
In-Reply-To: <202310262157.39QLvb2C012728@hedwig.cmf.nrl.navy.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 2023-10-26 at 17:57 -0400, Ken Hornstein via Kerberos wrote:
> > > Unfortunately, ANOTHER one of the "fun" rules I live under is, "Thou
> > > shall have no other PKI than the DoD PKI".  And as much as I can
> > > legitimately argue for many of the unusual things that I do, I can't get
> > > away with that one; [...]
> > 
> > A CA that issues short-lived certificates (for keys that might be
> > software keys) is morally equivalent to a Kerberos KDC.  You ought to be
> > able to deploy such online CAs that issue only short-lived certs.
> 
> You know that.  I know that.  But remember: "if you're explaining,
> you're losing".  When asked I can honestly say, "Kerberos is not
> a PKI" and that's good enough, but I can't say with a straight
> face, "This X.509 CA over here is not a PKI".
> 
> > Presumably OpenSSH CAs are a different story because they're not
> > x.509?  :)
> 
> Strangely enough, I am not aware of anyone in the DoD that uses OpenSSH
> CAs (there probably are, I just don't know them).  I could see it being
> argued both ways.  The people I know who use OpenSSH are (a) using
> gssapi-with-mic like us, (b) just using passwords, or (c) using their
> client smartcard key as a key for RSA authentication and they call that
> "DOD PKI authentication".  Again, you know and I know that isn't really
> using PKI certificates, but the people up the chain aren't really smart
> enough to understand the distinction; they see that you're using the
> smartcard and that's good enough for them.
> 
> > > We _do_ do PKINIT with the DoD PKI today; that is relatively
> > > straightforward with the exception of dealing with certificate
> > > revocation (last time I checked the total size of the DOD CRL package
> > > was approximately 8 million serial numbers, sigh).
> > 
> > Don't you have OCSP responders?
> 
> We _do_, it's just a pain to find an OCSP responder that can handle that
> many.  If the official ones go offline that breaks our KDC so we run our
> own locally.
> 
> > One of the problems I'm finding is that SSHv2 client implementations are
> > proliferating, and IDEs nowadays tend to come with one, and not one of
> > them supports GSS-KEYEX, though most of them support gssapi-with-mic, so
> > it makes you want to give up on GSS-KEYEX.
> 
> Right, part of the problem there is that people want to "use Kerberos
> with ssh", and they don't understand the difference between gssapi-with-mic
> and gss-keyex.

Aren't you supposed to use CAC or PIV cards?
You can definitely use OpenSSH clients with PIV cards and avoid
Kerberos altogether.

Simo.

-- 
Simo Sorce,
DE @ RHEL Crypto Team,
Red Hat, Inc

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos