[20268] in Kerberos_V5_Development
Adding support for optimistic preauth to kinit
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sat Apr 3 20:09:23 2021
Message-ID: <202104040005.13405rva016717@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: krbdev@mit.edu
MIME-Version: 1.0
Date: Sat, 03 Apr 2021 20:09:06 -0400
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
So during some recent testing, I realized that there is one bit of
functionality in kinit that is missing; the ability to set the optimistic
preauth list. By this, I mean a list of preauthentication types to try
first instead of falling back to a list based on the list from the
"preauth required" error code.
Why would you want to do this? Well, here's what we use that for:
- We have users that have a hardware preauth configured, but not required.
This allows them to use their password to access a subset of site
resources but optionally use their hardware token to access resources that
require the extra security of a hardware token.
- We have users that have multiple tokens configured (typically this is
a smartcard that is used with PKINIT and a one-time token that uses SAM2).
There are a number of times where you might want to use one or the
other (if one is non-functional, or you can't use a smartcard driver).
>From an architectural standpoint, the hard work is already done; the
library supports this via an already-exposed API in the get_init_creds
interface (krb5_get_init_creds_opt_set_preauth_list()). It's just
that kinit has no way to set this list.
What I was thinking was a new flag lets you add preauth types to the
optimistic preauth list. I'm not sure what letter makes sense as a lot
are already taken. Maybe -U? I have no preference here. What this
would look like would be:
% kinit -U pkinit -U sam2 -U 191 user@REALM
The idea here being you could pick from a small list of symbolic
names of preauth types, and if that wasn't sufficient you could add
a number to capture future types. You could add multiple options to
have multiple entries in the preauth list. I think this is relatively
straightforward to implement; what do people think of this idea? I'd be
glad to submit the code for it.
--Ken
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
