While we were gone. . .Current release (1.13)
Coming soon. . .
Updates from MIT Kerberos
Benjamin [email protected] [email protected]
20 August, 2015
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
While we were gone. . .
Current release (1.13)Security
Coming soon. . .krb5-1.14KfWOn the horizonA bit further off
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
Things you should know about but might have missed
I KRB5_TRACE
I kadmin purgekeys for krbtgt rekeying
I DIR: ccache type and collection-enabled ccaches
I GSS acceptors can wildcard hostname part of host-basedservice
I client keytabs
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.12
Freshly released for EAKC 2014, but a quick recap:
I More plugin interfaces: aname-to-lname, kuserok, host-realm,default-realm
I KDB policy records are more flexible; no refcounts → betterperformance
I Support principals with no long-term keys (e.g., forOTP/PKINIT)
I KDC support for FAST OTP (RFC 6560)
I Improvents to the KEYRING: cache, including collectionsupport
I AES-NI when available
I Experimental KDC audit pluggable interface
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
While we were gone. . .
Current release (1.13)Security
Coming soon. . .krb5-1.14KfWOn the horizonA bit further off
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Schedule
I Shortened 10-month release cycle (1 year is normal)
I Released on-schedule October 15, 2014
I Should align better with OS releases (Fedora, Ubuntu, etc.)
I (krb5-1.14 is expected in October 2015)
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
krb5-1.13 features
I HTTP(S) transport — MS-KKDCP HTTP proxy
I Hierarchical iprop
I Support for configuring GSS mechanisms via/etc/gss/mech.d/*.conf
I Support for SASL binds in the LDAP KDB backend
I KDC listens on TCP by default
I KCM: cache type for Heimdal (e.g., OS X) compatibility
I Support for unlocked database dumps for the DB2 KDBbackend, to allow the KDC and kadmind to continueprocessing requests during dumps
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Late-breaking news in krb5-1.13
I SPNEGO improvements for out-of tree mechs (e.g., NTLM)
I fix build against libressl
I ksu cleanup
(but maybe you shouldn’t use ksu)
I KDC logging works with redirected stderr
I Incremental improvements to the replay cache performanceand correctness
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Late-breaking news in krb5-1.13
I SPNEGO improvements for out-of tree mechs (e.g., NTLM)
I fix build against libressl
I ksu cleanup (but maybe you shouldn’t use ksu)
I KDC logging works with redirected stderr
I Incremental improvements to the replay cache performanceand correctness
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Late-breaking news in krb5-1.13
I SPNEGO improvements for out-of tree mechs (e.g., NTLM)
I fix build against libressl
I ksu cleanup (but maybe you shouldn’t use ksu)
I KDC logging works with redirected stderr
I Incremental improvements to the replay cache performanceand correctness
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
MS-KKDCP
I HTTPS transport, reduces plaintext leakage
I Proxy can in principle filter out bogus requests, and gatewayinto DMZ
I Lets clients talk to KDCs that might otherwise be unreachable
I Kind of like IAKERB, but. . . actually deployed
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
replay cache
Some protocols can be designed to not need a replay cache (byusing an acceptor subkey or other key confirmation methods).
For safety and correctness, other protocols need a cache to detectand avoid replay attacks. MIT krb5 supplies such animplementation at the library level, but the implementation is notvery performant.
Is replay cache performance an issue for anyone here? Please talkto us!
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Security Advisories
MITKRB5-SA-2014-001:
I CVE-2014-4345: Buffer overrun in kadmind with LDAPbackend
I cpw -keepold triggered miscounting of array size
MITKRB5-SA-2015-001
I CVE-2014-5352: gss process context token() incorrectly freescontext
I CVE-2014-9421: kadmind doubly frees partial deserializationresults
I CVE-2014-9422: kadmind incorrectly validates server principalname
I CVE-2014-9423: libgssrpc server applications leakuninitialized bytes
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Security Advisories
MITKRB5-SA-2014-001:
I CVE-2014-4345: Buffer overrun in kadmind with LDAPbackend
I cpw -keepold triggered miscounting of array size
MITKRB5-SA-2015-001
I CVE-2014-5352: gss process context token() incorrectly freescontext
I CVE-2014-9421: kadmind doubly frees partial deserializationresults
I CVE-2014-9422: kadmind incorrectly validates server principalname
I CVE-2014-9423: libgssrpc server applications leakuninitialized bytes
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Security Advisories
MITKRB5-SA-2014-001:
I CVE-2014-4345: Buffer overrun in kadmind with LDAPbackend
I cpw -keepold triggered miscounting of array size
MITKRB5-SA-2015-001
I CVE-2014-5352: gss process context token() incorrectly freescontext
I CVE-2014-9421: kadmind doubly frees partial deserializationresults
I CVE-2014-9422: kadmind incorrectly validates server principalname
I CVE-2014-9423: libgssrpc server applications leakuninitialized bytes
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Security Advisories
MITKRB5-SA-2014-001:
I CVE-2014-4345: Buffer overrun in kadmind with LDAPbackend
I cpw -keepold triggered miscounting of array size
MITKRB5-SA-2015-001
I CVE-2014-5352: gss process context token() incorrectly freescontext
I CVE-2014-9421: kadmind doubly frees partial deserializationresults
I CVE-2014-9422: kadmind incorrectly validates server principalname
I CVE-2014-9423: libgssrpc server applications leakuninitialized bytes
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .Security
Security Advisories
MITKRB5-SA-2014-001:
I CVE-2014-4345: Buffer overrun in kadmind with LDAPbackend
I cpw -keepold triggered miscounting of array size
MITKRB5-SA-2015-001
I CVE-2014-5352: gss process context token() incorrectly freescontext
I CVE-2014-9421: kadmind doubly frees partial deserializationresults
I CVE-2014-9422: kadmind incorrectly validates server principalname
I CVE-2014-9423: libgssrpc server applications leakuninitialized bytes
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
While we were gone. . .
Current release (1.13)Security
Coming soon. . .krb5-1.14KfWOn the horizonA bit further off
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Upcoming items from MIT Kerberos
I krb5-1.14 in October
I KfW 4.1 expected . . . sometime this year
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
krb5-1.14 features
I CAMMAC
I Authentication Indicator
I Hopefully, a reporting-friendly dump format
I gss acquire cred with password behavior change
I make FILE: cache somewhat more efficient
I Don’t generate new des3 and arcfour keys by default
I Option for site-specific error message wrapping, and includethe FILE: ccache name in errors
I Use Linux OFD locks when available
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
krb5-1.14 features (continued)
I (developers only) note skipped tests in make check output
I Incremental improvements to multi-hop preauthentication
I document FILE: ccache and keytab file formats
I Support 32-bit kvno keytab extensions
I Log a notice when kadm5.acl fails to parse
I Disallow principal renames with LDAP backend
I Improvements to incremental database propogation
I Limit use of “old” and “wrong” krb5 mechanism OIDs
I Limit use of IAKERB
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
CAMMAC
I Signed authorization data, originating from KDC
I Can be safely passed back to KDC for processing, unlikeAD-KDC-ISSUED
I Generic container, can be used for authentication indicator,PAD, storing other data only available at initialauthenticaiton, . . .
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Authentication Indicator
I Client principals could have multiple usable preauthmechanisms
I Services want to know how (strong) the initial authenticationwas
I Encrypted timestamp is fine for mail, but need OTP forpayroll access, or PKINIT for making changes in puppet
I Carried in a CAMMAC to prevent tampering
I A string identifier (readable, but “opaque” to machines) forthe initial authentication
I Different OTP schemes can get different strings (e.g.,hardware token vs. app on phone
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Authentication Indicator
I Client principals could have multiple usable preauthmechanisms
I Services want to know how (strong) the initial authenticationwas
I Encrypted timestamp is fine for mail, but need OTP forpayroll access, or PKINIT for making changes in puppet
I Carried in a CAMMAC to prevent tampering
I A string identifier (readable, but “opaque” to machines) forthe initial authentication
I Different OTP schemes can get different strings (e.g.,hardware token vs. app on phone
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Authentication Indicator
I Client principals could have multiple usable preauthmechanisms
I Services want to know how (strong) the initial authenticationwas
I Encrypted timestamp is fine for mail, but need OTP forpayroll access, or PKINIT for making changes in puppet
I Carried in a CAMMAC to prevent tampering
I A string identifier (readable, but “opaque” to machines) forthe initial authentication
I Different OTP schemes can get different strings (e.g.,hardware token vs. app on phone
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Authentication Indicator
I Client principals could have multiple usable preauthmechanisms
I Services want to know how (strong) the initial authenticationwas
I Encrypted timestamp is fine for mail, but need OTP forpayroll access, or PKINIT for making changes in puppet
I Carried in a CAMMAC to prevent tampering
I A string identifier (readable, but “opaque” to machines) forthe initial authentication
I Different OTP schemes can get different strings (e.g.,hardware token vs. app on phone
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Authentication Indicator
I Client principals could have multiple usable preauthmechanisms
I Services want to know how (strong) the initial authenticationwas
I Encrypted timestamp is fine for mail, but need OTP forpayroll access, or PKINIT for making changes in puppet
I Carried in a CAMMAC to prevent tampering
I A string identifier (readable, but “opaque” to machines) forthe initial authentication
I Different OTP schemes can get different strings (e.g.,hardware token vs. app on phone
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Authentication Indicator
I Client principals could have multiple usable preauthmechanisms
I Services want to know how (strong) the initial authenticationwas
I Encrypted timestamp is fine for mail, but need OTP forpayroll access, or PKINIT for making changes in puppet
I Carried in a CAMMAC to prevent tampering
I A string identifier (readable, but “opaque” to machines) forthe initial authentication
I Different OTP schemes can get different strings (e.g.,hardware token vs. app on phone
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
KfW 4.1 outline
I KfW 4.0 (based off krb5-1.10) was released in 2012
I Time past time for an update
I Based off krb5-1.13
I Waiting for feedback from testers to release
I Please test KfW 4.1 beta 2!
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
KfW 4.1 features
I Improved support for MSLSA: ccache type
I New library for ribbon interface, more accessible for screenreaders
I Registry key for default realm
I Modernization in installer sources
I All the features from krb5 1.11 through krb5 1.13
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Candidates for krb5-1.15
I SPAKE preauthI prevents offline dictionary attackI forward secrecy in generated session keys (with respect to the
password-derived key)I option for two-factor as part of same exchangeI For simple second factors, attacker can’t tell which factor was
wrong
I More progress on Python kerberos for testing?
I More progress on moving DNS resolution off clients to theKDC
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Candidates for krb5-1.15
I SPAKE preauthI prevents offline dictionary attackI forward secrecy in generated session keys (with respect to the
password-derived key)I option for two-factor as part of same exchangeI For simple second factors, attacker can’t tell which factor was
wrong
I More progress on Python kerberos for testing?
I More progress on moving DNS resolution off clients to theKDC
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Ongoing in the IETF
I PAD, akin to the MSFT PAC
I New (faster?) enctypes
I Java GSS bindings updates (streams? no streams?)
I Deprecate des3 and arcfour
I PKINIT algorithm agility
I Extra round trips for AP exchange
I Convince us to take on your idea!
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Long-term goals
I Stop relying on the DNS!
I Let the KDC do the resolution, possibly via a local (trusted)copy of the zone file
I Pluggable interface for kadmin ACLs
I API or KCM-like credentials cache
I much more
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos
While we were gone. . .Current release (1.13)
Coming soon. . .
krb5-1.14KfWOn the horizonA bit further off
Thanks!
Benjamin Kaduk [email protected] [email protected] Updates from MIT Kerberos