Kerberos Digest, Vol 224, Issue 3

    From Yegor Matsekha@21:1/5 to All on Sat Sep 11 19:58:57 2021
    Thank you for the information, however this technical language is beyond my computer skill. If you don't mind, then may I observe your meeting in these emails?

    Sent from my iPhone

    On Sep 11, 2021, at 6:43 PM, kerberos-request@mit.edu wrote:

    Send Kerberos mailing list submissions to
    kerberos@mit.edu

    To subscribe or unsubscribe via the World Wide Web, visit
    https://mailman.mit.edu/mailman/listinfo/kerberos
    or, via email, send a message with subject or body 'help' to
    kerberos-request@mit.edu

    You can reach the person managing the list at
    kerberos-owner@mit.edu

    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of Kerberos digest..."


    Today's Topics:

    1. Re: heimdal http proxy (Charles Hedrick)
    2. Re: heimdal http proxy (Charles Hedrick)


    ----------------------------------------------------------------------

    Message: 1
    Date: Sat, 11 Sep 2021 22:16:36 +0000
    From: Charles Hedrick <hedrick@rutgers.edu>
    Subject: Re: heimdal http proxy
    To: Rick van Rein <rick@openfortress.nl>
    Cc: "kerberos@mit.edu" <kerberos@mit.edu>
    Message-ID: <EB1DCE86-9FAE-4897-89C5-0383095BF4A4@rutgers.edu>
    Content-Type: text/plain; charset="utf-8"

    My use case is a few web applications: Linux user group management, editing our wiki, and responding to help desk tickets. Generic web apps that I would like to use at home. We support CAS, but our university CAS server has disabled SSO. Since I already have a Kerberos ticket to use ssh, it would be nice to be able to get into the web apps without having to do CAS and Duo each time. (My Kerberos tickets also require two factor authentication to get them.)

    We use Kerberos and GSSAPI for other things, but not that I'd need at home.

    On Sep 11, 2021, at 2:22 PM, Rick van Rein <rick@openfortress.nl> wrote:

    Hello Charles,

    > I'd like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac uses Heimdal.

    SPNEGO has really a low security level. I am surprised this is considered acceptable for a https proxy.

    We are working on two better solutions, with software that classifies only little over "proof of concept".

    - TLS-KDH to integrate Kerberos authentication with ECDH encryption;
    this combination is in fact Quantum Proof

    https://datatracker.ietf.org/doc/html/draft-vanrein-tls-kdh

    - HTTP-SASL integrates SASL as a HTTP authentication mechanism, and this
    is meant to allow Kerberos as well. In contrast with SPNEGO, it would
    be possible to require Channel Binding (at least to the webserver _name_).
    https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl


    Take note: These have not even been proposed on this list, simply due to
    lack of time to actively discuss it (been mostly occupied with this and
    related implementations). So at best this could be a future opportunity.
    Still, your use case may help to propel the work forward, so please share
    if this would be helpful for your situation. You may want to pass this
    by your sysadmin too.


    Cheers,
    -Rick



    ------------------------------

    Message: 2
    Date: Sat, 11 Sep 2021 22:33:53 +0000
    From: Charles Hedrick <hedrick@rutgers.edu>
    Subject: Re: heimdal http proxy
    To: Rick van Rein <rick@openfortress.nl>
    Cc: "kerberos@mit.edu" <kerberos@mit.edu>
    Message-ID: <04863A7D-342E-42B0-B71A-D5816D9C22E8@rutgers.edu>
    Content-Type: text/plain; charset="utf-8"

    Another use case is getting tickets for Mac users. We have a few users that ssh into enough different hosts that they want to use kerberized ssh. Unless we open port 88 to the outside, they have to install MacPorts and use the MIT kinit. While it seems simple to me, it's not for real users. If they could point Heimdal to a proxy I think it would be easier to support. It won't work for two factor, since Apple's Heimdal kinit doesn't support that, but most of our users don't use two factor, just privileged users.

    The easier solution would be for Apple to move to MIT, but I have no way to make that happen.



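    What Charles is asking Heimdal for is what MIT krb5 already does when krb5.conf names the KDC as an https:// URL (for example `kdc = https://kdcproxy.example.com/KdcProxy` in the realm section): the AS/TGS exchange is carried over HTTPS to a proxy speaking MS-KKDCP instead of to port 88. The following is an added example, not code from this thread, from MIT or from Heimdal, showing the wire format such a proxy carries so that the "proxy" in the thread is concrete: the HTTP POST body is a DER KDC-PROXY-MESSAGE whose kerb-message field holds the KDC request with the same 4-byte length prefix Kerberos uses over TCP. The proxy host, path and realm name are placeholders, and the sample request is a constructed byte string standing in for a real AS-REQ.

```python
"""Wire format of a KDC-over-HTTPS proxy (MS-KKDCP).

Added example, not code from the thread or from MIT/Heimdal. MIT krb5 can
already reach a KDC through such a proxy when krb5.conf names the KDC as an
https:// URL (kdc = https://kdcproxy.example.com/KdcProxy, a placeholder);
client and proxy exchange HTTP POST bodies that are DER-encoded:

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message   [0] OCTET STRING,         -- 4-byte length + KDC-REQ/KDC-REP
        target-domain  [1] KerberosString OPTIONAL,
        dclocator-hint [2] INTEGER OPTIONAL
    }

The encoder and decoder are hand-written DER (no asn1 library) so the framing
is visible; the decoder rejects the length inconsistencies a proxy must not
forward blindly to the KDC.
"""
import struct
from typing import Optional, Tuple

SEQUENCE, OCTET_STRING, GENERAL_STRING = 0x30, 0x04, 0x1B
CTX0, CTX1, CTX2 = 0xA0, 0xA1, 0xA2          # [0], [1], [2] EXPLICIT context tags


def _der_len(n: int) -> bytes:
    """Minimal DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_kkdcp(kdc_req: bytes, realm: Optional[str] = None) -> bytes:
    """Wrap a raw KDC-REQ (or KDC-REP) in a KDC-PROXY-MESSAGE."""
    # kerb-message reuses the Kerberos-over-TCP framing: 4-byte big-endian length.
    inner = struct.pack(">I", len(kdc_req)) + kdc_req
    body = _tlv(CTX0, _tlv(OCTET_STRING, inner))
    if realm is not None:
        body += _tlv(CTX1, _tlv(GENERAL_STRING, realm.encode("ascii")))
    return _tlv(SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def decode_kkdcp(msg: bytes) -> Tuple[bytes, Optional[str]]:
    """Unwrap a KDC-PROXY-MESSAGE; returns (kdc_message, target_domain)."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single SEQUENCE")
    tag, v, pos = _read_tlv(body, 0)
    if tag != CTX0:
        raise ValueError("kerb-message missing")
    t, inner, e = _read_tlv(v, 0)
    if t != OCTET_STRING or e != len(v) or len(inner) < 4:
        raise ValueError("malformed kerb-message")
    (declared,) = struct.unpack(">I", inner[:4])
    if declared != len(inner) - 4:
        raise ValueError("kerb-message length prefix disagrees with payload")
    realm = None
    while pos < len(body):
        tag, v, pos = _read_tlv(body, pos)
        if tag == CTX1:
            t, s, e = _read_tlv(v, 0)
            if t != GENERAL_STRING or e != len(v):
                raise ValueError("malformed target-domain")
            realm = s.decode("ascii")
        elif tag != CTX2:                 # dclocator-hint is accepted and ignored
            raise ValueError("unexpected field tag 0x%02x" % tag)
    return inner[4:], realm


def http_request(host: str, path: str, msg: bytes) -> bytes:
    """The HTTP request the client sends to the proxy (TLS is the transport)."""
    hdr = ("POST %s HTTP/1.1\r\nHost: %s\r\nContent-Type: application/kerberos\r\n"
           "Content-Length: %d\r\n\r\n" % (path, host, len(msg)))
    return hdr.encode("ascii") + msg


# Constructed stand-in for an AS-REQ; a real one is the DER blob kinit builds.
SAMPLE_REQ = bytes(range(256))

if __name__ == "__main__":
    wire = encode_kkdcp(SAMPLE_REQ, "EXAMPLE.COM")
    print(len(http_request("kdcproxy.example.com", "/KdcProxy", wire)),
          decode_kkdcp(wire) == (SAMPLE_REQ, "EXAMPLE.COM"))
```

    The length checks in decode_kkdcp are the part worth keeping in mind for a proxy that sits on the internet side of a firewall: it should verify that the outer DER, the OCTET STRING and the 4-byte prefix all agree before relaying anything to port 88, since the KDC behind it was never meant to see unfiltered input from outside.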

    ------------------------------

    _______________________________________________
    Kerberos mailing list
    Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


    End of Kerberos Digest, Vol 224, Issue 3

    * Origin: fsxNet Usenet Gateway (21:1/5)