[Freeipa-devel] Design Review Keytab Retrieval

Nathaniel McCallum npmccallum at redhat.com
Fri Jun 20 18:30:46 UTC 2014 

On Fri, 2014-06-20 at 14:10 -0400, Simo Sorce wrote:
> On Fri, 2014-06-20 at 14:05 -0400, Nathaniel McCallum wrote:
> > On Mon, 2014-06-16 at 11:34 -0400, Simo Sorce wrote:
> > > Although the code is all done it would be nice to have a review of the
> > > feature, to see if it has all been captured:
> > > http://www.freeipa.org/page/V4/Keytab_Retrieval
> > 
> > I'm a bit confused about the behavior of enctypes in the Request.
> > 
> > "A list of enctypes is always necessary in input when a new keytab is
> > requested. However the list is filtered though the allowable enctypes
> > list and if nothing is left the operation is refused."
> > 
> > +1. However, the generated keys should be the set of allowed enctypes,
> > not the intersection between allowed and requested enctypes. This would
> > permit the later requesting of enctypes that were allowed at the time of
> > creation, but not requested.
> 
> Which you absolutely do not want.
> If your service understands only RC4-HMAC and you provide it with AES
> keys then communication from a third party client will fail because the
> KDC will give that client an AES encrypted ticket that the service does
> not know how to decrypt.
> 
> This is particularly important for old NFS Servers (like RHEL5) that
> understand only DES (sigh!)
> 
> > "If the getNew attribute is false, then the existing key is being
> > requested. In this case password and enctypes MUST NOT be set."
> > 
> > I don't get this. Shouldn't the return value of this request include
> > only the intersection between allowed and requested enctypes?
> 
> Not when you are retrieving existing keys. Only when you are creating
> new keys.
> 
> > There is no point in responding with enctypes the client has not requested.
> > And indeed, this provides extra data points to attack.
> 
> ??
> 
> > Having this proposed behavior also means you can remove OPTIONAL from
> > enctypes.
> 
> OPTIONAL is there because when you request existing keys it makes no
> sense to send a lit of enctypes, you get what the KDC has, the whole
> package, because you must be able to decrypt any ticket you get, getting
> a subset of keys would make no sense.
> 
> > So as it stands, enctypes currently controls what keys are generated. I
> > would prefer that enctypes controls what keys are returned. Am I missing
> > something?
> 
> I most definitely think you are :-)

Ah, right. This boils down to the KDC not having any way to know what
enctypes the destination principal supports. Thanks for clarifying that.

In this case, the ASN.1 provided is confusing. I think something like
this would be clearer and less error prone:

KeytabGetMessage ::= CHOICE {
    fetch        [0] Fetch,
    create       [1] Create
    reply        [2] Reply
}

Fetch ::= SEQUENCE {
    serviceIdentity [0] OCTET STRING
}

Create ::= SEQUENCE {
    serviceIdentity [0] OCTET STRING,
    enctypes        [1] SEQUENCE OF Int16,
    password        [2] OCTET STRING OPTIONAL
}

This would also, I think, result in a cleaner implementation where the
type of operation is logically built into the decoding step.

Nathaniel

More information about the Freeipa-devel mailing list