#237 Kerberos client functionality should be able to use FAST if available
Closed: Fixed None Opened 12 years ago by nalin.

http://tools.ietf.org/wg/krb-wg/draft-ietf-krb-wg-preauth-framework/ describes a method of using a TGT to protect the privacy of the portions of a KDC request which are traditionally sent in plaintext (flexible authentication secure tunneling, or FAST). Because it encrypts the entire client request, this also establishes a way to tunnel data which can't safely be sent in plaintext, but which otherwise would be sufficient for authenticating the user (data provided by OTP tokens is a frequently-mentioned example).

krb5 1.7 added the krb5_get_init_creds_opt_set_fast_ccache_name() function to pass the library the name of a ccache which contains a TGT (typically one that's been obtained using keys from a local keytab file, or anonymously) to use for this purpose. When it's used, however, the client starts to require that the KDC also supports FAST.

While, for that reason, I doubt we'd want to turn it on by default universally, it'd be handy if we could provide admins with a way to ask sssd to use FAST.

Fields changed

owner: somebody => sbose

Fields changed

milestone: SSSD Deferred => SSSD 1.1

Fields changed

milestone: SSSD 1.1 => SSSD Deferred

According to Simo: Sam Hartman claims 1.8 library automatically fallback if FAST is not supported by the KDC. Then it seems a good candidate for 1.4

milestone: SSSD Deferred => NEEDS_TRIAGE

As you mention, with 1.8 things are indeed different -- FAST is not required just because you've set a ccache location. That behavior can be toggled on with krb5_get_init_creds_opt_set_fast_flags(KRB5_FAST_REQUIRED).

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.4.0

Fields changed

milestone: SSSD 1.5.0 => NEEDS_TRIAGE

Fields changed

component: SSSD => Kerberos Provider

Fedora 14 has MIT Kerberos 1.8 and as mentioned earlier FAST can be made optional with this release. I suggest the we should add FAST support for sssd 1.5 based on a configure check if krb5_get_init_creds_opt_set_fast_flags() and maybe KRB5_FAST_REQUIRED are available.

We need to decide how we want to handle the two options to option the TGT needed for FAST. Not all KDC may support anonymous access and not all clients may have keytab which can be used. I suggest to add another option here and if it is not set we try first anonymously and then with the keytab, if available. Depending on an option which indicates if we require FAST or if it is optional we fail or continue without fast if the TGT cannot be obtained.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.5.0

Fields changed

status: new => assigned

Fixed by:
- 263c8d4
- 5843ad3

resolution: => fixed
status: assigned => closed
tests: 0 => 1

Fields changed

rhbz: => 0

Metadata Update from @nalin:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.0

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1279

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.