#9683 Support authentication indicators in IPA to IPA trust
Opened 4 months ago by abbra. Modified 4 months ago

MIT Kerberos strips out authentication indicators at the realm boundary. In the IPA-to-IPA trust case this makes it impossible to recognize that a user from a trusted domain was authenticated with a particular pre-authentication mechanism, and therefore impossible to grant that user access to Kerberos services protected by authentication indicators.

The issue_pac KDB API allows a KDB driver to modify the list of authentication indicators that the KDC will issue. issue_pac is called for both AS-REQ and TGS-REQ processing. When the KRB5_KDB_FLAG_CROSS_REALM flag is passed to issue_pac, the PAC fields come from the trusted KDC, and we can analyze them and grant indicators in our realm. The PAC record is encrypted and signed by the KDC of the trusted realm as well; our KDC validates the PAC's integrity before calling issue_pac.

The PAC record contains group membership information, and SIDs are namespaced, which allows contextual details to be passed through. Microsoft Active Directory already uses well-known SIDs to express some of those details; see the MS-DTYP specification: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

For example, the following well-known SIDs are used by Active Directory to express meanings close to the logic we handle with authentication indicators:

| SID name | SID value | Description |
|---|---|---|
| AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY | S-1-18-1 | A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. (Initial ticket) |
| SERVICE_ASSERTED_IDENTITY | S-1-18-2 | A SID that means the client's identity is asserted by a service. (S4U2Self) |
| FRESH_PUBLIC_KEY_IDENTITY | S-1-18-3 | A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. |
| KEY_TRUST_IDENTITY | S-1-18-4 | A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. (PKINIT-like auth) |
| KEY_PROPERTY_MFA | S-1-18-5 | A SID that means the key trust object had the multifactor authentication (MFA) property. |
| KEY_PROPERTY_ATTESTATION | S-1-18-6 | A SID that means the key trust object had the attestation property. |

Tasks:

  • Define SIDs for expressing FreeIPA authentication indicators as well-known SIDs in some SID namespace.
  • Add logic to the IPA KDB driver to interpret a number of well-known SIDs and alter the list of authentication indicators we would issue for cross-realm tickets.
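The following is an added example, not FreeIPA or MIT krb5 code, modelling the decision the second task describes and the well-known SIDs from the table above. It assumes the SIDs have already been extracted from a PAC whose signature the local KDC verified, and that the hook is only consulted for the cross-realm case (the KRB5_KDB_FLAG_CROSS_REALM situation, modelled here as a boolean). The indicator names on the right-hand side of the mapping and the per-trust `permitted` policy set are assumptions for illustration; FreeIPA would define its own.

```python
"""Map well-known PAC SIDs from a trusted realm to local authentication indicators.

Added example; this is not FreeIPA or MIT krb5 code.  It models only the
decision an issue_pac-style hook would take when KRB5_KDB_FLAG_CROSS_REALM
is set: the SIDs passed in are assumed to come from a PAC whose signature
the local KDC has already verified.
"""
from typing import Iterable, Optional

# MS-DTYP well-known SIDs quoted in the ticket, mapped to the indicator the
# local realm would issue for them.  The indicator names are assumptions
# for this example; FreeIPA would define its own.
WELL_KNOWN_SID_INDICATORS = {
    "S-1-18-1": "aa-asserted-identity",       # initial ticket (AS-REQ)
    "S-1-18-2": "service-asserted-identity",  # S4U2Self
    "S-1-18-3": "fresh-public-key",
    "S-1-18-4": "key-trust",                  # PKINIT-like authentication
    "S-1-18-5": "mfa",
    "S-1-18-6": "attestation",
}


def parse_sid(sid: str) -> tuple[int, tuple[int, ...]]:
    """Validate the textual SID form S-1-<authority>-<sub>[-<sub>...]."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID: {sid!r}")
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid!r}")
    authority = int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    # Identifier authority is 48 bits, each sub-authority is 32 bits, and
    # MS-DTYP allows at most 15 sub-authorities.
    if not 0 <= authority < (1 << 48) or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    if any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError(f"SID out of range: {sid!r}")
    return authority, subs


def indicators_from_pac_sids(
    pac_sids: Iterable[str],
    cross_realm: bool,
    existing: Iterable[str] = (),
    permitted: Optional[set[str]] = None,
) -> list[str]:
    """Return the sorted indicator list the KDC should issue for this ticket.

    existing  -- indicators already in the list (empty in the cross-realm
                 case, because MIT strips them at the realm boundary)
    permitted -- hypothetical per-trust policy: indicators the trusted realm
                 is allowed to assert; None means every known one
    """
    indicators = set(existing)
    if not cross_realm:
        # Local AS-REQ/TGS-REQ: indicators come from pre-authentication
        # modules, never from a PAC, so the SIDs are not consulted.
        return sorted(indicators)
    for sid in pac_sids:
        parse_sid(sid)  # reject garbage before the dictionary lookup
        indicator = WELL_KNOWN_SID_INDICATORS.get(sid)
        if indicator is None:
            continue  # ordinary user/group SID, or one we do not interpret
        if permitted is not None and indicator not in permitted:
            continue  # trust policy does not let this realm assert it
        indicators.add(indicator)
    return sorted(indicators)


if __name__ == "__main__":
    # Constructed PAC SID list for a user of a trusted realm: the user's
    # own SID, a group SID, and two well-known identity SIDs.
    sample_pac_sids = [
        "S-1-5-21-1111-2222-3333-1105",
        "S-1-5-21-1111-2222-3333-513",
        "S-1-18-1",
        "S-1-18-5",
    ]
    print(indicators_from_pac_sids(sample_pac_sids, cross_realm=True))
```

The `permitted` set is the caveat worth keeping in mind when implementing this: a PAC signature proves the trusted KDC issued the claims, not that the local realm wants to honour every one of them, so the mapping is gated per trust rather than applied unconditionally.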
