Kerberos - overview
Authentication protocol based on symmetric cryptography
Single sign-on: authenticate once, access many services
Started at MIT (1988), v5 (1993), RFC 41201 (2005)
Major implementations: MIT Kerberos2, Microsoft Active Directory,
Heimdal3, FreeIPA4 / Identity Management in RHEL
1https://www.rfc-editor.org/rfc/rfc4120
2https://web.mit.edu/kerberos/
3https://github.com/heimdal/heimdal
4https://www.freeipa.org
Slide 4
Slide 4 text
Kerberos - protocol
Parties: client, Key Distribution Centre (KDC), service
KDC = Authentication Service (AS) + Ticket Granting Service (TGS)
Users, services, KDC are represented as principals in a realm
Each principle has a long-term secret key, shared with the KDC
users derive it from a password
hosts/services store it in a file ("keytab")
Authentication tokens are called tickets
Kerberos - advantages
Single sign-on: improve efficiency, reduce password fatigue
Client exposes long-term secret only once (until TGT expires)
Resistant to replay attacks
Works well for HTTP and "bare" network protocols
Slide 16
Slide 16 text
Kerberos - problems
Passwords are not great
Password / keytab rotation is burdensome
Slide 17
Slide 17 text
PKINIT - overview
Public Key Cryptography for Initial Authentication in Kerberos11
Client uses asymmetric cryptography to authenticate to KDC
Client presents X.50912 certificate and signs message
KDC verifies certificate, signature and client binding
KDC encrypts response using either:
Diffie-Hellman (DH) or analogous key agreement algorithm
other public-key encryption algorithm
11RFC 4556 - https://www.rfc-editor.org/rfc/rfc4556
12RFC 5280 - https://www.rfc-editor.org/rfc/rfc5280
Slide 18
Slide 18 text
PKINIT - protocol
Slide 19
Slide 19 text
PKINIT - protocol
Slide 20
Slide 20 text
PKINIT - protocol
Slide 21
Slide 21 text
PKINIT in FreeIPA
Default: exact certificate match only
Optional: certificate mapping rules
ipa certmaprule-add certmap \
--maprule "(fqdn={subject_dns_name})"
Client certs can be signed by internal or third-party CA
Slide 22
Slide 22 text
PKINIT - user experience
CLI: kinit -X X509_user_identity=FILE:cert.pem,key.pem
SSSD can integrate with Linux login managers
Nice UX for smartcards and 2FA
Windows offers a similiar experience
Slide 23
Slide 23 text
Demo
Slide 24
Slide 24 text
PKINIT - advantages
No more passwords / client shared secret
Key can reside on smart-card (e.g. Yubikey) / TPM / HSM
The rest of the protocol is unchanged
Slide 25
Slide 25 text
PKINIT - complexities
X.509 PKI required
Renewal considerations
Revocation checking is hard (or time consuming)
Hardware (e.g. smart cards) → additional cost
Binding the public key to the principal - how?
Slide 26
Slide 26 text
PKINIT - key binding
In addition to validating the client’s signature, the KDC MUST also
check that the client’s public key used to verify the client’s
signature is bound to the client principal name specified in the AS-
REQ as follows:
1. If the KDC has its own binding between either the client’s
signature-verification public key or the client’s certificate and
the client’s Kerberos principal name, it uses that binding.
2. Otherwise, if the client’s X.509 certificate contains a Subject
Alternative Name (SAN) extension carrying a KRB5PrincipalName
(defined below) in the otherName field of the type GeneralName
[RFC3280], it binds the client’s X.509 certificate to that name.
Slide 27
Slide 27 text
PKINIT - key binding
Encode principal name in certificate (KRB5PrincipalName SAN)
Associate certificate/key with principal in database
administrative overhead due to renewal/rekey
Other heuristics; for example:
if certificate has dNSName SAN, look for that host principal
if certificate has rfc822Name (email address) SAN, look for the corresonding
user principal
Better not mess this up!
Slide 28
Slide 28 text
CVE-2022-4254
Slide 29
Slide 29 text
CVE-2022-4254 - what happened?
LDAP filter injection13
FreeIPA not vulnerable in default configuration
only exact certificate match is enabled by default
Bug introduced in SSSD v1.15.3 and resolved in v2.3.1
Will also be fixed in of v1.16.6, if/when released
13CWE-90 - https://cwe.mitre.org/data/definitions/90.html
CVE-2022-4254 - mitigations
Upgrade to fixed/patched releases of SSSD
and-list rules are harder to exploit than or-list
Audit what data get included in certs, and how
Use exact certificate matching
Slide 35
Slide 35 text
PKINIT - security considerations
Properly escape/sanitise all inputs, always.
Review CA trust, profiles, and validation behaviour
Which CAs do you trust? Who can issue certificates?
How do you validate the data that go into a certificate?
Can attributes be influenced by users or other parties?
Just because a value is valid does not mean it’s benign
Key/principal binding is a critical aspect of PKINIT security
Slide 36
Slide 36 text
Links
Writeup: https://is.gd/CVE_2022_4254
Red Hat CVE database:
https://access.redhat.com/security/cve/CVE-2022-4254