"Fossies" - the Fresh Open Source Software Archive

Member "freeipa-4.8.8/daemons/ipa-kdb/README.s4u2proxy.txt" (15 Jun 2020, 5766 Bytes) of package /linux/misc/freeipa-4.8.8.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 It is now possible to allow constrained delegation of credentials so
    2 that a service can impersonate a user when communicating with another
    3 service w/o requiring the user to actually forward their TGT.
    4 This makes for a much better method of delegating credentials as it
    5 prevents exposure of the short term secret of the user.
    6 
    7 I added a relatively simple access control method that allow the KDC to
    8 decide exactly which services are allowed to impersonate which users
    9 against other services. A simple grouping mechanism is used so that in
   10 large environments, clusters and otherwise classes of services can be
   11 much more easily managed.
   12 
   13 The grouping mechanism has been built so that lookup is highly optimized
   14 and is basically reduced to a single search that uses the derefernce
   15 control. Speed is very important in this case because KDC operations
   16 time out very quickly and unless we add a caching layer in ipa-kdb we
   17 must keep the number of searches down to avoid client timeouts.
   18 
   19 The grouping mechanism is very simple a groupOfPrincipals object is
   20 introduced, this Auxiliary class have a single optional attribute called
   21 memberPrincipal which is a string containing a principal name.
   22 
   23 A separate objectclass is also introduced called ipaKrb5DelegationACL,
   24 it is a subclass of groupOfPrincipals and is a Structural class.
   25 
   26 It has 2 additional optional attributes: ipaAllowedTarget and
   27 ipaAllowToImpersonate. They are both DNs.
   28 
   29 The memberPrincipal attribute in this class contains the list of
   30 principals that are being considered proxies[1]. That is: the
   31 principals of the services that want to impersonate client principals
   32 against other services.
   33 
   34 The ipaAllowToImpersonate must point to a groupOfPrincipal based
   35 object that contains the list of client principals (normally these are
   36 user principals) that can be impersonated by this service.
   37 If the attribute is missing than the service is allowed to impersonate
   38 *any* user.
   39 
   40 The ipaAllowedTarget DN must point to a groupOfPrincipal based object
   41 that contains the list of service principals that the proxy service is
   42 allowed target when impersonating users. A target must be specified in
   43 order to allow a service to access it impersonating another principal.
   44 
   45 
   46 At the moment no wildcarding is implemented so services have to be
   47 explicitly listed in their respective groups.
   48 I have some idea of adding wildcard support at least for the
   49 ipaAllowToImpersonate group in order to separate user principals by
   50 REALM. So you can say all users of REALM1 can be impersonated by this
   51 service but no users of REALM2.
   52 
   53 It is unclear how this wildcarding may be implemented, but it must be
   54 simple to avoid potentially very expensive computations every time a
   55 ticket for the target services is requested.
   56 
   57 I have briefly tested this patch by manually creating a few objects then
   58 using the kvno command to test that I could get a ldap ticket just using
   59 the HTTP credentials (in order to do this I had to allow also s4u2self
   60 operations for the HTTP service, but this is *not* generally required
   61 and it is *not* desired in the IPA framework implementation).
   62 
   63 This patchset does not contain any CLI or UI nor installation changes to
   64 create ipaKrb5DelegationACL obujects. It is indeed yet unclear where we
   65 want to store them (suggestions are welcome) and how/when we may want to
   66 expose this mechanism through UI/CLI for general usage.
   67 
   68 The initial intended usage is to allow us to move away from using
   69 forwarded TGTs in the IPA framework and instead use S4U2Proxy in order
   70 to access the ldap service. In order to do this some changes will need
   71 to be made in installation scripts and replica management scripts later.
   72 
   73 How to test:
   74 
   75 Create 2 objects like these:
   76 
   77 dn: cn=ipa-http-delegation,...
   78 objectClass: ipaKrb5DelegationACL
   79 objectClass: groupOfPrincipals
   80 cn: ipa-http-delegation
   81 memberPrincipal: HTTP/ipaserver.example.com@EXAMPLE.COM
   82 ipaAllowedTarget: cn=ipa-ldap-delegation-targets,...
   83 
   84 dn: cn=ipa-ldap-delegation-targets,...
   85 objectClass: groupOfPrincipals
   86 cn: ipa-ldap-delegation-targets
   87 memberPrincipal: ldap/ipaserver.example.com@EXAMPLE.COM
   88 
   89 
   90 In order to test with kvno which pretend to do s4u2self too you will
   91 need to allow the HTTP service to impersonate arbitrary users.
   92 
   93 This is done with:
   94 kdamin.local
   95 modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com
   96 
   97 NOTE: Do not grant +ok_to_auth_as_delegate in production without
   98 carefully considering the outcome. This flags grants a service the
   99 ability to impersonate any user to itself, which, combined with the
  100 permission to proxy, means it will be allowed to impersonate any user
  101 to the target service w/o any explicit user permission/delegation.
  102 This flag is *NOT* necessary to permit proxying, it is used in this
  103 example only because the kvno utility is hardwired to test both s4u2self
  104 and s4u2proxy at the same time and would fail to operate without it.
  105 
  106 Then run kvno as follows:
  107 
  108 # Init credntials as HTTP
  109 kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.example.com
  110 
  111 # Perform S4U2Self
  112 kvno -U admin HTTP/ipaserver.example.com
  113 
  114 # Perform S4U2Proxy
  115 kvno -k /etc/httpd/conf/ipa.keytab -U admin -P HTTP/ipaserver.example.com
  116 ldap/ipaserver.example.com
  117 
  118 
  119 If this works it means you successfully impersonated the admin user with
  120 the HTTP service against the ldap service.
  121 
  122 Cleanup by removing the self-impersonation flag:
  123 modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com
  124 
  125 Simo.
  126 
  127 
  128 [1]
  129 Note that here I use the term proxy in a different way than it is used in
  130 the krb interfaces. It may seem a bit confusing but I think people will
  131 understand it better this way.
  132 
  133 In this document 'client' connects to 'proxy' which impersonates 'client'
  134 against 'service'.
  135 In the Code/API the 'client' connects to 'server' which impersonates
  136 'client' against 'proxy'.