


Re: spn alias

Path csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From Jeffrey Hutzelman <jhutz@cmu.edu>
Newsgroups comp.protocols.kerberos
Subject Re: spn alias
Date Thu, 6 Mar 2025 19:28:51 -0500
Organization TNet Consulting
Lines 47
Message-ID <mailman.167.1741307351.2322.kerberos@mit.edu>
References <42e99884-8cae-4664-9f29-79cd49c5c5e7@kania-online.de> <CAGMFw4hjK8CHYJWOiQb9+AvHQXZHkA6C_21eRNOwx5y6XTefVg@mail.gmail.com> <CALF+FNwB=07CbW5Do4E+C-C6D8T3bXhUX4PMHbkdnwGT9ewXfw@mail.gmail.com> <CAGMFw4gUmoyOXkRNR34ks7D5iwWi+nWKm9A3y5XQ55X3G+1B3Q@mail.gmail.com> <CALF+FNxnh=iuZZoXWdFnsLEtLv5oCeEQfUVs0TnHb1mWq=znwA@mail.gmail.com>
Cc Stefan Kania <stefan@kania-online.de>, Jonathan Calmels via Kerberos <kerberos@mit.edu>
To Michael B Allen <ioplex@gmail.com>
In-Reply-To <CAGMFw4gUmoyOXkRNR34ks7D5iwWi+nWKm9A3y5XQ55X3G+1B3Q@mail.gmail.com>
List-Id The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive <http://mailman.mit.edu/pipermail/kerberos/>
Xref csiph.com comp.protocols.kerberos:5391



On Thu, Mar 6, 2025, 19:16 Michael B Allen <ioplex@gmail.com> wrote:

> On Thu, Mar 6, 2025 at 5:57 PM Jeffrey Hutzelman <jhutz@cmu.edu> wrote:
>
>> Years ago we patched Cyrus SASL to avoid this problem by allowing any
>> principal whose keys appear in the keytab, but that unfortunately was never
>> merged.
>>
>
> I thought that's how kerberos worked by default - just use the spn in the
> ap-req to look up the base key from the keytab or wherever.
>
> Sounds like gssapi got in the way of itself.
>

GSSAPI makes it easy to do this right, and that's the advice we've been
giving for at least 20 years. Unfortunately, it also makes it easy to get
the idea that servers have to acquire a credential to accept connections.

>> RFC 4120 specifically said not to rely on insecure DNS queries for this,
>> but that advice is unfortunately frequently ignored, by applications and
>> libraries in ways that are hard to avoid. Fortunately, everyone seems to
>> follow the corresponding advice for TLS and X.509 PKI, which essentially
>> means that as long as you use ldaps and validate certificates, the reverse
>> DNS lookup before calling SASL/GSS/Kerberos doesn't introduce any problem.
>>
>
> Deploying CA certs is annoying.
>
> I've been thinking about adding a utility to my toolchain that does an
> LDAP bind with Kerberos and, if and only if mutual is successful, grab the
> CA cert from the SSL layer and offer to install it (like
> into jre/lib/security/cacerts for java in my case).
>

That seems reasonable, if you trust the server to send the right CA cert.
It would also work to use a Kerberos authenticated ssh connection, or set
up something behind https://www.eyrie.org/~eagle/software/remctl/ to
provide a CA cert. I agree, deploying CA certs or anything you can trust is
annoying. Once you've done that once, better to make use of it for others.
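As an added illustration of the keytab point made above (this code is not from the thread, from Cyrus SASL, or from any GSSAPI library): a parser for the MIT keytab file format, version 0x0502, plus a small model of the two acceptor behaviours being discussed, one that looks the key up by the server name carried in the AP-REQ (any principal in the keytab will do) and one that is bound to a single pre-acquired name and therefore rejects tickets for the host's other names even though their keys are on disk. The realm, principal names, timestamp and key bytes are constructed, and the helper names (parse_keytab, build_keytab, select_acceptor_key, acceptor_accepts) are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Enctype numbers from RFC 3962; used here only to label keys.
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
NT_PRINCIPAL = 1
SAMPLE_TIMESTAMP = 1741307351  # constructed entry timestamp


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _counted_string(buf: bytes, off: int):
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT-format keytab (version bytes 05 02). Each record is a signed
    32-bit size followed by the entry; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):           # v2 keytabs do not count the realm
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:               # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, timestamp))
    return entries


def build_keytab(items) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab; a
    None item emits a deleted slot. Used only to construct the sample input."""
    out = bytearray(b"\x05\x02")
    for item in items:
        if item is None:
            out += struct.pack(">i", -8) + bytes(8)
            continue
        principal, kvno, enctype, key = item
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", NT_PRINCIPAL, SAMPLE_TIMESTAMP, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: one LDAP host with host/ and ldap/ names, a DNS alias with
# its own ldap/ name, a rotated host/ key (kvno 3 and 4) and one deleted slot.
# Keys are fixed byte patterns, not real key material.
SAMPLE_KEYTAB = build_keytab([
    ("host/ldap1.example.com@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    None,
    ("host/ldap1.example.com@EXAMPLE.COM", 4, AES256_CTS_HMAC_SHA1_96, bytes(range(32, 64))),
    ("ldap/ldap1.example.com@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1_96, bytes(range(64, 96))),
    ("ldap/ldap-alias.example.com@EXAMPLE.COM", 2, AES128_CTS_HMAC_SHA1_96, bytes(range(96, 112))),
])


def principals_in_keytab(entries) -> List[str]:
    """The names the acceptor could serve (what `klist -k` lists)."""
    return sorted({e.principal for e in entries})


def select_acceptor_key(entries, spn: str, enctype: int, kvno: Optional[int] = None):
    """Look the decryption key up by the server name in the AP-REQ ticket.
    Without a kvno hint the highest kvno for that name and enctype wins."""
    cands = [e for e in entries if e.principal == spn and e.enctype == enctype
             and (kvno is None or e.kvno == kvno)]
    return max(cands, key=lambda e: e.kvno) if cands else None


def acceptor_accepts(entries, bound_name: Optional[str], spn: str, enctype: int) -> bool:
    """bound_name=None models an acceptor that did not pre-acquire a credential
    (GSS_C_NO_CREDENTIAL): any principal in the keytab may be the server. A
    bound acceptor only accepts tickets issued to the one name it acquired."""
    if bound_name is not None and bound_name != spn:
        return False
    return select_acceptor_key(entries, spn, enctype) is not None


if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for name in principals_in_keytab(ents):
        print(name)
```

The bound acceptor is the failure mode the thread describes: a client resolves the service through an alias, asks the KDC for ldap/ldap-alias.example.com, and the server, having acquired a credential for ldap/ldap1.example.com only, cannot accept the ticket even though the alias key is in its keytab. The keytab-wide acceptor is the widely given advice: pass no acceptor credential and let the library select the key by the name in the ticket.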
