Hi there, I wasn't sure if this was more suited to the krbdev list, but I decided to start here first. Please advise if this belongs elsewhere.

In a former life, I worked with some folks involved in the heimdal project and I have built up a project on top of some interesting heimdal developments. However heimdal does not seem to be getting much love anymore and I would like to migrate all this to MIT kerberos, if possible.

The project is "HCP", which stands for Host Cryptographic Provisioning. https://github.com/geoffthorpe/newhcp

The project's initial goal/feature is to use TPMs (including orchestration of software TPM instances, where appropriate) to provide an enrollment-based attestation framework. A second goal/feature is to provide container-based tooling to automate the bring-up and networking of a sample "fleet" of hosts, including the attestation services and some sample hosts/workloads whose credentials are bootstrapped and maintained over time using the attestation framework. Then there's the third goal/feature: a workflow demonstrating Kerberos-based services and clients, where all orchestration is PKI-based (distributed via the attestation framework). I.e. where there's no need to maintain user and service principals on the KDCs, that's the point. This also assumes that both the PKI and kerberos layers rotate keys/versions over time. The currently-implemented workflow demonstrates ssh and nfsv4 running on top of the kerberos layer.

More here on the kerberos specifics: https://github.com/geoffthorpe/newhcp/blob/main/doc/stateless-kdc.md

Among the things that I'm currently depending on in heimdal that might be different or missing in the MIT codebase are:

* "namespace principals" - these are essentially wildcard principals registered with the KDC that support a derivation mechanism for determining the service keys for any given principal within the namespace scope and for any given time (the kvno is determined from the time). I.e. no need to register service principals with the KDC, just a small set of namespace principals that encompass the FQDNs of all expected service principals.
* "synthetic principals" - this is the capability of the KDC to issue TGTs for arbitrary principals, as extracted from the x509v3 certificate used in pkinit.
* a persistent, PKI-based kinit - i.e. where an instance of kinit ("kinit -C" in heimdal) will automatically renegotiate and update tickets over time to respect the key-rotation period, and will reread the x509v3 cred each time (so that any updates to the local PKI cred also get picked up).
* a "kadmin ext_keytab" enhancement that supports namespace principals. I.e. at any given time, it will export a keytab with the kvnos that are currently relevant (including any kvnos that might still be in circulation and valid, as well as any kvnos that are going to become valid within a configurable window of time).

I first took a brief look at migrating this whole system and workflow over to MIT kerberos some time ago, and I very quickly hit the skids. I've had to shelve that for a while but I'm keen to try again. I'm wondering if anyone with more familiarity with the MIT tools and code might be interested in collaborating?

Feedback welcome, thanks,
Geoff

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
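To make the namespace-principal and ext_keytab ideas from the post concrete, here is an added toy model (not Heimdal's or HCP's code, and not its real derivation): one base key per wildcard namespace, a per-principal/per-kvno key derived from it, a kvno that is a function of time, and the set of kvnos a keytab export must carry for a given time. The rotation period, ticket lifetime, HMAC-SHA256 as the KDF and the `host/*.example.com` namespace syntax are all assumptions.

```python
import hmac
import hashlib
from typing import List, Tuple

# Assumed parameters for the model: kvno increments once per period, and a
# ticket issued under an old kvno may stay valid for up to MAX_TICKET_LIFE.
ROTATION_PERIOD = 24 * 3600
MAX_TICKET_LIFE = 10 * 3600


def kvno_for_time(t: int, period: int = ROTATION_PERIOD) -> int:
    """Time-derived key version number: epoch seconds divided by the rotation period."""
    return t // period


def in_namespace(principal: str, namespace: str) -> bool:
    """True if e.g. host/web1.example.com@EX covers under host/*.example.com@EX (assumed syntax)."""
    svc_ns, realm_ns = namespace.split("@")
    svc, realm = principal.split("@")
    type_ns, host_ns = svc_ns.split("/")
    typ, host = svc.split("/")
    if realm != realm_ns or typ != type_ns or not host_ns.startswith("*."):
        return False
    return host.endswith(host_ns[1:]) and host.count(".") == host_ns.count(".")


def derive_key(base_key: bytes, principal: str, kvno: int) -> bytes:
    """Per-principal, per-kvno key from the namespace base key (HMAC-SHA256 as KDF; assumption).
    KDC and service compute the same value independently, so no per-service registration is needed."""
    return hmac.new(base_key, f"{principal}\x00{kvno}".encode(), hashlib.sha256).digest()


def relevant_kvnos(t: int, lookahead: int, period: int = ROTATION_PERIOD,
                   max_life: int = MAX_TICKET_LIFE) -> List[int]:
    """kvnos an ext_keytab-style export needs at time t: versions that live tickets may still
    reference, the current version, and versions that become current within `lookahead` seconds."""
    oldest = kvno_for_time(t - max_life, period)
    newest = kvno_for_time(t + lookahead, period)
    return list(range(oldest, newest + 1))


def export_keytab(base_key: bytes, namespace: str, principal: str,
                  t: int, lookahead: int) -> List[Tuple[str, int, bytes]]:
    """Keytab-like entries (principal, kvno, key) for one service principal in the namespace."""
    if not in_namespace(principal, namespace):
        raise ValueError(f"{principal} is outside namespace {namespace}")
    return [(principal, k, derive_key(base_key, principal, k)) for k in relevant_kvnos(t, lookahead)]
```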
