Difference between revisions of "Anonymous kerberos"
SamHartman (talk | contribs) (document anonymous) |
SamHartman (talk | contribs) m (fix formatting) |
||
Line 2: | Line 2: | ||
[[Principal|principals]] to authenticate to a remote service without disclosing their identity.There are two primary use cases: |
[[Principal|principals]] to authenticate to a remote service without disclosing their identity.There are two primary use cases: |
||
− | + | # Principals with no Kerberos identity at all authenticating to create an identity or to protect some communication |
|
− | + | # Principals authenticating to some external service, disclosing that they are affiliated with a particular realm but not disclosing their full identity. |
|
There are two modes of anonymous Kerberos to meet these objectives: completely anonymous and realm-exposed. |
There are two modes of anonymous Kerberos to meet these objectives: completely anonymous and realm-exposed. |
||
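Review bot: The unchanged context line above the new list still reads "identity.There are two primary use cases" with no space after the period; as this is a formatting pass over the same paragraph, correct it to "identity. There are" in the same edit. The first new list item also ends without a period while the second ends with one, so make the two consistent.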
Line 11: | Line 11: | ||
In completely anonymous Kerberos, a principal can authenticate to a realm with no Kerberos identity in that realm. Diffie-Hellman key exchange is used to establish a shared secret.. To use completely anonymous Kerberos: |
In completely anonymous Kerberos, a principal can authenticate to a realm with no Kerberos identity in that realm. Diffie-Hellman key exchange is used to establish a shared secret.. To use completely anonymous Kerberos: |
||
− | + | # Configure the KDC to support pkinit, setting at least <tt>pkinit_identity</tt> on the KDC. |
|
− | + | # Set <tt>pkinit_anchors</tt> so that the client can verify the KDC certificate |
|
− | + | # Create the <tt>WELLKNOWN/ANONYMOUS</tt> principal in the realm to signal that fully anonymous Kerberos is enabled. |
|
− | On the client use < |
+ | On the client use <tt> kinit -n @<i>REALM</i></tt> or <tt> kadmin -n |
− | @<i>REALM</i></ |
+ | @<i>REALM</i></tt> to request anonymous tickets. In klist and in |
service ACLs the resulting authentication will use the |
service ACLs the resulting authentication will use the |
||
− | < |
+ | <tt>WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS</tt> [[well known principal]]. |
== Realm Exposed Anonymous == |
== Realm Exposed Anonymous == |
||
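Review bot: Step 2 of the new numbered list, "Set pkinit_anchors so that the client can verify the KDC certificate", does not say where the setting goes, whereas step 1 names the KDC explicitly; say which configuration it belongs in and end the item with a period. The context line before the list still ends in "shared secret..", and the new "<tt> kinit -n" and "<tt> kadmin -n" spans carry a leading space inside the tag; both are worth cleaning up in a formatting fix.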
Line 24: | Line 24: | ||
Alternatively, clients can authenticate normally to the KDC but request that the KDC return a credential that only exposes the client's realm. The MIT Kerberos client is believed to support this mode as of Kerberos 1.8, although the KDC currently does not support this mode. |
Alternatively, clients can authenticate normally to the KDC but request that the KDC return a credential that only exposes the client's realm. The MIT Kerberos client is believed to support this mode as of Kerberos 1.8, although the KDC currently does not support this mode. |
||
− | On the client, use < |
+ | On the client, use <tt>kinit -n <i>principal</i></tt> to authenticate. A password or other credential will be required just as if the <tt>-n</tt> flag is not included. However, the resulting principal will be <tt>WELLKNOWN/ANONYMOUS@<i>REALM</i></tt>. |
== Implementation Status == |
== Implementation Status == |
||
− | xi |
||
+ | |||
See [[Projects/Anonymous pkinit]] for implementation status. |
See [[Projects/Anonymous pkinit]] for implementation status. |
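Review bot: The paragraph states that the KDC currently does not support realm-exposed mode, yet the following line gives "kinit -n principal" as a working procedure with no caveat; add a sentence on what a user should expect from a KDC that lacks support, or mark the instructions as applying once that support exists. In the same line, "as if the -n flag is not included" reads better as "were not included".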
Revision as of 15:09, 4 January 2010
Anonymous Kerberos provides a mechanism for principals to authenticate to a remote service without disclosing their identity. There are two primary use cases:
- Principals with no Kerberos identity at all authenticating to create an identity or to protect some communication.
- Principals authenticating to some external service, disclosing that they are affiliated with a particular realm but not disclosing their full identity.
There are two modes of anonymous Kerberos to meet these objectives: completely anonymous and realm-exposed.
Completely anonymous
In completely anonymous Kerberos, a principal can authenticate to a realm with no Kerberos identity in that realm. Diffie-Hellman key exchange is used to establish a shared secret. To use completely anonymous Kerberos:
- Configure the KDC to support pkinit, setting at least pkinit_identity on the KDC.
- Set pkinit_anchors so that the client can verify the KDC certificate.
- Create the WELLKNOWN/ANONYMOUS principal in the realm to signal that fully anonymous Kerberos is enabled.
On the client, use kinit -n @REALM or kadmin -n @REALM to request anonymous tickets. In klist and in service ACLs, the resulting authentication will use the WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS well-known principal.
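A way to confirm the three prerequisites above before trying kinit -n, given as an added example that is not part of the original page or of MIT Kerberos. It checks a kdc.conf, a client krb5.conf and a saved principal listing; the realm EXAMPLE.TEST, the file paths and contents, and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: offline check of the three prerequisites listed above.
# Realm, paths and file contents are constructed sample data.

# has_setting FILE KEY: true if FILE has an uncommented "KEY = value" line.
has_setting() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]" "$1"
}

# check_anon_pkinit KDC_CONF KRB5_CONF PRINC_LIST REALM
# PRINC_LIST is assumed to be saved output of: kadmin.local -q listprincs
# Prints one line per missing prerequisite; returns the number missing.
check_anon_pkinit() {
    missing=0
    has_setting "$1" pkinit_identity || {
        echo "KDC: pkinit_identity not set in $1"; missing=$((missing + 1)); }
    has_setting "$2" pkinit_anchors || {
        echo "client: pkinit_anchors not set in $2"; missing=$((missing + 1)); }
    grep -Fqx "WELLKNOWN/ANONYMOUS@$4" "$3" || {
        echo "realm: WELLKNOWN/ANONYMOUS@$4 principal missing"; missing=$((missing + 1)); }
    return "$missing"
}

# Constructed sample files standing in for a real deployment.
demo=$(mktemp -d)
cat > "$demo/kdc.conf" <<'EOF'
[realms]
    EXAMPLE.TEST = {
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
    }
EOF
cat > "$demo/krb5.conf" <<'EOF'
[realms]
    EXAMPLE.TEST = {
        # pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }
EOF
cat > "$demo/princs.txt" <<'EOF'
K/M@EXAMPLE.TEST
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
WELLKNOWN/ANONYMOUS@EXAMPLE.TEST
EOF

# The anchors line is commented out, so exactly one prerequisite is reported.
check_anon_pkinit "$demo/kdc.conf" "$demo/krb5.conf" "$demo/princs.txt" EXAMPLE.TEST || true
```

A commented-out pkinit_anchors line is treated as unset, which is the case the sample client file exercises.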
Realm Exposed Anonymous
Alternatively, clients can authenticate normally to the KDC but request that the KDC return a credential that only exposes the client's realm. The MIT Kerberos client is believed to support this mode as of Kerberos 1.8, although the KDC currently does not support this mode.
On the client, use kinit -n principal to authenticate. A password or other credential will be required just as if the -n flag were not included. However, the resulting principal will be WELLKNOWN/ANONYMOUS@REALM.
Implementation Status
See Projects/Anonymous pkinit for implementation status.