
Difference between revisions of "Projects/HTTP Transport"

From K5Wiki
(Address current state of MSFT.)
Line 11: Line 11:
 
===Heimdal===
 
===Heimdal===
   
Heimdal has such a mechanism [https://github.com/heimdal/heimdal/blob/master/lib/krb5/send_to_kdc.c#L504 as seen here]. It uses a GET request with a base64-encoded version of the UDP traffic. This is not particularly in keeping with the HTTP specification, since a GET request should not incur change to the server. Additionally, Apache has a URL length for GET of about 4000 characters, and requests of this nature have been measured as close to that limit and may exceed it in practice. It uses a separate field in krb5.conf for specification of the http_proxy to be used. There is almost no evidence of this in use in active deployment.
+
Heimdal has such a mechanism [https://github.com/heimdal/heimdal/blob/master/lib/krb5/send_to_kdc.c#L504 as seen here]. It uses a GET request with a base64-encoded version of the UDP traffic. Leaving aside questions of idempotence and RESTfulness, Apache has a URL length for GET of about 4000 characters, and requests of this nature have been measured as close to that limit and may exceed it in practice. It uses a separate field in krb5.conf for specification of the http_proxy to be used. There is almost no evidence of this in use in active deployment.
   
 
===Microsoft===
 
===Microsoft===
   
Microsoft has documented their mechanism, MS-KKDCPP, [http://msdn.microsoft.com/en-us/library/hh553774.aspx here]. It uses POST requests which is much more in keeping with the HTTP specification than GET, and it also specifies HTTPS to be used in all cases, though it is not known whether it will respond to plain HTTP.
+
Microsoft has documented their mechanism, MS-KKDCPP, [http://msdn.microsoft.com/en-us/library/hh553774.aspx here]. It uses POST requests which is much more in keeping with the HTTP specification than GET, and it also specifies HTTPS to be used in all cases, though Microsoft's implementation does not work over plain HTTP.
   
 
==Implementation Process==
 
==Implementation Process==
   
HTTP transport will be implemented first, followed by HTTPS transport. We prefer Microsoft interoperability to Heimdal interoperability because despite the added complexity we feel it to be more in keeping with the HTTP specification. We will implement HTTP and HTTPS transports that correspond to our interpretation of Microsoft's specification. Parallel to implementation, we will attempt to set up a Microsoft KDC with proxying enabled so that we can test our implementation. For HTTPS transportation, we will first implement OpenSSL support, with NSS support to follow.
 
  +
HTTPS transport will be implemented first, followed optionally by HTTP transport. We will implement HTTPS transport that corresponds to Microsoft's specification. We will implement OpenSSL support initially and optionally may add NSS support at a later date.
   
 
==Implementation Design==
 
==Implementation Design==
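Review bot: The rewritten Implementation Process paragraph keeps plain HTTP as an optional follow-up ("followed optionally by HTTP transport"), but the Microsoft paragraph edited in this same hunk now states that Microsoft's implementation does not work over plain HTTP, so the page no longer says what a plain-HTTP transport would interoperate with or be tested against. Either drop the HTTP option or name its peer and message format. The new wording also removes the stated reason for preferring Microsoft interoperability over Heimdal; one sentence of rationale should stay. In the Microsoft sentence, "though" no longer marks a contrast now that the clause agrees with the HTTPS requirement, and reads better as "and".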
Line 28: Line 28:
   
 
* We will need to build against a cryptography library, and to add options to the build system for such. We will include an option to disable HTTPS support (i.e., build against no cryptographic library).
 
* We will need to build against a cryptography library, and to add options to the build system for such. We will include an option to disable HTTPS support (i.e., build against no cryptographic library).
 
As we have not yet been able to examine traffic from a Microsoft KDC with proxy enabled, our current working protocol for traffic is: POST request to /KdcProxy with body consisting of the base64-encoded version of the Kerberos request, with response from the MS-KKDCP consisting of the base64-encoding of the KDC's reply. Preliminary testing suggests that this is not what Microsoft uses, but the server isn't particularly chatty about errors.
 
   
 
==Test Plan==
 
==Test Plan==
   
Due to the nature of the changes, it will be extremely difficult to write test cases for the new code. Instead, code has been written to implement the "other side" (on the KDC-end) of HTTP/HTTPS transport as a reference implementation. That code, including its implementation of the client-end of the HTTP/HTTPS pipe, can be found [https://github.com/frozencemetery/krb-proxies here].
+
Due to the nature of the changes, it will be extremely difficult to write test cases for the new code. However, the code can be tested by standing up Microsoft's implementation and running against that.
   
 
==Review==
 
==Review==
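Review bot: Removing the "current working protocol" paragraph from Implementation Design without a replacement leaves the page with no description of the request and response format the client sends; add a sentence in its place stating the format as taken from MS-KKDCP. In the Test Plan, the new text makes "standing up Microsoft's implementation" the only test target and drops the link to the krb-proxies reference code; say whether that code is retired, since it was the only test endpoint on the page that did not depend on Microsoft's implementation.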
Line 46: Line 44:
   
 
===Discussion===
 
===Discussion===
From [http://mailman.mit.edu/pipermail/krbdev/2013-August/011698.html mail from ghudson]:
+
The first version had comments from [http://mailman.mit.edu/pipermail/krbdev/2013-August/011698.html mail from ghudson], which we attempted to address.
 
* {{project-block}} Should remove the tcp: and udp: specifiers from the `kdc` configuration line and write a separate case for http: and https: instead of trying to integrate them
 
 
* {{project-block}} Switch to non-portable socket enumerator to portable protocol enumerator
 
 
* {{project-block}} Remove cut-and-paste between service_tcp_fd and service_http_fd in favor of more careful design
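Review bot: The three {{project-block}} items under Discussion are deleted and replaced by "which we attempted to address", which does not record whether each blocking objection was resolved or how. Keep the three items and annotate each with its resolution (or a link to the reply on krbdev), so that a reviewer can see that no block is still open.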
 

Revision as of 12:27, 23 August 2013

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Overview

This project intends to add HTTP and HTTPS transport to Kerberos traffic. This change is useful especially for firewall configurations that allow traffic on port 80/443 but not on port 88.

Precedent

Both Heimdal and Microsoft Kerberos have such a technology.

Heimdal

Heimdal has such a mechanism as seen here. It uses a GET request with a base64-encoded version of the UDP traffic. Leaving aside questions of idempotence and RESTfulness, Apache has a URL length limit for GET of about 4000 characters, and requests of this nature have been measured as close to that limit and may exceed it in practice. It uses a separate field in krb5.conf to specify the http_proxy to be used. There is almost no evidence of this being used in active deployment.

Microsoft

Microsoft has documented their mechanism, MS-KKDCPP, here. It uses POST requests, which is much more in keeping with the HTTP specification than GET, and it specifies that HTTPS be used in all cases; Microsoft's implementation does not work over plain HTTP.

Implementation Process

HTTPS transport will be implemented first, followed optionally by HTTP transport. We will implement HTTPS transport that corresponds to Microsoft's specification. We will implement OpenSSL support initially and optionally may add NSS support at a later date.

Implementation Design

  • We will expand the definition of the `kdc` field (and related fields including kpasswd_server and admin_server) in krb5.conf to take a URL (optionally including page) in order to allow HTTP or HTTPS transport. The new syntax will look like this:
 kdc = (http|https)://<kdc.addr>[:<port>][/<page>]

Note that the syntax (and parser) does not change in the non-HTTP{,S} cases. In order to facilitate this change, we will need to stop carrying a socktype around in the code that is either SOCK_DGRAM or SOCK_STREAM, and instead carry around our own protocol designator.

  • We will need to build against a cryptography library, and to add options to the build system for such. We will include an option to disable HTTPS support (i.e., build against no cryptographic library).
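The kdc syntax and the "own protocol designator" described above can be illustrated with a small parser. This is an added example, not code from MIT krb5 or from this project; the names kdc_transport, struct kdc_entry and parse_kdc_value are hypothetical, the default ports (88, 80, 443) are assumptions, and it handles hostnames and IPv4 literals only (no bracketed IPv6).

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical designator carried instead of SOCK_DGRAM/SOCK_STREAM. */
typedef enum { KDC_DEFAULT = 0, KDC_HTTP, KDC_HTTPS } kdc_transport;

struct kdc_entry {
    kdc_transport transport;
    char host[256];
    int port;
    char page[256];        /* path without the leading '/', may be empty */
};

/* Parse one `kdc` value; returns 0 on success, -1 on malformed input. */
int parse_kdc_value(const char *val, struct kdc_entry *out)
{
    const char *p = val, *slash, *colon, *hend;
    size_t hlen;

    memset(out, 0, sizeof(*out));        /* transport starts as KDC_DEFAULT */
    out->port = 88;
    if (strncmp(p, "https://", 8) == 0) {
        out->transport = KDC_HTTPS; out->port = 443; p += 8;
    } else if (strncmp(p, "http://", 7) == 0) {
        out->transport = KDC_HTTP; out->port = 80; p += 7;
    }
    slash = strchr(p, '/');
    if (slash != NULL && out->transport == KDC_DEFAULT)
        return -1;                       /* a page is only valid with a scheme */
    hend = (slash != NULL) ? slash : p + strlen(p);
    colon = memchr(p, ':', (size_t)(hend - p));
    hlen = (size_t)((colon != NULL ? colon : hend) - p);
    if (hlen == 0 || hlen >= sizeof(out->host))
        return -1;                       /* empty or oversized host */
    memcpy(out->host, p, hlen);          /* buffer was zeroed, so NUL-terminated */
    if (colon != NULL) {
        char *end;
        long n = strtol(colon + 1, &end, 10);
        if (colon[1] < '0' || colon[1] > '9' || end != hend || n < 1 || n > 65535)
            return -1;                   /* empty, non-numeric or out-of-range port */
        out->port = (int)n;
    }
    if (slash != NULL) {
        if (strlen(slash + 1) >= sizeof(out->page))
            return -1;
        strcpy(out->page, slash + 1);
    }
    return 0;
}
```

Values without a scheme keep the existing host[:port] form and leave the transport as KDC_DEFAULT, matching the statement that the non-HTTP syntax does not change.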

Test Plan

Due to the nature of the changes, it will be extremely difficult to write test cases for the new code. However, the code can be tested by standing up Microsoft's implementation and running against that.

Review

This section documents the review of the project according to Project policy. It is divided into multiple sections. First, approvals should be listed. To list an approval, type

#~~~~

(hash mark followed by four tilde characters) on its own line. The next section is for summarizing discussion, which should take place on krbdev@mit.edu. Provide links to the archive at http://mailman.mit.edu/pipermail/krbdev/ if appropriate. Blocking objections can be noted with {{project-block}}.

Approvals

Discussion

The first version received comments in mail from ghudson, which we attempted to address.