
Re: Was a smartcard used to get the ticket?

Phil Fisher wrote:
> Is it possible to find out if a smartcard was used to get a ticket?
> A ticket is obtained with kinit. This may be with or without the -C
> PKCS11:... option to use a smartcard.
> My application then uses gss_init_sec_context() with
> GSS_C_NO_CREDENTIAL to get the default. It would be useful to know if
> a smartcard was used so that:
>   1) an administrator can insist on smartcards being used.
>   2) the application can adjust its response to a smartcard being
> removed.
> I've not found anything relevant in the documentation or with Google.
> nm on libgssapi.so shows gsskrb5_extract_authz_data_from_sec_context()
> which looks promising, but I'm not sure what it gives or how to use
> it. I assume that it returns an AuthorizationData structure, but I'm
> not clear if this contains the information I need or what value the
> ad_type parameter should have.
> Is what I want possible? Is
> gsskrb5_extract_authz_data_from_sec_context() the right way to get the
> information? Is its use documented somewhere?
> I'm using Heimdal 1.0.

I don't know about Heimdal specifically, but this may be related to a problem
Douglas Engert recently brought up in the IETF: how do you communicate
the "level of assurance" of the authentication to the relying party through
Kerberos? His actual use case is very similar to yours.

Using PKINIT you might be able to solve the problem, if you can assume that
your CAs only issue smartcards or soft-tokens but not both, by examining
the cert chain.

In general, or if you are in an n-tier situation where the RP needs to call a
non-Kerberized service (e.g. a web service), the tools simply don't exist today.

We had a conversation ("bar-BOF") about this and related topics at the
Chicago IETF, and there seems to be enough interest to set up a mailing
list and maybe hold a BOF about (specifically) how to use SAML as a tool
for communicating information about authz and auth context in Kerberos.

If you're interested, there will probably be announcements of any work
and/or mailing lists on the krb-wg list, and probably here too.

    Cheers, Leif