Comments on: Back to My Mac: Peer to Peer Kerberos http://www.painless-security.com/blog/2007/10/31/p2p-kerberos Sam Hartman on Security for Real-World Users Tue, 15 Mar 2011 10:50:34 +0000 hourly 1 http://wordpress.org/?v=3.0.5 By: MacTroll http://www.painless-security.com/blog/2007/10/31/p2p-kerberos/comment-page-1#comment-776 MacTroll Wed, 09 Jul 2008 14:26:07 +0000 http://www.painless-security.com/blog/2007/10/p2p-kerberos/#comment-776 PKI isn't used for the private wide area DNS registration. Instead there's a shared secret stashed away in the System Keychain. This is used for both the DNS registration ( and DNS reading BTW) and for the IPSec shared secret. PKI isn’t used for the private wide area DNS registration. Instead there’s a shared secret stashed away in the System Keychain. This is used for both the DNS registration ( and DNS reading BTW) and for the IPSec shared secret.

]]> By: hartmans http://www.painless-security.com/blog/2007/10/31/p2p-kerberos/comment-page-1#comment-644 hartmans Tue, 13 May 2008 10:46:41 +0000 http://www.painless-security.com/blog/2007/10/p2p-kerberos/#comment-644 I'm not surprised. That was the discovery mechanism Apple and MIT were discussing when we went through a design review. I'm surprised if your claim that a certificate authorization is involved in wide-area Bonjour; I don't know how to do that with the DNS protocols. <p> The Kerberosv5 part of our local authentication authority identifies a .mac certificate that is used for pkinit (RFC 4556); the local KDC accepts that certificate instead of a password.</p> I’m not surprised. That was the discovery mechanism Apple and MIT were discussing when we went through a design review. I’m surprised if your claim that a certificate authorization is involved in wide-area Bonjour; I don’t know how to do that with the DNS protocols.
The Kerberosv5 part of our local authentication authority identifies a .mac certificate that is used for pkinit (RFC 4556); the local KDC accepts that certificate instead of a password.

]]> By: dre http://www.painless-security.com/blog/2007/10/31/p2p-kerberos/comment-page-1#comment-639 dre Mon, 12 May 2008 23:46:38 +0000 http://www.painless-security.com/blog/2007/10/p2p-kerberos/#comment-639 Woops. I used angle brackets in my previous comment. The dns-sd line should read: dns-sd -Q “_kerberos.name.local” txt (replace 'name' with the bonjour name of a machine on the local net') Woops. I used angle brackets in my previous comment. The dns-sd line should read:

dns-sd -Q “_kerberos.name.local” txt

(replace ‘name’ with the bonjour name of a machine on the local net’)

]]> By: Andre LaBranche http://www.painless-security.com/blog/2007/10/31/p2p-kerberos/comment-page-1#comment-638 Andre LaBranche Mon, 12 May 2008 23:14:59 +0000 http://www.painless-security.com/blog/2007/10/p2p-kerberos/#comment-638 It appears as though multicast dns is used as the realm discovery method. e.g. dns-sd -Q "_kerberos..local" txt (replace with the bonjour name of a machine on the local net) The result is some hex. Drop it into xxd -r -c 256 to get the LKDC realm name. The ability to discover the LKDC realm name of another machine is presumably *not* part of of any standard libraries, but rather implemented somewhere in the service clients for vnc, cifs, afpserver (the only services kerberized within an LKDC as of 10.5). Regarding wide-area bonjour, it appears that access to a user's dotmac dns name space is authorized with a certificate. e.g. I can query for _kerberos...members.mac.com on my machine that is 'bound' to back to my mac, but others are not able to perform the same lookup. This is possibly related to the Kerberosv5Cert portion of the AuthenticationAuthority attribute of my (local) user record. This is all pretty interesting stuff, and I'm trying to compile as much data as I can about how this is all implemented. If anybody knows of any good resources or discussions, please email them to me at echo "qer@znp.pbz" | tr N-ZA-Mn-za-m A-Za-z Cheers! -Andre It appears as though multicast dns is used as the realm discovery method. e.g.

dns-sd -Q “_kerberos..local” txt

(replace with the bonjour name of a machine on the local net)

The result is some hex. Drop it into xxd -r -c 256 to get the LKDC realm name.

The ability to discover the LKDC realm name of another machine is presumably *not* part of of any standard libraries, but rather implemented somewhere in the service clients for vnc, cifs, afpserver (the only services kerberized within an LKDC as of 10.5).

Regarding wide-area bonjour, it appears that access to a user’s dotmac dns name space is authorized with a certificate. e.g. I can query for _kerberos…members.mac.com on my machine that is ‘bound’ to back to my mac, but others are not able to perform the same lookup. This is possibly related to the Kerberosv5Cert portion of the AuthenticationAuthority attribute of my (local) user record.

This is all pretty interesting stuff, and I’m trying to compile as much data as I can about how this is all implemented. If anybody knows of any good resources or discussions, please email them to me at echo “qer@znp.pbz” | tr N-ZA-Mn-za-m A-Za-z

Cheers!
-Andre

]]> By: hartmans http://www.painless-security.com/blog/2007/10/31/p2p-kerberos/comment-page-1#comment-7 hartmans Tue, 20 Nov 2007 20:00:25 +0000 http://www.painless-security.com/blog/2007/10/p2p-kerberos/#comment-7 I don't know of any such description. I asked someone on my team to get me packet traces to confirm that things hadn't changed since our previous discusisons with Apple. I don’t know of any such description. I asked someone on my team to get me packet traces
to confirm that things hadn’t changed since our previous discusisons with Apple.

]]> By: Hamish Allan http://www.painless-security.com/blog/2007/10/31/p2p-kerberos/comment-page-1#comment-6 Hamish Allan Fri, 16 Nov 2007 17:51:06 +0000 http://www.painless-security.com/blog/2007/10/p2p-kerberos/#comment-6 Do you know if there is a detailed description of the technology behind Back to my Mac available anywhere? Most blogs that talk about it just say "it uses IPSec, wide-area Bonjour and NAT-PMP", but don't go any further. Do you know if there is a detailed description of the technology behind Back to my Mac available anywhere? Most blogs that talk about it just say “it uses IPSec, wide-area Bonjour and NAT-PMP”, but don’t go any further.

]]>