• Protocol benchmarking / auditing inquiry

    From Brent Kimberley@21:1/5 to All on Wed Feb 14 17:43:47 2024
    Hi.
    Can anyone point me to some methods to benchmark and/or audit Kerberos v5?

    For example, SSH:
    Manual
    Read the RFCs and specs.
    Semi-automatic.
    jtesta/ssh-audit: SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) (github.com)<https://github.com/jtesta/ssh-audit/>
    Automatic
    SSH Configuration Auditor (ssh-audit.com)<https://www.ssh-audit.com/>


    TLS example upon request.

    THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege have been waived. If
    you are not the intended recipient, you are hereby notified that any review, re-transmission, dissemination, distribution, copying, conversion to hard copy, taking of action in reliance on or other use of this communication is strictly prohibited. If you
    are not the intended recipient and have received this message in error, please notify me by return e-mail and delete or destroy all copies of this message.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Brent Kimberley@21:1/5 to All on Wed Feb 14 17:46:48 2024
    Preferably something smaller and more focused than nmap or OpenSCAP. 😉

  • From Christopher D. Clausen@21:1/5 to Brent Kimberley on Wed Feb 14 13:09:34 2024
    To: kerberos@mit.edu (kerberos@mit.edu)

    I have used this as a guide, but I think MIT Kerberos version 1.10 is
    the latest available:
    https://www.cisecurity.org/benchmark/mit_kerberos

    Not sure if this is what you are looking for or not.

    <<CDC

    On 2/14/2024 11:46 AM, Brent Kimberley via Kerberos wrote:
    Preferably something smaller and more focused than nmap or OpenSCAP. 😉

  • From Brent Kimberley@21:1/5 to Christopher D. Clausen on Wed Feb 14 20:07:35 2024
    To: kerberos@mit.edu (kerberos@mit.edu)

    To the best of my knowledge, Krb5i provides integrity whereas Krb5p provides confidentiality, integrity, and replay protection.

    "Walk tool" finding could map to a radar chart.

    In other news, Matthew Palko plans to modernize authentication. https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848


  • From Brent Kimberley@21:1/5 to Christopher D. Clausen on Wed Feb 14 19:20:24 2024
    To: kerberos@mit.edu (kerberos@mit.edu)

    Hi Christopher.

    Yes. You are correct. Peer reviewed installation readiness documents like the CIS MIT benchmark are a good "first step."

    I was asking pointers to the rest of the lifecycle suite - specifically "walk".

    Crawl
    =====
    Installation readiness documents
    e.g., CIS MIT Kerberos Benchmark

    Walk
    ====
    Focused applications.

    Application which can connect to a client or a server and emit:
    Enabled ciphers.
    Enabled MACs.
    Enabled Kerberos modes (krb5, krb5i, krb5p)
    etc.

    Background: most sites appear to be misconfigured.

    Run
    ====
    A focused service.


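    The "walk" tool described above, emitting the enabled ciphers, as an added example that is not part of the thread (and not MIT Kerberos or CIS code): a small Python krb5.conf audit that lists the enctypes each [libdefaults] key enables and flags single DES, triple DES and RC4 as deprecated. The sample krb5.conf is constructed; the weak-enctype list and severities are the editor's choices, and the script reads configuration rather than probing a KDC over the network.

```python
import re

# Keys MIT krb5 reads from [libdefaults] for enctype selection (real key names).
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

# Editor's weak list: single DES (RFC 6649), triple DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc": "single DES, deprecated by RFC 6649",
    "des-cbc-md4": "single DES, deprecated by RFC 6649",
    "des-cbc-md5": "single DES, deprecated by RFC 6649",
    "des3-cbc-sha1": "triple DES, deprecated by RFC 8429",
    "des3-hmac-sha1": "triple DES, deprecated by RFC 8429",
    "rc4-hmac": "RC4-HMAC, deprecated by RFC 8429",
    "arcfour-hmac": "RC4-HMAC, deprecated by RFC 8429",
    "arcfour-hmac-md5": "RC4-HMAC, deprecated by RFC 8429",
}

# Constructed sample, not any real site's configuration.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true            # permits the DES type below
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    ; default_tgs_enctypes deliberately left unset

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers, key = value lines and
    key = { ... } blocks (as used in [realms]). Returns nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # text before the first section header
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        kv = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def split_enctypes(value):
    """Enctype lists may be space- or comma-separated; MIT also allows +/-
    prefixes and the DEFAULT family keyword, which is kept as a token."""
    return [t.lstrip("+-").lower() for t in re.split(r"[\s,]+", value) if t]


def audit(text):
    """Emit the enabled enctypes per key plus a list of findings."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    report = {"enabled": {}, "findings": []}
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        report["findings"].append({"key": "allow_weak_crypto", "enctype": None,
                                   "severity": "high",
                                   "detail": "weak enctypes permitted library-wide"})
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            report["enabled"][key] = None  # library default list applies
            report["findings"].append({"key": key, "enctype": None, "severity": "info",
                                       "detail": "not set; library default applies"})
            continue
        enabled = split_enctypes(libdefaults[key])
        report["enabled"][key] = enabled
        for et in enabled:
            if et in WEAK_ENCTYPES:
                report["findings"].append({"key": key, "enctype": et,
                                           "severity": "high",
                                           "detail": WEAK_ENCTYPES[et]})
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_KRB5_CONF)
    for key, ets in result["enabled"].items():
        print(f"{key}: {' '.join(ets) if ets else '(library default)'}")
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['key']} {f['enctype'] or ''}: {f['detail']}")
```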
  • From Brent Kimberley@21:1/5 to Christopher D. Clausen on Wed Feb 14 20:23:41 2024
    To: kerberos@mit.edu (kerberos@mit.edu)

    Minor comment: the CIS Benchmark appears to have been written from the system administrator's frame of reference - not the network frame of reference (FoR).
    Typically, each frame of reference (FoR) needs to be audited. Hence the need for automation.

  • From Ken Hornstein@21:1/5 to All on Wed Feb 14 17:10:24 2024
    > Minor comment the CIS Benchmark appears to have been written from the
    > system administrator's frame of reference - not the network frame of
    > reference (FoR). Typically, each frame of reference (FoR) needs to be
    > audited. Hence the need for automation.

    I can only say this:

    - I've been doing Kerberos for a few decades (but I'm certainly not the
    person with the most Kerberos experience on this list).
    - I've done a ton of security accreditation work at my $DAYJOB, which
    also involves Kerberos. As part of the accreditation work we (and
    others) do automated scanning that includes the Kerberos servers
    and this seems to satisfy the powers that be. Some of the scanning
    seems to detect Kerberos but I am unclear how much it actually checks
    for other than "Kerberos is found".
    - I've used the aforementioned CIS Benchmark.
    - I really have no clue what you mean by "frame of reference" in this
    context, and this corresponds to no security accreditation or auditing
    requirements I have ever encountered so I cannot provide any
    suggestions; I'm really unclear what you are asking for.

    --Ken

  • From Brent Kimberley@21:1/5 to Brent Kimberley via Kerberos on Thu Feb 15 17:12:03 2024
    To: kenh@cmf.nrl.navy.mil (kenh@cmf.nrl.navy.mil)

    This approach is taught in first year engineering.

  • From Brent Kimberley@21:1/5 to Brent Kimberley via Kerberos on Thu Feb 15 17:09:34 2024
    To: kenh@cmf.nrl.navy.mil (kenh@cmf.nrl.navy.mil)

    Ken.
    The term Frame of Reference is a Cyber Physical system (CPS) term.

    For those who work in the cyber subset, the term is "interface".

    Regardless of what you call it.

    You take the system diagram and evaluate using each major interface or Frame of Reference.

    The STIG or CIS benchmark is just one of the interfaces evaluated.


  • From Ken Hornstein@21:1/5 to All on Thu Feb 15 12:38:36 2024
    > This approach is taught in first year engineering.

    Geez dude, no need to drag me; I'll be the first one to admit that I'm old
    and don't know everything! Back in my day our curriculums didn't cover
    any computer security topics at all.

    But I stand by my original statements: I, personally, have not encountered
    those terms before and I feel it's fair to say I've done a large amount
    of accreditation and audit work and some of it involves Kerberos. And
    even with your followup emails I'm still unclear what you are asking for.
    Is this because I am old and don't know everything? Certainly! Maybe
    it's like Zero Trust Security and I am already mostly doing it. Maybe
    it's something we have never been asked to do, so I've never done it
    (because in the accreditation world you don't seem to get extra credit
    for doing stuff that the accreditors do not ask for).

    --Ken

  • From Brent Kimberley@21:1/5 to Brent Kimberley via Kerberos on Thu Feb 15 17:18:34 2024
    To: kenh@cmf.nrl.navy.mil (kenh@cmf.nrl.navy.mil)

    At higher levels it falls under "Non Destructive testing".

  • From Brent Kimberley@21:1/5 to Brent Kimberley via Kerberos on Thu Feb 15 17:49:15 2024
    To: kenh@cmf.nrl.navy.mil (kenh@cmf.nrl.navy.mil)

    The purpose of non-destructive testing is to validate form/fit/function - across the entire operational mission/ asset lifecycle/ whatever - contrasted with the STIG/CIS benchmark which throws the real problems "over the wall" to Ken H.

    Using the outputs, the lifecycle manager constructs their budget for operations + maintenance (OpEx) and replacement (CapEx).
    Physical systems wear out. (Weibull)
    Cyber systems fail spectacularly.
    CPS systems wear out + fail spectacularly. (Power-law?)

    Why is this relevant?

    Back in the 1940s, too many planes were falling out of the sky. (Q. How many planes are too many?)
    You call this philosophy a "surety system", "fly fix fly", "patch Tuesday", "FAA's approach to the Boeing 737 MAX" - whatever.
    Regardless, by the 1950s, it was decided that action needed to be taken. The status quo was unacceptable. It was too expensive for operators.

    The National Safety Council created something called the "Hierarchy of Controls." It was immensely successful. (Planes stopped falling out of the skies.)

    You can call this approach "safety by design". This approach and its benefits are very well documented and might even be applicable to Navy C4ISR.

    To tie a bow on this thread:
    How can we make Kerberos safe?


    -----Original Message-----
    From: Brent Kimberley
    Sent: Thursday, February 15, 2024 12:19 PM
    To: kerberos@mit.edu; kenh@cmf.nrl.navy.mil
    Subject: RE: Protocol benchmarking / auditing inquiry

    At higher levels it falls under "Non Destructive testing".

    -----Original Message-----
    From: Brent Kimberley
    Sent: Thursday, February 15, 2024 12:12 PM
    To: 'kerberos@mit.edu' <kerberos@mit.edu>; 'kenh@cmf.nrl.navy.mil' <kenh@cmf.nrl.navy.mil>
    Subject: RE: Protocol benchmarking / auditing inquiry

    This approach is taught in first year engineering.

    -----Original Message-----
    From: Brent Kimberley
    Sent: Thursday, February 15, 2024 12:10 PM
    To: kerberos@mit.edu; kenh@cmf.nrl.navy.mil
    Subject: RE: Protocol benchmarking / auditing inquiry

    Ken.
    The term Frame of Reference is a Cyber Physical system (CPS) term.

    For those who work in the cyber subset, the term is "interface".

    Regardless of what you call it.

    You take the system diagram and evaluate using each major interface or Frame of Reference.

    The STIG or CIS benchmark is just one of the interfaces evaluated.


    -------------

    > Minor comment the CIS Benchmark appears to have been written from the
    > system administrator's frame of reference - not the network frame of
    > reference (FoR). Typically, each frame of reference (FoR) needs to be
    > audited. Hence the need for automation.

    I can only say this:

    - I've been doing Kerberos for a few decades (but I'm certainly not the
    person with the most Kerberos experience on this list).
    - I've done a ton of security accreditation work at my $DAYJOB, which
    also involves Kerberos. As part of the accreditation work we (and
    others) do automated scanning that includes the Kerberos servers
    and this seems to satisfy the powers that be. Some of the scanning
    seems to detect Kerberos but I am unclear how much it actually checks
    for other than "Kerberos is found".
    - I've used the aforementioned CIS Benchmark.
    - I really have no clue what you mean by "frame of reference" in this
    context, and this corresponds to no security accreditation or auditing
    requirements I have ever encountered so I cannot provide any
    suggestions; I'm really unclear what you are asking for.

    --Ken

    -----Original Message-----
    From: Brent Kimberley
    Sent: Wednesday, February 14, 2024 3:24 PM
    To: Christopher D. Clausen <cclausen@acm.org>; kerberos@mit.edu
    Subject: RE: Protocol benchmarking / auditing inquiry

    Minor comment the CIS Benchmark appears to have been written from the system administrator's frame of reference - not the network frame of reference (FoR).
    Typically, each frame of reference (FoR) needs to be audited. Hence the need for automation.

    -----Original Message-----
    From: Christopher D. Clausen <cclausen@acm.org>
    Sent: Wednesday, February 14, 2024 2:10 PM
    To: Brent Kimberley <Brent.Kimberley@Durham.ca>; kerberos@mit.edu
    Subject: Re: Protocol benchmarking / auditing inquiry


    I have used this as a guide, but I think MIT Kerberos version 1.10 is the latest available:
    https://www.cisecurity.org/benchmark/mit_kerberos

    Not sure if this is what you are looking for or not.

    <<CDC

    On 2/14/2024 11:46 AM, Brent Kimberley via Kerberos wrote:
    Preferably something smaller and more focused than nmap or OpenSCAP. 😉

    From: Brent Kimberley
    Sent: Wednesday, February 14, 2024 12:44 PM
    To: kerberos@mit.edu
    Subject: Protocol benchmarking / auditing inquiry

    Hi.
    Can anyone point me to some methods to benchmark and/or audit Kerberos v5?

    For example, SSH:
    Manual
    Read the RFCs and specs.
    Semi-automatic.
    jtesta/ssh-audit: SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) (github.com)<https://github.com/jtesta/ssh-audit/>
    Automatic
    SSH Configuration Auditor (ssh-audit.com)<https://www.ssh-audit.com/>


    TLS example upon request.

  • From Brent Kimberley@21:1/5 to Brent Kimberley via Kerberos on Fri Feb 16 13:33:30 2024
    Correction:
    - Physical systems tend to wear out + fail spectacularly.
    - Cyber systems tend to fail silently + inconveniently.
    - CPS systems tend to wear out + fail spectacularly + fail silently + inconveniently (case in point: Colonial Pipeline).

    The purpose of said tools is to evaluate & maintain asset health - over time. (PDCA)

  • From pyllyukko@21:1/5 to Brent Kimberley via Kerberos on Thu Feb 29 14:06:38 2024
    Ehlo.

    On Wed, Feb 14, 2024 at 05:43:47PM +0000, Brent Kimberley via Kerberos wrote:
    Can anyone point me to some methods to benchmark and/or audit Kerberos v5?

    A short while ago I submitted a PR[1] for the Lynis project that does
    something like that. I also started documenting some of my own Kerberos hardening stuff here[2].

    Disclaimer: I'm quite new to Kerberos, so I might be off with some of
    the hardenings, so all additional pointers/corrections are more than
    welcome.

    [1] https://github.com/CISOfy/lynis/pull/1456
    [2] https://github.com/pyllyukko/harden.yml/wiki/Kerberos_hardening_and_maintenance

    --
    pyllyukko
    email: <pyllyukko@maimed.org>
    PGP: https://keybase.io/pyllyukko
    twitter: https://twitter.com/pyllyukko

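As an added illustration of the kind of check the thread is after (something that looks beyond "Kerberos is found", in the spirit of ssh-audit's cipher checks): example code written for this page, not part of the Lynis PR or the harden.yml wiki. It assumes MIT krb5's krb5.conf layout, where [libdefaults] is flat and [realms] nests settings in { } blocks; the key names allow_weak_crypto and *_enctypes are MIT krb5's, and the sample config is constructed.

```python
import re

# Enctype name fragments that MIT krb5 classes as weak or deprecated (DES, 3DES, RC4).
WEAK_ENCTYPE_MARKERS = ("des", "arcfour", "rc4")
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")

def parse_libdefaults(text: str) -> dict:
    """Return key -> value for [libdefaults]; nested { } blocks are skipped."""
    section, depth, settings = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        depth += line.count("{") - line.count("}")
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_krb5_conf(text: str) -> list:
    """Return finding strings; an empty list means no weak crypto settings."""
    lib = parse_libdefaults(text)
    findings = []
    if lib.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        for enctype in lib.get(key, "").replace(",", " ").split():
            if any(mark in enctype.lower() for mark in WEAK_ENCTYPE_MARKERS):
                findings.append(f"{key} lists weak enctype {enctype}")
    return findings

# Constructed sample (not from any real host): two weak [libdefaults] settings, plus a realm block that must not be read as libdefaults.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        allow_weak_crypto = false
    }
"""

if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print("WEAK:", finding)
```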