Mastodawn

First draft for post-quantum PKINIT exchange is published. I struggled with the datatracker and still need to figure out how to get it to the right stream: https://www.ietf.org/archive/id/draft-bokovoy-kitten-pkinit-pqc-00.html

Post-quantum Key Encapsulation with ML-KEM in Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)

This document specifies extensions to the Kerberos PKINIT pre-authentication mechanism to support post-quantum key establishment using the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) algorithms defined in . The extensions define a new kemInfo arm in PA-PK-AS-REP , a KDCKEMInfo structure signed by the KDC, HKDF-based AS reply key derivation (HKDF-SHA-512 for ML-KEM), downgrade-prevention rules, and a PAChecksum2 extension providing checksum algorithm agility in PKAuthenticator . The KEM path framework supports multiple KEM algorithms including ML-KEM, composite ML-KEM algorithms, and future KEM standards.

Alexander Bokovoy Apr 15

RE: https://mastodon.social/@cryptomilk/116410062650792574

More about it next Monday at #SambaXP

Alexander Bokovoy Apr 4

kurbu5:
https://vda.li/en/posts/2026/04/04/kurbu5/

kurbu5: MIT Kerberos plugins in Rust

For a couple of years, Andreas Schneider and I have been working on a project we call the ‘local authentication hub’: an effort to use the Kerberos protocol ...

Alexander Bokovoy Mar 23

Andreas Schneider Mar 23

I'm happy to annouce kirmes version 0.1.0 providing an async C API now!

Kirmes is a Rust and C implementation of the IPC protocol for the systemd userdb Varlink interface. kirmes provides a safe, async Rust API talking to systemd's userdb. In addition it provides blocking and async C APIs to communicate over Varlink or just parse JSON records for users and groups.

https://crates.io/crates/kirmes

Example: https://gitlab.com/kirmes/kirmes/-/blob/main/example/async_user_record.c

#systemd #varlink #linux

crates.io: Rust Package Registry

crates.io serves as a central registry for sharing crates, which are packages or libraries written in Rust that you can use to enhance your projects

Alexander Bokovoy Mar 23

A bit of detour I took in past two months was into the worlds that typically aren't combined: ASN.1 and AI. Anyway, weird results require weird numbers:
https://vda.li/en/posts/2026/03/23/synta/

ASN.1 for legacy apps: Synta

Pretty much everything I deal with requires parsing ASN.1 encodings. ASN.1 definitions published as part of internet RFCs: certificates are encoded using DER...

Show thread

Alexander Bokovoy Mar 10

Demo 2: login with SSH key, use Kerberos ticket for access of FreeIPA management interface. Lifetime was set to 2 minutes to help my slow and errorneous typing.

https://youtu.be/Bx7_ZJskofo

ipa openssh s4u demo 2

YouTube

Show thread

Alexander Bokovoy Mar 10

COPR repo for Fedora 43-45: dnf copr enable dbelyavs/openssh-gss-s4u

Demo 1: login with SSH key, use Kerberos ticket for sudo authentication. Lifetime set to 1 minute to help with the demo.

https://youtu.be/hlxFCs_RIRE

ipa openssh s4u demo

YouTube

Alexander Bokovoy Mar 10

Got some progress with protocol transition in #OpenSSH: if you login with any authentication mechanism that does not lead to creation of #Kerberos tickets, now you can configure your server to generate one on the user's behalf. This uses Services For User (S4U) extensions available in Active Directory and #FreeIPA implementations. There are few issues we still trying to address (and bugs found during this development) but it looks promising.

Couple demos in the next toots:

Alexander Bokovoy Feb 1

Identity and Access Management devroom #iam at #FOSDEM started with the full room already. We are also tracking air quality in the room and try to ventilate regularly. Thanks to https://fosdem26-air.autkin.net/ project for that!

FOSDEM'26 Air quality monitoring | FOSDEM'26 Air quality monitoring

FOSDEM'26 Air quality monitoring | FOSDEM'26 Air quality monitoring | |

Alexander Bokovoy Jan 31

#FreeIPA at #FOSDEM :)