Alexander Bokovoy

@abbra
Samba, FreeIPA, SSSD, and a lot of other topics people remember when office infrastructure doesn't work.
First draft for post-quantum PKINIT exchange is published. I struggled with the datatracker and still need to figure out how to get it to the right stream: https://www.ietf.org/archive/id/draft-bokovoy-kitten-pkinit-pqc-00.html
Post-quantum Key Encapsulation with ML-KEM in Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)

This document specifies extensions to the Kerberos PKINIT pre-authentication mechanism to support post-quantum key establishment using the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) algorithms defined in FIPS 203. The extensions define a new kemInfo arm in PA-PK-AS-REP, a KDCKEMInfo structure signed by the KDC, HKDF-based AS reply key derivation (HKDF-SHA-512 for ML-KEM), downgrade-prevention rules, and a PAChecksum2 extension providing checksum algorithm agility in PKAuthenticator. The KEM path framework supports multiple KEM algorithms including ML-KEM, composite ML-KEM algorithms, and future KEM standards.
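The abstract names HKDF-SHA-512 as the AS reply key derivation and mentions downgrade-prevention rules. The following is an added example, not code from the draft or from any Kerberos implementation: a standard-library HKDF (RFC 5869) parameterised by hash, checked against the RFC 5869 SHA-256 test vector, plus an illustrative reply-key derivation. The context label, the set of fields bound into the HKDF info, the nonce names and the algorithm identifiers in it are assumptions made for this example; the draft's actual encoding is not shown on this page. What the example demonstrates is the general principle: if the negotiated KEM identifier and the ciphertext are bound into the derivation, a party that tampers with the advertised algorithm ends up with a different reply key than its peer.

```python
from __future__ import annotations

import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hashmod=hashlib.sha512) -> bytes:
    """RFC 5869 Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(hashmod().digest_size)
    return hmac.new(salt, ikm, hashmod).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hashmod=hashlib.sha512) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    if length > 255 * hashmod().digest_size:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashmod).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hashmod=hashlib.sha512) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hashmod), info, length, hashmod)


# RFC 5869 Appendix A.1 test vector (SHA-256), used to check the HKDF code above.
RFC5869_A1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "okm": bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    ),
}


def selftest() -> bool:
    v = RFC5869_A1
    return hkdf(v["ikm"], v["salt"], v["info"], v["length"], hashlib.sha256) == v["okm"]


def derive_as_reply_key(shared_secret: bytes, kem_algorithm: bytes, ciphertext: bytes,
                        client_nonce: bytes, kdc_nonce: bytes, key_len: int = 32) -> bytes:
    """Illustrative AS reply key derivation with HKDF-SHA-512.

    ASSUMPTION: the label and the list of bound fields below are chosen for this example;
    they are not the draft's encoding. The point is that everything the peers must agree on
    (negotiated KEM, the ciphertext, both nonces) feeds the derivation, so any substitution
    of the algorithm identifier in transit yields mismatching keys on the two sides.
    """
    info = b"|".join([b"pkinit-pqc-example-v0", kem_algorithm, ciphertext, client_nonce, kdc_nonce])
    return hkdf(shared_secret, salt=b"", info=info, length=key_len)


def downgrade_demo() -> tuple[bytes, bytes]:
    """Constructed inputs: a fixed 'shared secret' and nonces stand in for real ML-KEM output."""
    ss = hashlib.sha512(b"constructed shared secret").digest()[:32]
    ct = b"constructed ciphertext bytes"
    cn, kn = b"client-nonce-0001", b"kdc-nonce-0001"
    # Assumed identifier strings; a real protocol would bind the OID / algorithm id bytes.
    honest = derive_as_reply_key(ss, b"ML-KEM-1024", ct, cn, kn)
    tampered = derive_as_reply_key(ss, b"ML-KEM-512", ct, cn, kn)
    return honest, tampered


if __name__ == "__main__":
    print("HKDF self-test:", selftest())
    k1, k2 = downgrade_demo()
    print("keys differ after algorithm-id substitution:", k1 != k2)
```

Run the file directly to see the self-test result; the `downgrade_demo` keys differ purely because the bound algorithm identifier differs, which is the property the draft's downgrade-prevention rules are about.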

@hyc the archives were available until recently...
@hyc IIRC, there were two problems: spammers flooded community mailing lists to the point that it was almost impossible to handle that, and the second issue was the migration of Red Hat's mailing lists off mailman to another platform. We ended up migrating mailing lists to Fedora's mailman. To date, freeipa-users@ is in the top three most active mailing lists in the Fedora community. The loss of the original archives was a sad history.
kurbu5: MIT Kerberos plugins in Rust

For a couple of years, Andreas Schneider and I have been working on a project we call the ‘local authentication hub’: an effort to use the Kerberos protocol ...

I'm happy to announce kirmes version 0.1.0 providing an async C API now!

Kirmes is a Rust and C implementation of the IPC protocol for the systemd userdb Varlink interface. kirmes provides a safe, async Rust API talking to systemd's userdb. In addition it provides blocking and async C APIs to communicate over Varlink or just parse JSON records for users and groups.

https://crates.io/crates/kirmes

Example: https://gitlab.com/kirmes/kirmes/-/blob/main/example/async_user_record.c

#systemd #varlink #linux

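The post above describes kirmes as an implementation of the Varlink IPC protocol for systemd's userdb interface, with both a transport layer and parsing of JSON user/group records. As an added example (not kirmes code and not a systemd component) the block below shows, in Python rather than the crate's Rust, the two pieces a userdb client needs: Varlink framing (one JSON object per message, terminated by a NUL byte) for an io.systemd.UserDatabase.GetUserRecord call, and defensive parsing of the reply. The service name, the sample reply bytes and the error reply are constructed for the example; only the method name, the parameter names and the NUL framing are taken from the Varlink / userdb interface as documented by systemd.

```python
from __future__ import annotations

import json
from typing import Any

NUL = b"\x00"  # Varlink frames every JSON message with a trailing NUL byte
USERDB_IFACE = "io.systemd.UserDatabase"
# Assumed for the example: the userdb service the client addresses.
DEFAULT_SERVICE = "io.systemd.Multiplexer"


def encode_call(method: str, parameters: dict[str, Any]) -> bytes:
    """Encode one Varlink method call as compact JSON followed by NUL."""
    return json.dumps({"method": method, "parameters": parameters},
                      separators=(",", ":")).encode("utf-8") + NUL


def get_user_record_call(user_name: str, service: str = DEFAULT_SERVICE) -> bytes:
    return encode_call(f"{USERDB_IFACE}.GetUserRecord",
                       {"userName": user_name, "service": service})


def decode_stream(buf: bytes) -> tuple[list[dict[str, Any]], bytes]:
    """Split a byte stream into complete messages; return them and the unterminated tail."""
    messages: list[dict[str, Any]] = []
    while (end := buf.find(NUL)) >= 0:
        messages.append(json.loads(buf[:end].decode("utf-8")))
        buf = buf[end + 1:]
    return messages, buf


def _is_valid_id(v: Any) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly;
    # 0xFFFFFFFF is the invalid (-1) id and is rejected as well.
    return isinstance(v, int) and not isinstance(v, bool) and 0 <= v < 0xFFFFFFFF


def parse_user_record_reply(reply: dict[str, Any], expected_user: str) -> dict[str, Any]:
    """Validate a GetUserRecord reply before anything downstream trusts it."""
    if "error" in reply:
        # e.g. io.systemd.UserDatabase.NoRecordFound
        raise LookupError(reply["error"])
    params = reply.get("parameters") or {}
    record = params.get("record")
    if not isinstance(record, dict):
        raise ValueError("reply carries no user record")
    if record.get("userName") != expected_user:
        raise ValueError("record userName does not match the queried name")
    if not _is_valid_id(record.get("uid")) or not _is_valid_id(record.get("gid")):
        raise ValueError("uid/gid missing or not a valid 32-bit id")
    return {
        "userName": record["userName"],
        "uid": record["uid"],
        "gid": record["gid"],
        "homeDirectory": record.get("homeDirectory"),
        "shell": record.get("shell"),
        "incomplete": bool(params.get("incomplete", False)),
    }


# Constructed sample traffic standing in for what a userdb service would write back.
SAMPLE_REPLY = json.dumps({
    "parameters": {
        "record": {"userName": "alice", "uid": 1000, "gid": 1000, "realName": "Alice",
                   "homeDirectory": "/home/alice", "shell": "/bin/bash"},
        "incomplete": False,
    }
}).encode("utf-8") + NUL
SAMPLE_ERROR = json.dumps({"error": f"{USERDB_IFACE}.NoRecordFound"}).encode("utf-8") + NUL


def demo() -> dict[str, Any]:
    """Decode a buffer holding one full reply plus a partial second one, then parse the first."""
    messages, rest = decode_stream(SAMPLE_REPLY + SAMPLE_ERROR[:10])
    assert rest == SAMPLE_ERROR[:10]  # partial frame stays buffered for the next read
    return parse_user_record_reply(messages[0], "alice")


if __name__ == "__main__":
    print(get_user_record_call("alice"))
    print(demo())
```

The userName cross-check matters when a lookup is keyed by name: a service answering with a record for a different principal must not be accepted, and a uid/gid of 0xFFFFFFFF (the "no id" value) must never be handed to setuid/setgid.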

A bit of a detour I took in the past two months was into two worlds that typically aren't combined: ASN.1 and AI. Anyway, weird results require weird numbers:
https://vda.li/en/posts/2026/03/23/synta/
ASN.1 for legacy apps: Synta

Pretty much everything I deal with requires parsing ASN.1 encodings. ASN.1 definitions published as part of internet RFCs: certificates are encoded using DER...

Demo 2: login with an SSH key, use the Kerberos ticket to access the FreeIPA management interface. Lifetime was set to 2 minutes to help my slow and erroneous typing.

https://youtu.be/Bx7_ZJskofo

ipa openssh s4u demo 2


COPR repo for Fedora 43-45: dnf copr enable dbelyavs/openssh-gss-s4u

Demo 1: login with an SSH key, use the Kerberos ticket for sudo authentication. Lifetime set to 1 minute to help with the demo.

https://youtu.be/hlxFCs_RIRE

ipa openssh s4u demo

Got some progress with protocol transition in #OpenSSH: if you log in with any authentication mechanism that does not lead to the creation of #Kerberos tickets, you can now configure your server to generate one on the user's behalf. This uses the Services For User (S4U) extensions available in Active Directory and #FreeIPA implementations. There are a few issues we are still trying to address (and bugs found during this development), but it looks promising.

A couple of demos in the next toots: