pam-krb5 4.5 released

Greg Hudson ghudson at MIT.EDU
Fri Feb 10 16:53:30 EST 2012


On 02/10/2012 04:42 PM, Stephen Frost wrote:
> Ok, thanks.  Is the user's long-term key of any value if FAST is
> in place?  By that I mean- could I just make it 'password' or
> similar without any security risk..?

I can think of several things to worry about with that:

1. The KDC doesn't currently have a knob to enforce the use of FAST.
So it's possible that a legitimate user could authenticate with SAM2
and not FAST.  An attacker observing such an authentication could
easily decrypt the reply.  (A FAST OTP implementation would not have
this problem because it won't operate without FAST.)

2. You'd need to make sure to set the requires_hwauth flag on each
principal set up this way, or anyone could authenticate using
encrypted timestamp and the weak password.

3. If your SecurID deployment doesn't use PINs and uses short token
values, using only the one factor to authenticate might make it
relatively little work for an attacker to guess a valid user/OTP
combination and get tickets.
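A practical check for point 2, as an added example that is not part of this thread or of pam-krb5 or MIT krb5 itself: it parses the text that `kadmin getprinc` prints and lists principals whose attributes lack REQUIRES_HW_AUTH, then emits the `modprinc +requires_hwauth` commands that set the flag. The getprinc output below is constructed for the example; the attribute names and the modprinc flag syntax are kadmin's. The audit also reports REQUIRES_PRE_AUTH as missing, which is this example's own belt-and-braces choice rather than something the message asks for.

```python
"""Audit MIT Kerberos principals for the requires_hwauth flag.

Added example, not code from the thread or from pam-krb5/MIT krb5.
Parses the text `kadmin getprinc` prints and reports principals that
could still authenticate with encrypted-timestamp preauth using a weak
long-term key.  The sample output is constructed.
"""
import re

# Constructed sample of what `kadmin.local -q "getprinc <name>"` prints,
# trimmed to the lines this audit needs.
SAMPLE_GETPRINC = {
    "alice@EXAMPLE.COM": """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH REQUIRES_HW_AUTH
Policy: [none]
""",
    "bob@EXAMPLE.COM": """\
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
""",
    "carol@EXAMPLE.COM": """\
Principal: carol@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]
""",
}

# Only spaces/tabs after the colon: \s* would swallow the newline and
# capture the following "Policy:" line for a principal with no attributes.
ATTR_RE = re.compile(r"^Attributes:[ \t]*(.*)$", re.MULTILINE)

# kadmin attribute name -> modprinc flag that sets it.  REQUIRES_HW_AUTH is
# the flag the thread asks for; REQUIRES_PRE_AUTH is this audit's own extra
# check (assumption: you also want no preauth-less AS-REP under the key).
REQUIRED = {
    "REQUIRES_HW_AUTH": "+requires_hwauth",
    "REQUIRES_PRE_AUTH": "+requires_preauth",
}


def parse_attributes(getprinc_text):
    """Return the set of attribute flags from one principal's getprinc output."""
    m = ATTR_RE.search(getprinc_text)
    if m is None:
        raise ValueError("no Attributes line in getprinc output")
    return set(m.group(1).split())


def audit(principals):
    """Map each principal to the modprinc flags it is missing (empty = clean)."""
    findings = {}
    for name, text in principals.items():
        have = parse_attributes(text)
        missing = [flag for attr, flag in REQUIRED.items() if attr not in have]
        if missing:
            findings[name] = missing
    return findings


def fix_commands(findings):
    """Render the kadmin modprinc commands that set the missing flags."""
    return [f"modprinc {' '.join(flags)} {name}"
            for name, flags in sorted(findings.items())]


if __name__ == "__main__":
    for cmd in fix_commands(audit(SAMPLE_GETPRINC)):
        print(cmd)
```

On a real KDC, feed the function the output of `kadmin.local -q "getprinc <name>"` for each OTP principal instead of the constructed sample, and run the emitted lines through `kadmin.local`; re-run the audit afterwards to confirm REQUIRES_HW_AUTH shows up in the Attributes line.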


More information about the Kerberos mailing list