Kerberos n00b question.

Russ Allbery eagle at eyrie.org
Tue Jan 8 20:22:22 EST 2019


Robbie Harwood <rharwood at redhat.com> writes:

> Also!  2FA will mitigate this concern somewhat as well.  krb5 is
> prepared to hand off to a RADIUS responder for OTP (freeIPA uses this,
> which I know you're not interested in but is meaningful as a PoC); you
> can then use something like freeOTP or a physical 2fa token for
> acquiring additional credentials.

I wonder how hard it would be to add WebAuthn as a preauth mechanism for
Kerberos as part of a FAST chain.  HOTP/TOTP don't have the greatest
security properties, even though most Kerberos use cases are inherently
less vulnerable to phishing than the typical web authentication use.

> Apologies.  I consider Kerberos (with preauth and strong passwords) safe
> for internet use, as I imagine the rest of us on here do as well.

Internet use is very common in the Kerberos community.  It is somewhat
vulnerable to weak user passwords, but I'd probably invest my effort in
FAST via anonymous PKINIT to solve that problem instead of network
tunnels.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
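The FAST-over-anonymous-PKINIT setup Russ mentions, written out as an added configuration example that is not part of this thread or of the MIT krb5 project; the realm name, certificate paths and the user principal are assumptions.

```ini
; Added example, not from the thread: MIT krb5 password preauth armored by
; FAST, with the armor ticket obtained through anonymous PKINIT.
; Realm EXAMPLE.COM, file paths and the principal "alice" are assumptions.
;
; --- /etc/krb5.conf (client) ---
[libdefaults]
    default_realm = EXAMPLE.COM
    ; CA that issued the KDC's PKINIT certificate. Without a trusted anchor
    ; the client cannot distinguish the real KDC from an impostor during the
    ; anonymous exchange, and the armor gives no protection.
    pkinit_anchors = FILE:/etc/krb5/cacert.pem
    ; Require the KDC certificate to carry the PKINIT KDC extended key usage.
    pkinit_eku_checking = kpKDC

; --- /var/kerberos/krb5kdc/kdc.conf (KDC) ---
[kdcdefaults]
    ; Anonymous tickets may only be used as FAST armor (TGT), never to
    ; authenticate to services.
    restrict_anonymous_to_tgt = true

[realms]
    EXAMPLE.COM = {
        ; Certificate and key the KDC presents during PKINIT.
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
    }

; --- one-time KDC setup (kadmin.local) ---
;   addprinc -randkey WELLKNOWN/ANONYMOUS   ; enables anonymous PKINIT
;   modprinc +requires_preauth alice        ; no AS-REP without preauth
;
; --- client login, armored ---
;   kinit -n -c FILE:/tmp/armor.ccache @EXAMPLE.COM   ; anonymous PKINIT -> armor ticket
;   kinit -T FILE:/tmp/armor.ccache alice             ; password preauth inside the FAST tunnel
;   klist -c FILE:/tmp/armor.ccache   ; principal shows as WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
```

The armor protects the encrypted-timestamp preauth from offline guessing only when the client verifies the KDC certificate against pkinit_anchors; a client that runs kinit without -T still sends unarmored preauth, so the weak-password exposure remains for unconfigured clients.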