Kerberos n00b question.
Grant Taylor
gtaylor at tnetconsulting.net
Tue Jan 8 22:26:10 EST 2019
On 1/8/19 6:22 PM, Russ Allbery wrote:
> I wonder how hard it would be to add WebAuthn as a preauth mechanism
> for Kerberos as part of a FAST chain. HOTP/TOTP don't have the greatest
> security properties, even though most Kerberos use cases are inherently
> less vulnerable to phishing than the typical web authentication use.
I have no idea. It sounds interesting though.
> Internet use is very common in the Kerberos community.
Does this include client <-> KDC?
> It is somewhat vulnerable to weak user passwords, but I'd probably invest
> my effort in FAST via anonymous PKINIT to solve that problem instead of
> network tunnels.
Ya. I like bolstering Kerberos's security via FAST w/ PKINIT more than
the tunnels. Tunnels just introduce another complexity ~> failure
point. (Even IPSec Transport Mode.)
My cursory reading makes me think that FAST is what provides the
security (by encrypting more things through the Fast and Secure Tunnel)
using parameters derived via PKINIT.
--
Grant. . . .
unix || die
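For reference, a minimal MIT krb5 configuration for the FAST-via-anonymous-PKINIT approach Russ recommends, added here as an illustration and not taken from the thread; the realm, hostnames and file paths are assumptions.

```ini
# Added example, not from the thread: MIT krb5 settings for FAST armored
# by an anonymous PKINIT ticket. Realm, paths and hostnames are assumed.
#
# --- KDC side: /etc/krb5kdc/kdc.conf (assumed path) ---
# The KDC presents a certificate, so the client authenticates the KDC
# before any password-derived preauth is sent inside the FAST tunnel.
[realms]
    EXAMPLE.COM = {
        pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
    }
# The anonymous principal must exist (run once on the KDC):
#   kadmin.local -q "addprinc -randkey WELLKNOWN/ANONYMOUS"

# --- Client side: /etc/krb5.conf ---
# The client only needs the CA that issued the KDC certificate; no client
# certificate is required for anonymous PKINIT.
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }
# Obtain an anonymous armor ticket, then authenticate the user inside FAST:
#   kinit -n -c /tmp/armor.ccache @EXAMPLE.COM
#   kinit -T /tmp/armor.ccache alice@EXAMPLE.COM
```

With the armor ticket in place, the AS exchange for alice runs inside FAST, which is what keeps a weak password from being exposed to offline guessing by anyone observing client-to-KDC traffic.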