Kerberos n00b question.

Russ Allbery eagle at eyrie.org
Tue Jan 8 22:35:19 EST 2019 

Grant Taylor <gtaylor at tnetconsulting.net> writes:
> On 1/8/19 6:22 PM, Russ Allbery wrote:

>> Internet use is very common in the Kerberos community.

> Does this include client <-> KDC?

Yes.  A lot of higher education institutions that have used Kerberos for
many, many years have their KDCs directly on the Internet and allow
clients to authenticate from anywhere.

> My cursory reading makes me think that FAST is what provides the
> security (by encrypting more things through the Fast and Secure Tunnel)
> using parameters derived via PKINIT.

PKINIT is just a replacement preauth mechanism, instead of enc-timestamp.
Basically, the client uses an X.509 authentication instead of a proof of
key possession as the preauthentication step to establish a shared session
secret that is used to encrypt the TGT.  (This may not be 100% accurate;
it's been a while since I dug into the protocol.)

FAST is a replacement for the whole preauth step.  It uses some
pre-existing shared session key between the KDC and the client to encrypt
the whole preauthentication exchange.  Inside of that, you can use various
preauthentication mechanisms.

Where they usefully combine is in how to get that pre-existing shared
session key to be able to start using FAST.  This is a chicken-and-egg
problem with traditional Kerberos: you have to authenticate first in order
to authenticate.  You can, for instance, use the local host key (which is
probably randomly generated and therefore safer to use in a direct
exchange with the KDC) to get a session key to start FAST, and then do
preauthentication with the (weaker) password-derived key.

Anonymous PKINIT lets you out of that trap by letting the client
"authenticate" with anonymous Diffie-Hellman to the KDC.  This doesn't
establish any meaningful identity, but it *does* get you a shared session
key, and with that you can start FAST, and use it to protect any
subsequent preauthentication exchange.

Note that you can enable anonymous PKINIT even if you don't otherwise use
PKINIT and don't have any client certificates.  (You ideally do have a KDC
certificate, though, that the clients know about.)

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list