Kerberos n00b question.

Robbie Harwood rharwood at redhat.com
Thu Jan 10 14:09:37 EST 2019


Russ Allbery <eagle at eyrie.org> writes:

> Robbie Harwood <rharwood at redhat.com> writes:
>
>> Also!  2FA will mitigate this concern somewhat as well.  krb5 is
>> prepared to hand off to a RADIUS responder for OTP (freeIPA uses
>> this, which I know you're not interested in but is meaningful as a
>> PoC); you can then use something like freeOTP or a physical 2fa token
>> for acquiring additional credentials.
>
> I wonder how hard it would be to add WebAuthn as a preauth mechanism
> for Kerberos as part of a FAST chain.  HOTP/TOTP don't have the
> greatest security properties, even though most Kerberos use cases are
> inherently less vulnerable to phishing than the typical web
> authentication use.

Probably not too bad, but there are some tricky points around RPs and
the like.  There's work underway (blocked on me actually) to add
U2F/FIDO2 as a 2FA mech under SPAKE, though ideally we'd have the SPAKE
draft closer to release before unloading that on the world.

Thanks,
--Robbie
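The RADIUS hand-off Robbie describes, shown as an added configuration example that is not part of this thread: the `[otp]` section of the MIT krb5 KDC configuration routes OTP preauthentication to a RADIUS responder, and the realm, hostnames and file paths below are placeholders.

```ini
# kdc.conf excerpt (added example, not from the thread). Placeholder values:
# the RADIUS host radius.example.com, the secret file path and the realm.
[otp]
    DEFAULT = {
        # RADIUS server the KDC forwards each OTP check to (host:port);
        # a filename here selects a local Unix-domain socket instead.
        server = radius.example.com:1812
        # file holding the RADIUS shared secret; keep it readable by the KDC only
        secret = /var/lib/krb5kdc/radius.secret
        timeout = 5
        retries = 3
        # pass "alice" rather than "alice@EXAMPLE.COM" as the RADIUS user name
        strip_realm = true
    }

# Enable OTP for a principal by setting its "otp" string attribute: a JSON list
# of token objects whose "type" names the [otp] subsection above.
#   kadmin.local -q "set_string alice@EXAMPLE.COM otp '[{\"type\":\"DEFAULT\"}]'"
#
# OTP preauth only runs inside a FAST tunnel, so the client needs armor
# credentials (here from the host keytab) before it can authenticate the user:
#   kinit -k -t /etc/krb5.keytab -c /tmp/armor_cc host/client.example.com
#   kinit -T /tmp/armor_cc alice@EXAMPLE.COM
```

The second kinit prompts for the OTP value, which the KDC verifies against the RADIUS server before issuing a TGT; the Kerberos long-term key is never sent to RADIUS.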