Writing FAST preauth plugin

Yair Yarom irush at cs.huji.ac.il
Tue Mar 1 12:31:04 EST 2011

Hi all,

I was wondering what's the current status of FAST implementation in
kerberos (1.9). According to
http://k5wiki.kerberos.org/wiki/Developing_a_preauth_plugin: "...is
largely unimplemented from a practical usage perspective at this
point". It seems to me that it's not accurate, but I want to be sure.

Is the FAST tunneling automatically/transparently used when using 
"kinit -T cache user" (after e.g. "kinit -n -c cache")? or do I need to
make some other checks or operations besides verifying that the tunnel
exists using fast_get_armor_key (wireshark suggests it is...)

If so, are there any other security considerations besides the men in
the middle? e.g. is it safe to send a key in the pa_data without direct
encryption beside the tunnel.

Are there any publicly available preauth FAST plugins besides the
encrypted challenge?


More information about the krbdev mailing list