Writing FAST preauth plugin
Yair Yarom
irush at cs.huji.ac.il
Tue Mar 1 12:31:04 EST 2011
Hi all,

I was wondering what's the current status of the FAST implementation in
Kerberos (1.9). According to
http://k5wiki.kerberos.org/wiki/Developing_a_preauth_plugin: "...is
largely unimplemented from a practical usage perspective at this
point". It seems to me that it's not accurate, but I want to be sure.

Is the FAST tunneling automatically/transparently used when using
"kinit -T cache user" (after e.g. "kinit -n -c cache")? Or do I need to
make some other checks or operations besides verifying that the tunnel
exists using fast_get_armor_key (Wireshark suggests it is...)?

If so, are there any other security considerations besides the men in
the middle? E.g. is it safe to send a key in the pa_data without direct
encryption besides the tunnel?

Are there any publicly available preauth FAST plugins besides the
encrypted challenge?

Thanks,
Yair.