Automatic FAST via Anonymous PKINIT

Nico Williams nico at cryptonector.com
Mon Jun 2 15:52:24 EDT 2014


On Mon, Jun 2, 2014 at 2:26 PM, Nathaniel McCallum
<npmccallum at redhat.com> wrote:
> Even if we use FAST to encrypt all traffic, the temporary anonymous
> ticket will only be used for ASReq requests. #4 provides no benefit to
> "FAST all the time" apart from ASReqs. The only case where it does make
> sense is in a login system. And the login system should (generally) be a
> Kerberos service in its own right. This is precisely how SSSD works. No
> anonymous ticket is needed because the service has its own ticket which
> is managed in the SSSD ticket ccache.

Mobile devices might not be keyed, or if they are they might not have
stable hostnames (so don't insist on host-based client credentials for
them, or on their matching the client's IP address).

I agree that a per-session/user FAST armor ticket for protecting AS
_and_ TGS requests would be nice.  Greg's #4 is not incompatible with
that: a PAM / whatever can make sure to obtain such a ticket for the
user, and if none is available, then kinit/krb5_get_init_creds*() can
do it (though in the last case it'd be an anon PKINIT ticket).

Nico
--
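The fallback described in the message (reuse a session armor ticket if a PAM/SSSD-style component already provided one, otherwise let kinit obtain an anonymous PKINIT ticket and armor the user's AS request with it), as an added example script that is not part of the thread. It uses the MIT krb5 kinit flags -n (anonymous principal), -c (credential cache) and -T (armor cache) and klist -s for the validity check; the realm, the cache paths and the KRB5_REALM variable are assumptions, and the anonymous step only works against a KDC that issues anonymous PKINIT tickets to a client with pkinit_anchors configured.

```shell
#!/bin/sh
# Added example, not code from the krbdev thread: pick a FAST armor ticket
# for a user, preferring an existing session ticket and falling back to an
# anonymous PKINIT ticket. Realm, ccache paths and KRB5_REALM are assumed.

# Return 0 if the ccache holds unexpired credentials (klist -s is silent).
armor_usable() {
    klist -s -c "$1" 2>/dev/null
}

# Fill the given ccache with an anonymous PKINIT ticket for $REALM.
# Requires the KDC to support anonymous PKINIT and pkinit_anchors on the client.
anon_armor() {
    kinit -n -c "$1" "@$REALM"
}

# Choose the armor ccache. $1 tests usability, $2 is the session ccache a
# PAM/SSSD component may have left, $3 the fallback ccache and $4 the
# command that fills it. Prints the chosen path, returns 1 if neither works.
select_armor() {
    check=$1; session=$2; fallback=$3; fill=$4
    if "$check" "$session"; then
        printf '%s\n' "$session"
    elif "$fill" "$fallback"; then
        printf '%s\n' "$fallback"
    else
        return 1
    fi
}

# Armored AS request for the user's real principal (-T names the armor ccache).
armored_kinit() {
    kinit -T "$1" "$2"
}

main() {
    REALM=${KRB5_REALM:-EXAMPLE.COM}              # placeholder realm
    session=${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}   # where a login component would put a ticket
    anon=/tmp/armor_$(id -u)                      # placeholder path for the anonymous ticket
    armor=$(select_armor armor_usable "$session" "$anon" anon_armor) || {
        echo "no usable armor ticket" >&2
        exit 1
    }
    armored_kinit "$armor" "$1"
}

# Usage: ensure_armor.sh user@EXAMPLE.COM
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The selection logic is kept separate from the kinit calls so the fallback order can be exercised without a KDC; in a real deployment the session ccache would be the one SSSD or the PAM module manages, as the quoted message describes.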