[kitten] Token Preauth for Kerberos

Nathaniel McCallum npmccallum at redhat.com
Wed Jun 11 10:52:04 EDT 2014


On Wed, 2014-06-11 at 08:15 +0000, Zheng, Kai wrote:
> Hi Greg,
> 
> Thanks for your valuable feedback and suggestions!
> 
> 1. Yes, you're right: I'm taking the OTP approach and using the FAST armor key as the reply key. As mentioned in the proposal, we suggest PKINIT be deployed along with this mechanism,
> and the client uses anonymous PKINIT to obtain the armor ticket. It doesn't provide mutual authentication, since only the KDC is authenticated to the client with the configured certificate of the KDC, and
> the client isn't, due to lacking a certificate, so as to avoid the deployment overhead in our solution. So protecting the token here in the AS-REQ exchange mainly depends on the FAST tunnel, and
> the client should be careful about the armor ticket.

You may be interested in this proposal:
http://mailman.mit.edu/pipermail/krbdev/2014-May/011958.html

Nathaniel


