responding to BlastRadius
Sam Hartman
hartmans at debian.org
Tue Jul 9 16:36:54 EDT 2024
So, I've always been uncomfortable with the decision to have a KDC
talking to a RADIUS server.
But it looks like another round of attention is being focused on RADIUS
vulnerabilities: https://www.blastradius.fail/
I tend to agree with the title of the paper: RADIUS over UDP considered
harmful.
I've always been confused why Kerberos started its journey into RADIUS
land with a library that did not support TLS.
I guess the argument was that the proprietary RADIUS servers for some
OTP applications didn't support anything better.
And perhaps that's still true.
So perhaps there's nothing we can do.
But it at least seems like a good time to revisit the use of RADIUS and
ask ourselves whether there are changes or recommendations we should be
making.
--Sam
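Added example, not part of Sam's message or of any Kerberos or RADIUS project code: a small RADIUS packet builder and verifier in Python showing the two integrity mechanisms a KDC-side RADIUS client has to choose between when it cannot get TLS. The Response Authenticator from RFC 2865 is a bare MD5 over the packet with the shared secret appended (nothing keyed), while the Message-Authenticator attribute from RFC 2869 is an HMAC-MD5 keyed with the secret. The verifier can be run in a "require Message-Authenticator" mode that rejects responses carrying only the MD5 authenticator. The shared secret, identifier, and request authenticator below are constructed values for the example.

```python
"""Constructed example: RADIUS Response Authenticator (RFC 2865 s3) versus
the Message-Authenticator attribute (RFC 2869 s5.14), and a client-side
verifier that can insist on the keyed check."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed shared secret for this example only; not from any deployment.
SECRET = b"example-shared-secret"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type/Length/Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The secret is merely appended to the MD5 input; this is not a MAC."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869: HMAC-MD5 keyed with the secret over the packet, with the
    Message-Authenticator value zeroed and the Request Authenticator of the
    matching Access-Request placed in the Authenticator field."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
              for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed),
                    hashlib.md5).digest()


def build_access_accept(ident, request_auth, secret, with_message_auth=True):
    """Server side: build an Access-Accept, optionally carrying the keyed
    Message-Authenticator in addition to the MD5 Response Authenticator."""
    attrs = [(ATTR_USER_NAME, b"alice")]
    if with_message_auth:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        ma = message_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, ma)
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, resp_auth, attrs)


def parse_packet(pkt):
    """Parse header and attributes, rejecting inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def verify_response(pkt, request_auth, secret, require_message_auth):
    """Client side (the KDC's RADIUS library): check a response against the
    Request Authenticator we sent. Returns (ok, reason)."""
    code, ident, auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(auth, expected):
        return False, "response authenticator mismatch"
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        if require_message_auth:
            return False, "missing Message-Authenticator"
        return True, "response authenticator only (unkeyed MD5)"
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "malformed Message-Authenticator"
    expected_ma = message_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(mas[0], expected_ma):
        return False, "Message-Authenticator mismatch"
    return True, "Message-Authenticator verified"


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    for legacy in (False, True):
        pkt = build_access_accept(7, req_auth, SECRET, not legacy)
        print(verify_response(pkt, req_auth, SECRET, require_message_auth=True))
```

Running the block prints one accepted and one rejected verdict: the response that carries a Message-Authenticator verifies, and the legacy response that relies on the Response Authenticator alone is refused once the client insists on the keyed attribute. Which of the two modes a given KDC-to-RADIUS deployment can actually run depends on whether the OTP vendor's server emits Message-Authenticator at all, which is the compatibility question raised above.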