On ma, 21 marras 2016, Florian Weimer wrote:
On 11/21/2016 01:31 PM, Stephen Gallagher wrote:
Thanks for your explanation.
So yes, we have protection against that. FreeIPA (which is backing this
solution) requires preauthentication for all user accounts.
“That” meaning offline attacks without intercepted packets. With
intercepted packets, offline attacks are still feasible, right?
Right -- if you get initial exchange in the traditional Kerberos 5.
We have been working for several years already to reduce these
possibilities via different means:
- enablement for HTTPS-based tunnel for Kerberos flows based on
MS-KKDCP specification;
- DNS-based announcement of Kerberos MS-KKDCP proxy using DNS URI;
- SPAKE exchange support in MIT Kerberos (slated for 1.15-1.16)
Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used
automatically with the help of DNS URI. For older clients which don't
support DNS-based discovery you can configure MS-KKDCP proxy access
manually by stating 'kdc=https://id.fedoraproject.org/KdcProxy' for
FEDORAPROJECT.ORG realm. For very old clients that don't support
MS-KKDCP (RHEL 6, for example), you are back to use naked Kerberos 5
traffic.
Our effort is to get to SPAKE sooner than later.
--
/ Alexander Bokovoy
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
