
Re: Kerberos n00b question.

daemon@ATHENA.MIT.EDU (Robbie Harwood)
Thu Jan 10 14:09:54 2019

From: Robbie Harwood <rharwood@redhat.com>
To: Russ Allbery <eagle@eyrie.org>, <kerberos@mit.edu>
In-Reply-To: <87o98qaalt.fsf@hope.eyrie.org>
Date: Thu, 10 Jan 2019 14:09:37 -0500
Message-ID: <jlgimywcosu.fsf@redhat.com>
Russ Allbery <eagle@eyrie.org> writes:

> Robbie Harwood <rharwood@redhat.com> writes:
>
>> Also!  2FA will mitigate this concern somewhat as well.  krb5 is
>> prepared to hand off to a RADIUS responder for OTP (FreeIPA uses
>> this, which I know you're not interested in but is meaningful as a
>> PoC); you can then use something like FreeOTP or a physical 2FA token
>> for acquiring additional credentials.
>
> I wonder how hard it would be to add WebAuthn as a preauth mechanism
> for Kerberos as part of a FAST chain.  HOTP/TOTP don't have the
> greatest security properties, even though most Kerberos use cases are
> inherently less vulnerable to phishing than the typical web
> authentication use.

Probably not too bad, but there are some tricky points around RPs and
the like.  There's work underway (blocked on me actually) to add
U2F/FIDO2 as a 2FA mech under SPAKE, though ideally we'd have the SPAKE
draft closer to release before unloading that on the world.

Thanks,
--Robbie
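As an added illustration of the RADIUS hand-off described above (not part of this thread and not taken from the krb5 project's own documentation), this is a minimal MIT krb5 KDC configuration that forwards OTP preauthentication to a RADIUS responder. The realm, host names, secret file path and the principal "alice" are assumed values.

```ini
; kdc.conf fragment: hand OTP preauth off to a RADIUS responder (assumed values throughout)
[otp]
    ; Each subsection names a token type that a principal's "otp" attribute can reference.
    DEFAULT = {
        ; RADIUS responder as host:port; 127.0.0.1:1812 is the MIT default
        server = 127.0.0.1:1812
        ; File holding the shared RADIUS secret (a path relative to the KDC
        ; directory is accepted); keep it readable by the KDC user only
        secret = radius.secret
        ; Per-request timeout in seconds and number of retries before the
        ; preauth attempt fails closed
        timeout = 5
        retries = 3
        ; Send "alice" rather than "alice@EXAMPLE.COM" as the RADIUS username
        strip_realm = true
        ; Authentication indicator stamped into tickets issued after a successful
        ; OTP check; a service principal's require_auth string attribute can
        ; then demand it, so password-only tickets are refused by that service
        indicator = otp
    }

; Enable the mechanism per principal by setting the "otp" string attribute,
; a JSON list of token descriptors referencing a subsection above:
;   kadmin: set_string alice otp '[{"type":"DEFAULT","username":"alice"}]'
;
; OTP preauth is only offered inside a FAST tunnel, so the client must armor
; its request, for example with credentials from the host keytab:
;   kinit -k -t /etc/krb5.keytab -c /tmp/armor_cc host/client.example.com
;   kinit -T /tmp/armor_cc alice
```

Without the FAST armor ticket the KDC never advertises the OTP mechanism and kinit falls back to whatever other preauth is allowed, so the FAST requirement is worth testing explicitly after deployment.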

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos