[16661] in Kerberos_V5_Development
Writing FAST preauth plugin
daemon@ATHENA.MIT.EDU (Yair Yarom)
Tue Mar 1 12:31:11 2011
From: Yair Yarom <irush@cs.huji.ac.il>
To: krbdev@mit.edu
Date: Tue, 01 Mar 2011 19:31:04 +0200
Message-ID: <x8qhbbmd9yf.fsf@mantis.cs.huji.ac.il>

Hi all,

I was wondering what's the current status of the FAST implementation in
Kerberos (1.9). According to
http://k5wiki.kerberos.org/wiki/Developing_a_preauth_plugin: "...is
largely unimplemented from a practical usage perspective at this
point". It seems to me that it's not accurate, but I want to be sure.

Is the FAST tunneling automatically/transparently used when using
"kinit -T cache user" (after e.g. "kinit -n -c cache")? Or do I need to
make some other checks or operations besides verifying that the tunnel
exists using fast_get_armor_key (Wireshark suggests it is...)?

If so, are there any other security considerations besides the man in
the middle? E.g. is it safe to send a key in the pa_data without direct
encryption besides the tunnel?

Are there any publicly available preauth FAST plugins besides the
encrypted challenge?

Thanks,
Yair.