[20496] in Kerberos_V5_Development


responding to BlastRadius

daemon@ATHENA.MIT.EDU (Sam Hartman)
Tue Jul 9 16:36:51 2024

From: Sam Hartman <hartmans@debian.org>
To: krbdev@mit.edu
Date: Tue, 09 Jul 2024 14:36:54 -0600
Message-ID: <tslwmlu480p.fsf@suchdamage.org>

So, I've always been uncomfortable with the decision to have a KDC
talking to a RADIUS server.
But it looks like another round of attention is being focused on RADIUS
vulnerabilities: https://www.blastradius.fail/

I tend to agree with the title of the paper: RADIUS over UDP considered
harmful.

I've always been confused why Kerberos started its journey into RADIUS
land with a library that did not support TLS.
I guess the argument was that the proprietary RADIUS servers for some
OTP applications didn't support anything better.
And perhaps that's still true.
So perhaps there's nothing we can do.
But it at least seems like a good time to revisit the use of RADIUS and
ask ourselves whether there are changes or recommendations we should be
making.

--Sam
