[20497] in Kerberos_V5_Development
Re: responding to BlastRadius
daemon@ATHENA.MIT.EDU (Alexander Bokovoy)
Wed Jul 10 02:14:48 2024
Date: Wed, 10 Jul 2024 09:14:29 +0300
From: Alexander Bokovoy <abokovoy@redhat.com>
To: Sam Hartman <hartmans@debian.org>
Cc: krbdev@mit.edu
Message-ID: <Zo4mxVzlCBAnG6gH@redhat.com>
MIME-Version: 1.0
In-Reply-To: <tslwmlu480p.fsf@suchdamage.org>
Content-Disposition: inline
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Tue, 09 Jul 2024, Sam Hartman wrote:
>
>So, I've always been uncomfortable with the decision to have a KDC
>talking to a RADIUS server.
>But it looks like another round of attention is being focused on RADIUS
>vulnerabilities: https://www.blastradius.fail/
>
>I tend to agree with the title of the paper: RADIUS over UDP considered
>harmful.
>
>I've always been confused why Kerberos started its journey into RADIUS
>land with a library that did not support TLS.
>I guess the argument was that the proprietary RADIUS servers for some
>OTP applications didn't support anything better.
>And perhaps that's still true.
>So perhaps there's nothing we can do.
>But it at least seems like a good time to revisit the use of RADIUS and
>ask ourselves whether there are changes or recommendations we should be
>making.
In the default configuration we talk to a UNIX domain socket over
RADIUS, not to some UDP/TCP-backed server. This is what the FreeIPA KDC
uses to implement all (except PKINIT) passwordless pre-authentication
methods. When talking locally over a UNIX domain socket, we inherently
trust the other side and, being on the same system, we control its setup.
It would be good to have RFC 6613 (RADIUS over TCP), RFC 6614 (RADIUS
over TLS), and RFC 7930 (Large packets for RADIUS over TCP) supported.
But I feel the support for them can be moved away to that UNIX domain
socket responder part as well and handled there.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
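The exchange the reply describes, a RADIUS Access-Request/Access-Accept carried over a local UNIX domain socket rather than UDP, as an added example that is not part of the thread, of krb5, or of FreeIPA. It is a self-contained Python model of both ends: the client side obfuscates User-Password per RFC 2865 and attaches a Message-Authenticator (HMAC-MD5, RFC 2869); the responder refuses any Access-Request that lacks a valid Message-Authenticator, which is the precondition BlastRadius relies on, and signs its reply; the client then checks both the Response Authenticator and the reply's Message-Authenticator. The shared secret, user database, NAS-Identifier and socket pairing are constructed for the example; a real deployment would bind a path such as the one configured for the KDC's OTP plugin, which is not shown here.

```python
import hashlib, hmac, os, socket, struct, threading

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80

def encode_attrs(attrs):
    # RADIUS TLV: one-octet type, one-octet length (including the two header octets), value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_packet(code, ident, authenticator, attrs, secret):
    # Reserve a zeroed Message-Authenticator as the first attribute, HMAC-MD5 the whole
    # packet under the shared secret, then write the MAC into the reserved slot (RFC 2869 5.14).
    body = encode_attrs([(MESSAGE_AUTHENTICATOR, bytes(16))] + attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:2] + mac + body[18:]

def verify_message_authenticator(packet, secret, request_auth=None):
    # True iff the packet carries a Message-Authenticator valid under secret. For a reply the
    # HMAC is computed with the Request Authenticator in the authenticator field, so pass it in.
    # A packet with no Message-Authenticator at all is rejected: that is the BlastRadius check.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    auth = packet[4:20] if request_auth is None else request_auth
    body, i = packet[20:], 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = body[:i + 2] + bytes(16) + body[i + 18:]
            expected = hmac.new(secret, packet[:4] + auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, body[i + 2:i + 18])
        i += l
    return False

def strip_message_authenticator(packet):
    # Drop the leading Message-Authenticator (what a legacy client that never sent one looks like).
    body = packet[20:]
    body = body[body[1]:]
    return struct.pack("!BBH", packet[0], packet[1], 20 + len(body)) + packet[4:20] + body

def encrypt_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16, c1 = p1 xor MD5(secret|RA), ci = pi xor MD5(secret|c(i-1)).
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decrypt_password(cipher, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")  # assumes passwords contain no trailing NUL (constructed example)

def serve_once(sock, secret, users):
    # Responder end: one Access-Request on a connected AF_UNIX stream, one Accept/Reject back.
    hdr = sock.recv(4, socket.MSG_WAITALL)
    code, ident, length = struct.unpack("!BBH", hdr)
    packet = hdr + sock.recv(length - 4, socket.MSG_WAITALL)
    req_auth, reply = packet[4:20], ACCESS_REJECT
    if code == ACCESS_REQUEST and verify_message_authenticator(packet, secret):
        attrs = dict(decode_attrs(packet[20:]))
        pw = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
        if users.get(attrs.get(USER_NAME)) == pw:
            reply = ACCESS_ACCEPT
    resp = build_packet(reply, ident, req_auth, [], secret)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865 3.
    resp_auth = hashlib.md5(resp + secret).digest()
    sock.sendall(resp[:4] + resp_auth + resp[20:])

def authenticate(sock, secret, username, password):
    # Client (KDC) end: send a signed Access-Request, accept only a reply that passes both checks.
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, encrypt_password(password, secret, req_auth)),
             (NAS_IDENTIFIER, b"kdc")]  # NAS-Identifier value is constructed
    sock.sendall(build_packet(ACCESS_REQUEST, ident, req_auth, attrs, secret))
    hdr = sock.recv(4, socket.MSG_WAITALL)
    code, rid, length = struct.unpack("!BBH", hdr)
    resp = hdr + sock.recv(length - 4, socket.MSG_WAITALL)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp[4:20]):
        return False
    if not verify_message_authenticator(resp, secret, request_auth=req_auth):
        return False
    return code == ACCESS_ACCEPT

def run_exchange(username, password, secret=b"constructed-shared-secret", users=None):
    # Both ends in one process over an AF_UNIX socketpair standing in for the local responder.
    users = users if users is not None else {b"alice": b"otp-123456"}  # constructed user db
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    t = threading.Thread(target=serve_once, args=(server, secret, users))
    t.start()
    try:
        return authenticate(client, secret, username, password)
    finally:
        client.close(); t.join(); server.close()

if __name__ == "__main__":
    print("alice/otp-123456 ->", run_exchange(b"alice", b"otp-123456"))
    print("alice/wrong      ->", run_exchange(b"alice", b"wrong"))
```

The two lengths of trust in the reply show up directly in the code: over a UNIX socket the peer is the local responder and the shared secret mostly guards against a confused local process, whereas over UDP the same Message-Authenticator check is what stands between a forged Access-Accept and the KDC, which is why a responder that tolerates its absence is the case BlastRadius exploits.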