[7658] in Kerberos

Re: kerberos to radius

daemon@ATHENA.MIT.EDU (Donald T. Davis)
Mon Jul 22 09:19:58 1996

To: layhua@singnet.com.sg
Cc: kerberos@MIT.EDU, don@cam.ov.com
Date: Mon, 22 Jul 1996 09:08:38 -0400
From: "Donald T. Davis" <don@cam.ov.com>


layhua@singnet.com.sg writes:

> How to ... port the kerberos database over to radius?

the radius spec says that radius is compatible with kerberos,
but the spec seems to assume that kerberos is simply a password
database-server. that is, the radius spec stipulates that the
radius server should get users' passwords from a separate kerberos
server, which is not possible, and would not be secure. by design,
kerberos has no api for exporting passwords to other services.
the only way such an api could be added securely, would be if
the krb server and the radius server were consolidated into a
single machine, and ideally into a single process.

however, it is possible to integrate the radius and kerberos v5
protocols more properly, without merging the servers, and without
violating either protocol. in brief, the idea is that:

* the tty server sends its challenge to the client,
* the radius server sends the same challenge to the kdc, as
  preauthentication data, 
* the kdc sends the correct resp, plus the user's tickets,
  back to the radius server. 
* the radius server forwards the tickets back to the client,
  via the tty-server.

in the following diagram, single arrows represent hashed msgs
and plaintext, while double arrows represent encrypted msgs:

------------------------------------------------------------
      <- CHAP ->      <- RADIUS ->        <-- KRBV5 -->
CLIENT		TTY-SRV		RADIUS-SRV		KDC
------------------------------------------------------------
   --- login? --->
   <- challenge --
   -- response ->
		   == chall+resp ==>
				     -- chall+tkt-req -->
				     <== resp+tickets ===
		  <== accept+tkts ==
   <=== tkts ====
------------------------------------------------------------

it turns out that this all can happen without violating the
krb, radius, or chap protocols, because each provides format
extensions for application-specific data. note that:

* the radius server and tty-server never see the user's pw;
* the kdc handles the challenge & response as preauth-data;
* the user ends up with his krb tickets on his local machine;
* the krb server remains stateless;
* the radius server becomes stateful.

as far as i know, no one has built this integration of radius
with kerberos.
					-don davis, boston
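
A toy simulation of the flow proposed above, added here as an example and not part of the original message: CHAP at the TTY server, the challenge relayed through RADIUS to the KDC as preauth data, and the KDC's correct response plus sealed tickets relayed back. The hash-based cipher and key derivation are stand-ins for real Kerberos cryptography, the principal name and password are constructed, and the KDC is assumed to hold the CHAP secret so it can compute the expected response.

```python
import hashlib
import json
import os
from hmac import compare_digest

# Constructed demo credential: known to the user and, in this design, to the KDC.
SECRETS = {"user@EXAMPLE.ORG": b"correct horse battery"}

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def user_key(secret: bytes) -> bytes:
    """Stand-in for Kerberos string-to-key (a plain hash here, not the real algorithm)."""
    return hashlib.sha256(b"toy-s2k|" + secret).digest()

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher standing in for Kerberos encryption; symmetric, demo only."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, stream))

def kdc_as_exchange(principal: str, ident: int, challenge: bytes):
    """KDC (stateless): treat the CHAP challenge as preauth data and return the
    correct response plus tickets sealed under the user's key ('resp+tickets')."""
    secret = SECRETS.get(principal)
    if secret is None:                                # unknown principal: no response, no tickets
        return None, None
    tickets = json.dumps({"cname": principal, "skey": os.urandom(16).hex()}).encode()
    return chap_response(ident, secret, challenge), toy_cipher(user_key(secret), tickets)

def radius_access_request(principal: str, ident: int, challenge: bytes, response: bytes):
    """RADIUS server (stateful): hold the client's response while asking the KDC,
    compare it with the KDC's answer, and relay the tickets on Access-Accept.
    It never sees the password, only the challenge and the two responses."""
    expected, tickets = kdc_as_exchange(principal, ident, challenge)
    if expected is None or not compare_digest(expected, response):
        return "Access-Reject", None
    return "Access-Accept", tickets

def tty_login(principal: str, password: bytes):
    """TTY server challenges the client; the client answers with CHAP; tickets flow back.
    Returns the decrypted ticket dict, or None when access is rejected."""
    ident, challenge = 1, os.urandom(16)                  # TTY-SRV -> CLIENT: challenge
    response = chap_response(ident, password, challenge)  # CLIENT -> TTY-SRV: response
    code, tickets = radius_access_request(principal, ident, challenge, response)
    if code != "Access-Accept":
        return None
    # CLIENT: only the holder of the password can open the sealed tickets.
    return json.loads(toy_cipher(user_key(password), tickets))
```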
