Robbie Harwood <rharw...@redhat.com> writes:

> Also!  2FA will mitigate this concern somewhat as well.  krb5 is
> prepared to hand off to a RADIUS responder for OTP (freeIPA uses this,
> which I know you're not interested in but is meaningful as a PoC); you
> can then use something like freeOTP or a physical 2FA token for
> acquiring additional credentials.

I wonder how hard it would be to add WebAuthn as a preauth mechanism for
Kerberos as part of a FAST chain.  HOTP/TOTP don't have the greatest
security properties, even though most Kerberos use cases are inherently
less vulnerable to phishing than the typical web authentication use.

> Apologies.  I consider Kerberos (with preauth and strong passwords) safe
> for internet use, as I imagine the rest of us on here do as well.

Internet use is very common in the Kerberos community.  It is somewhat
vulnerable to weak user passwords, but I'd probably invest my effort in
FAST via anonymous PKINIT to solve that problem instead of network
tunnels.

-- 
Russ Allbery (ea...@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
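As an added illustration of the "FAST via anonymous PKINIT" approach mentioned above (this configuration is not from the thread or from any of the participants), the following shows the minimal MIT krb5 settings on the KDC and client needed so that the password-based AS exchange runs inside an armor tunnel keyed from an anonymous PKINIT ticket, which is what keeps a weak password from being exposed to an offline dictionary attack on the preauth data. The realm name EXAMPLE.COM, the hostnames, the principal `alice`, and all file paths are assumptions chosen for the example.

```ini
# Added example, not code from the thread. Realm, hostnames, principal name
# and file paths are assumed values.

# --- KDC side: /var/kerberos/krb5kdc/kdc.conf ---
[realms]
    EXAMPLE.COM = {
        # KDC certificate and private key used to sign the PKINIT AS-REP (assumed paths)
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # CA that issued the KDC certificate; clients must trust the same anchor
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
        # Anonymous tickets may only serve as a TGT (i.e. as FAST armor),
        # never to obtain service tickets
        restrict_anonymous_to_tgt = true
    }
# The anonymous principal must exist before `kinit -n` can succeed:
#   kadmin.local -q "addprinc -randkey WELLKNOWN/ANONYMOUS"

# --- Client side: /etc/krb5.conf ---
[libdefaults]
    default_realm = EXAMPLE.COM
    # Anchor used to verify the KDC's signature on the anonymous AS-REP.
    # Without it a rogue KDC could supply its own armor key and the tunnel
    # would protect nothing.
    pkinit_anchors = FILE:/etc/krb5/cacert.pem

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
# Client flow: obtain an anonymous ticket via PKINIT, then use it as the
# FAST armor cache for the user's password-based AS exchange:
#   kinit -n -c /tmp/krb5cc_armor @EXAMPLE.COM
#   kinit -T /tmp/krb5cc_armor alice@EXAMPLE.COM
```

The two-step client flow is the part worth checking in practice: if the second `kinit` is run without `-T`, the AS exchange falls back to plain encrypted-timestamp preauth and the password-derived key is once again exposed on the wire, so deployments that rely on this should verify (for example via the KDC log) that armored requests are actually being used.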
