Grant Taylor <gtay...@tnetconsulting.net> writes:

> On 1/8/19 6:22 PM, Russ Allbery wrote:
>> Internet use is very common in the Kerberos community.

> Does this include client <-> KDC?

Yes. A lot of higher education institutions that have used Kerberos for many, many years have their KDCs directly on the Internet and allow clients to authenticate from anywhere.

> My cursory reading makes me think that FAST is what provides the
> security (by encrypting more things through the Fast and Secure Tunnel)
> using parameters derived via PKINIT.

PKINIT is just a replacement preauth mechanism, instead of enc-timestamp. Basically, the client uses an X.509 authentication instead of a proof of key possession as the preauthentication step to establish a shared session secret that is used to encrypt the TGT. (This may not be 100% accurate; it's been a while since I dug into the protocol.)

FAST is a replacement for the whole preauth step. It uses some pre-existing shared session key between the KDC and the client to encrypt the whole preauthentication exchange. Inside of that, you can use various preauthentication mechanisms.

Where they usefully combine is in how to get that pre-existing shared session key to be able to start using FAST. This is a chicken-and-egg problem with traditional Kerberos: you have to authenticate first in order to authenticate. You can, for instance, use the local host key (which is probably randomly generated and therefore safer to use in a direct exchange with the KDC) to get a session key to start FAST, and then do preauthentication with the (weaker) password-derived key.

Anonymous PKINIT lets you out of that trap by letting the client "authenticate" with anonymous Diffie-Hellman to the KDC. This doesn't establish any meaningful identity, but it *does* get you a shared session key, and with that you can start FAST, and use it to protect any subsequent preauthentication exchange.

Note that you can enable anonymous PKINIT even if you don't otherwise use PKINIT and don't have any client certificates. (You ideally do have a KDC certificate, though, that the clients know about.)

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
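The two ways of bootstrapping FAST armor that Russ describes (the local host key, or anonymous PKINIT), followed by password preauthentication inside the FAST tunnel, as an added shell example that is not part of the original post. It assumes MIT Kerberos `kinit`, a KDC with anonymous PKINIT enabled (the WELLKNOWN/ANONYMOUS principal and a KDC certificate) and a client `krb5.conf` whose `pkinit_anchors` trusts that certificate; the realm, keytab path and cache location are placeholders.

```shell
#!/bin/sh
# Added example: bootstrap a FAST armor ticket, then authenticate with the
# password-derived key inside FAST. The armor step runs unprotected against
# the KDC, so it must use a key that is safe to expose to that exchange.
KINIT="${KINIT:-kinit}"                          # overridable for dry runs
REALM="${REALM:-EXAMPLE.COM}"                    # placeholder realm
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"             # placeholder host keytab
ARMOR_CACHE="${ARMOR_CACHE:-FILE:/tmp/krb5cc_armor_$(id -u)}"

# Option (a): armor from the host key. The host key is randomly generated,
# so an unarmored enc-timestamp exchange with it is not password-guessable.
armor_from_host_key() {
    "$KINIT" -k -t "$KEYTAB" -c "$ARMOR_CACHE" "host/$(hostname -f)@$REALM"
}

# Option (b): armor from anonymous PKINIT. Anonymous Diffie-Hellman gives a
# session key but no identity; "@REALM" is the realm-exposed anonymous form
# and needs no client certificate, only the KDC's certificate as an anchor.
armor_from_anon_pkinit() {
    "$KINIT" -n -c "$ARMOR_CACHE" "@$REALM"
}

# Password preauthentication inside FAST: -T names the armor cache, so the
# password-derived key never appears in an unprotected exchange.
fast_password_kinit() {
    "$KINIT" -T "$ARMOR_CACHE" "$1@$REALM"
}

# Prefer the host key when the keytab is readable (normally only as root);
# otherwise fall back to anonymous PKINIT, which needs no local secret.
login_with_fast() {
    if [ -r "$KEYTAB" ]; then
        armor_from_host_key || return 1
    else
        armor_from_anon_pkinit || return 1
    fi
    fast_password_kinit "$1"
}
# Usage: . ./fast_armor.sh; login_with_fast alice
```

Against a real KDC, `klist -c "$ARMOR_CACHE"` after the armor step shows the anonymous (or host) ticket that the final `kinit` used as armor.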