Hi,
This is very disappointing. In the symmetric-key discipline of Kerberos, every derived key can be uncovered once the initial password is known. Sending the initial password through RADIUS, it suddenly becomes a third party able to decrypt ALL of a user's traffic! Moreover, directly using the password is a trick and has its limitations -- it won't work with PKINIT for example, as used under Windows smart card logon.
for ANY method that requires a password that goes through another system, the password is known for the server agent - thats just how things are.
I would argue that having a real EAP-Kerberos method is long overdue. Does this list agree that it would be useful to have such a method embedded within EAP?
I have written an Internet Draft to define an EAP-Kerberos mechanism, and would be interested in feedback on it. If we establish consensus I would like to register it officially as a new EAP Method. So please, comment on it?
https://datatracker.ietf.org/doc/draft-vanrein-eap-kerberos/
work is already done for EAP kerberos - along with some other reuqiremens such as server security pinning - I would suggest that you read the ABFAB IETF stuff - 'Project Moonshot' was its original name - there is working software and FreeRADIUS 3 does it, for example https://tools.ietf.org/html/rfc7055 alan