I-D for a new method: EAP-Kerberos

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Apr 4 21:39:43 CEST 2016


> On 4 Apr 2016, at 15:24, Rick van Rein <rick at openfortress.nl> wrote:
> 
> Hi,
> 
>> for ANY method that requires a password that goes through another system, the password
>> is known to the server agent - that's just how things are.
> 
> Sure, but it's rarely as devastating as in the case of Kerberos, where it also implies decryption capability of all private traffic.  Passing the Kerberos password through a third-party system is highly ill-advised within the Kerberos security model.  Also, I don't think we should take this undesirable situation as a fait accompli if there are straightforward ways of doing this that raise fewer security concerns.  What is acceptable to some under a pragmatic attitude is unacceptable in other situations, e.g. when spreading functions over network partners.
> 
>> work is already done for EAP-Kerberos - along with some other requirements such as
>> server security pinning - I would suggest that you read the ABFAB IETF stuff
>> - 'Project Moonshot' was its original name - there is working software and FreeRADIUS 3
>> does it, for example
> 
> I know ABFAB, and it is completely different from what I propose; it embeds EAP in GSS-API (making EAP an alternative to Kerberos5) while I'm proposing that EAP should carry Kerberos as one of its authentication methods (thereby following the line of thought underpinning EAP).  The only relation with ABFAB is that it would be possible in theory to choose between GSS-API / Kerberos5 and GSS-API / EAP / Kerberos layerings (the latter of which would be silly).

I think EAP-Kerberos would be useful to bootstrap Kerberos SSO during network login.

I've been waiting for someone to come up with a standard for this for 10 years :)

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
