I-D for a new method: EAP-Kerberos
Rick van Rein
rick at openfortress.nl
Mon Mar 14 00:01:13 CET 2016
Hello,
I've long wondered how Kerberos integration with RADIUS works; only recently did
I understand that it answers to a PAP inquiry that uses the KDC as a password
oracle.
This is very disappointing. In the symmetric-key discipline of Kerberos, every
derived key can be uncovered once the initial password is known. When the
initial password is sent through RADIUS, RADIUS suddenly becomes a third party
able to decrypt ALL of a user's traffic! Moreover, directly using the password is
a trick and has its limitations -- it won't work with PKINIT for example, as used
under Windows smart card logon.
I would argue that having a real EAP-Kerberos method is long overdue. Does this
list agree that it would be useful to have such a method embedded within EAP?
I have written an Internet Draft to define an EAP-Kerberos mechanism, and would
be interested in feedback on it. If we establish consensus I would like to
register it officially as a new EAP Method. So please, comment on it?
https://datatracker.ietf.org/doc/draft-vanrein-eap-kerberos/
Thanks,
Rick van Rein
OpenFortress.nl / ARPA2.net
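The claim above that every Kerberos key can be recovered from the password is easy to make concrete. The following Go program is an added example and is not part of the original post, of FreeRADIUS, or of the EAP-Kerberos draft; it implements the RFC 3962 string-to-key function for the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 enctypes (PBKDF2-HMAC-SHA1 over the password and salt, then the RFC 3961 DK step with the n-folded constant "kerberos") using only the Go standard library. The principal name, realm and password are the RFC 3962 Appendix B test values; the helper names (rotr, nfold, pbkdf2HMACSHA1, StringToKey, DefaultSalt) are this example's own. Whoever learns the PAP password can run exactly this computation and obtain the same long-term key the KDC database holds, which is why a RADIUS server doing PAP against a KDC is in a position to decrypt the user's Kerberos exchanges.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// rotr rotates the byte string in right by the given number of bits,
// treating it as one big-endian bit string.
func rotr(in []byte, bits int) []byte {
	l := len(in)
	bits %= 8 * l
	byteShift, bitShift := bits/8, uint(bits%8)
	out := make([]byte, l)
	for i := 0; i < l; i++ {
		cur := in[((i-byteShift)%l+l)%l]
		prev := in[((i-byteShift-1)%l+l)%l]
		out[i] = cur>>bitShift | prev<<(8-bitShift)
	}
	return out
}

func gcd(a, b int) int {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// nfold is the n-fold function of RFC 3961 section 5.1: the input is repeated
// lcm(n, len)/len times, each copy rotated right 13 bits more than the previous
// one, and the n-byte chunks are summed with ones-complement addition.
func nfold(in []byte, n int) []byte {
	l := len(in)
	copies := n * l / gcd(n, l) / l
	var buf []byte
	for rep := 0; rep < copies; rep++ {
		buf = append(buf, rotr(in, 13*rep)...)
	}
	sum := make([]byte, n)
	for off := 0; off < len(buf); off += n {
		carry := 0
		for i := n - 1; i >= 0; i-- {
			v := int(sum[i]) + int(buf[off+i]) + carry
			sum[i], carry = byte(v), v>>8
		}
		for carry != 0 { // end-around carry of ones-complement addition
			for i := n - 1; i >= 0 && carry != 0; i-- {
				v := int(sum[i]) + carry
				sum[i], carry = byte(v), v>>8
			}
		}
	}
	return sum
}

// pbkdf2HMACSHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, written out
// here so the example needs nothing outside the standard library.
func pbkdf2HMACSHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := func(data []byte) []byte {
		m := hmac.New(sha1.New, password)
		m.Write(data)
		return m.Sum(nil)
	}
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		idx := []byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)}
		u := prf(append(append([]byte{}, salt...), idx...))
		t := append([]byte{}, u...)
		for i := 1; i < iterations; i++ {
			u = prf(u)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DefaultSalt is the salt used unless the KDC supplies another one: the realm
// followed by the principal's name components with no separators (RFC 3962 s4).
func DefaultSalt(realm string, components ...string) string {
	return realm + strings.Join(components, "")
}

// StringToKey is RFC 3962 string-to-key: tkey = PBKDF2(password, salt), then
// key = DK(tkey, "kerberos"). DK encrypts the 16-byte n-fold of the constant
// with AES-CBC-CTS under a zero IV, which for a single block is a plain AES
// block encryption; a 32-byte key takes a second block K2 = E(K1).
func StringToKey(password, salt string, iterations, keyLen int) ([]byte, error) {
	if keyLen != 16 && keyLen != 32 {
		return nil, fmt.Errorf("unsupported key length %d", keyLen)
	}
	tkey := pbkdf2HMACSHA1([]byte(password), []byte(salt), iterations, keyLen)
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	k1 := make([]byte, 16)
	block.Encrypt(k1, nfold([]byte("kerberos"), 16))
	if keyLen == 16 {
		return k1, nil
	}
	k2 := make([]byte, 16)
	block.Encrypt(k2, k1)
	return append(k1, k2...), nil
}

func NFoldHex(s string, n int) string { return hex.EncodeToString(nfold([]byte(s), n)) }

func StringToKeyHex(password, salt string, iterations, keyLen int) string {
	k, err := StringToKey(password, salt, iterations, keyLen)
	if err != nil {
		return "error: " + err.Error()
	}
	return hex.EncodeToString(k)
}

func main() {
	// 4096 is the default iteration count; the KDC stores exactly this value.
	salt := DefaultSalt("ATHENA.MIT.EDU", "raeburn")
	fmt.Println("aes256 long-term key for raeburn@ATHENA.MIT.EDU:",
		StringToKeyHex("password", salt, 4096, 32))
}
```

The test values are the published RFC 3961 n-fold and RFC 3962 Appendix B string-to-key vectors (iteration count 1), so a reader can confirm the derivation against the standard. Nothing here is secret except the password: the salt is the principal name, the iteration count is sent by the KDC in the pre-authentication hint, and the constant is fixed.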