I-D for a new method: EAP-Kerberos
A.L.M.Buxey at lboro.ac.uk
Mon Mar 14 11:19:35 CET 2016
Hi,
> This is very disappointing. In the symmetric-key discipline of Kerberos, every
> derived key can be uncovered once the initial password is known. Sending the
> initial password through RADIUS, it suddenly becomes a third party able to
> decrypt ALL of a user's traffic! Moreover, directly using the password is a
> trick and has its limitations -- it won't work with PKINIT for example, as used
> under Windows smart card logon.
for ANY method that requires a password that goes through another system, the password
is known for the server agent - that's just how things are.
> I would argue that having a real EAP-Kerberos method is long overdue. Does this
> list agree that it would be useful to have such a method embedded within EAP?
>
> I have written an Internet Draft to define an EAP-Kerberos mechanism, and would
> be interested in feedback on it. If we establish consensus I would like to
> register it officially as a new EAP Method. So please, comment on it?
>
> https://datatracker.ietf.org/doc/draft-vanrein-eap-kerberos/
work is already done for EAP Kerberos - along with some other requirements such as
server security pinning - I would suggest that you read the ABFAB IETF stuff
- 'Project Moonshot' was its original name - there is working software and FreeRADIUS 3
does it, for example
https://tools.ietf.org/html/rfc7055
alan