Re: upcoming build and release developer flag day December 12 2016

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 11/20/2016 08:50 AM, Florian Weimer wrote:
> On 11/20/2016 02:11 AM, Dennis Gilmore wrote:
>> koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a freeipa instance
>> internally that has credential syncing to fas. We are working on ensuring that
>> gssapi caching is supported so that you can have multiple TGT's and the
>> ability to work in multiple reams at once. you can get started today by doing
>> kinit <fas username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert file
>> out of the way authentication will still work.
> 
> Unfortunately, I do not know much about Kerberos.
> 
> As far as I understand it, the original Kerberos 5 specification did not protect
> the user password against offline brute-force attacks.  Due to the protocol is
> structured, it is not even necessary for an attacker to intercept any network
> packets; knowledge of the user name is sufficient to obtain data based on which
> you can start cracking the password.
> 
> Will we deploy any protection against that?

That offline attack is basically ancient history. What happened once upon a time
was that the client would just request a TGT (ticket granting ticket) from the
KDC (Key Distribution Center) and get back the resulting TGT immediately, with
the expectation that it was only usable if the user already knew the password.

Nowadays, basically every Kerberos implementation requires preauthentication,
which basically means that before it will send you the TGT, you have to send it
a packet encrypted with the right password. (Often this is something simple like
the current timestamp.) This proves to the KDC that you already know the password.

So yes, we have protection against that. FreeIPA (which is backing this
solution) requires preauthentication for all user accounts.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux