Re: upcoming build and release developer flag day December 12 2016

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On ma, 21 marras 2016, Florian Weimer wrote:
On 11/21/2016 01:31 PM, Stephen Gallagher wrote:

Thanks for your explanation.

So yes, we have protection against that. FreeIPA (which is backing this
solution) requires preauthentication for all user accounts.

“That” meaning offline attacks without intercepted packets. With intercepted packets, offline attacks are still feasible, right?
Right -- if you get initial exchange in the traditional Kerberos 5.
We have been working for several years already to reduce these
possibilities via different means:
- enablement for HTTPS-based tunnel for Kerberos flows based on
  MS-KKDCP specification;

- DNS-based announcement of Kerberos MS-KKDCP proxy using DNS URI;

- SPAKE exchange support in MIT Kerberos (slated for 1.15-1.16)

Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used
automatically with the help of DNS URI. For older clients which don't
support DNS-based discovery you can configure MS-KKDCP proxy access
manually by stating 'kdc=https://id.fedoraproject.org/KdcProxy' for
FEDORAPROJECT.ORG realm. For very old clients that don't support
MS-KKDCP (RHEL 6, for example), you are back to use naked Kerberos 5
traffic.

Our effort is to get to SPAKE sooner than later.

--
/ Alexander Bokovoy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux