On Mon, Nov 21, 2016 at 10:03 AM, Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote:
> On Mon, 21 Nov 2016, Florian Weimer wrote:
>>
>> On 11/21/2016 01:31 PM, Stephen Gallagher wrote:
>>
>> Thanks for your explanation.
>>
>>> So yes, we have protection against that. FreeIPA (which is backing this
>>> solution) requires preauthentication for all user accounts.
>>
>>
>> “That” meaning offline attacks without intercepted packets. With
>> intercepted packets, offline attacks are still feasible, right?
>
> Right -- if you get initial exchange in the traditional Kerberos 5.
> We have been working for several years already to reduce these
> possibilities via different means:
> - enablement for HTTPS-based tunnel for Kerberos flows based on
>   MS-KKDCP specification;
>
> - DNS-based announcement of Kerberos MS-KKDCP proxy using DNS URI;
>
> - SPAKE exchange support in MIT Kerberos (slated for 1.15-1.16)
>
> Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
> tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used
> automatically with the help of DNS URI. For older clients which don't
> support DNS-based discovery you can configure MS-KKDCP proxy access
> manually by stating 'kdc=https://id.fedoraproject.org/KdcProxy' for
> FEDORAPROJECT.ORG realm. For very old clients that don't support
> MS-KKDCP (RHEL 6, for example), you are back to use naked Kerberos 5
> traffic.
>
> Our effort is to get to SPAKE sooner than later.

I'll be working with Robbie Harwood to implement SPAKE in the coming months. So let me add some clarification here.

1. Like Stephen said, preauth now prevents offline dictionary attack without interception. This has been true for years.

2. Offline dictionary attack is theoretically possible with MitM (though is somewhat mitigated by the added timestamp entropy). This can be further mitigated by using the HTTPS proxy as stated by Alexander. I am not aware of any successful attacks using this method.

3. SPAKE is a new technique to make this whole problem irrelevant (as well as provide an implicitly trusted tunnel for 2FA without additional trust anchors). The draft is available here: https://tools.ietf.org/html/draft-mccallum-kitten-krb-spake-preauth-00. A new draft is forthcoming shortly. SPAKE works like a normal Password-Authenticated Key Exchange, and thus is entirely protected from offline attacks the same way Diffie-Hellman is.

There is already a 1FA implementation in an upstream branch which we are going to expand to support 2FA and then merge. The server-side will only land in newer Fedoras. However, should need arise, we might be able to backport the client-side as a plugin. I'm hoping to land this in F26.

Nathaniel
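Added example, not part of the original message or of any project mentioned in it: a small Python check that reads a krb5.conf and reports which realms list a KDC reached over plain Kerberos 5 instead of the HTTPS (MS-KKDCP) tunnel described in the thread. The sample file, the EXAMPLE.ORG realm and its hosts, and the function names are constructed for illustration.

```python
import re

# Constructed sample krb5.conf; EXAMPLE.ORG and its hosts are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FEDORAPROJECT.ORG

[realms]
    FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
    }
    EXAMPLE.ORG = {
        kdc = kdc1.example.org:88
        kdc = https://proxy.example.org/KdcProxy
    }
"""

def audit_realm_transports(conf_text):
    """Map each realm in [realms] to its HTTPS-proxied and naked kdc entries."""
    result, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                     # new top-level section
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:                                     # start of a realm block
            realm = m.group(1)
            result[realm] = {"proxied": [], "naked": []}
        elif line == "}":
            realm = None
        elif realm:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "kdc":
                kind = "proxied" if value.lower().startswith("https://") else "naked"
                result[realm][kind].append(value)
    return result

def realms_with_naked_kdc(conf_text):
    """Realms where at least one configured KDC bypasses the HTTPS tunnel."""
    audit = audit_realm_transports(conf_text)
    return sorted(r for r, t in audit.items() if t["naked"])

if __name__ == "__main__":
    print(realms_with_naked_kdc(SAMPLE_KRB5_CONF))
```

A realm with no `kdc` entries at all is not reported, since the client then relies on DNS-based discovery, which this check does not inspect.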