On 11/20/2016 08:50 AM, Florian Weimer wrote:
> On 11/20/2016 02:11 AM, Dennis Gilmore wrote:
>> Koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a FreeIPA instance
>> internally that has credential syncing to FAS. We are working on ensuring that
>> GSSAPI caching is supported so that you can have multiple TGTs and the
>> ability to work in multiple realms at once. You can get started today by doing
>> kinit <fas username>@FEDORAPROJECT.ORG. If you move your ~/.fedora.cert file
>> out of the way, authentication will still work.
> 
> Unfortunately, I do not know much about Kerberos.
> 
> As far as I understand it, the original Kerberos 5 specification did not protect
> the user password against offline brute-force attacks.  Due to the way the protocol
> is structured, it is not even necessary for an attacker to intercept any network
> packets; knowledge of the user name is sufficient to obtain data based on which
> you can start cracking the password.
> 
> Will we deploy any protection against that?

That offline attack is basically ancient history. What happened once upon a time
was that the client would just request a TGT (ticket granting ticket) from the
KDC (Key Distribution Center) and get back the resulting TGT immediately, with
the expectation that it was only usable if the user already knew the password.

Nowadays, basically every Kerberos implementation requires preauthentication,
which basically means that before it will send you the TGT, you have to send it
a packet encrypted with the right password. (Often this is something simple like
the current timestamp.) This proves to the KDC that you already know the password.

So yes, we have protection against that. FreeIPA (which is backing this
solution) requires preauthentication for all user accounts.
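A toy model of the AS exchange described above, added here as an illustration (it is not code from this thread, from Koji or from FreeIPA): a KDC without preauthentication hands out key-derived material to anyone who names a principal, while one that requires preauthentication only answers after a valid, fresh encrypted timestamp. PBKDF2 stands in for the Kerberos string-to-key function, an HMAC tag stands in for PA-ENC-TIMESTAMP, and the principal names and passwords are constructed.

```python
import hashlib
import hmac
import time

REALM = "FEDORAPROJECT.ORG"  # the realm named in the thread
CLOCK_SKEW = 300             # seconds; KDCs reject timestamps outside a small window

def string_to_key(password: str, principal: str) -> bytes:
    # Kerberos derives the long-term key from password + salt (realm and name);
    # PBKDF2 is the stand-in for the real string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

def enc_timestamp(key: bytes, ts: int) -> bytes:
    # Stand-in for PA-ENC-TIMESTAMP: a tag only a holder of the key can produce.
    return hmac.new(key, str(ts).encode(), "sha256").digest()

class KDC:
    def __init__(self, requires_preauth: bool):
        self.requires_preauth = requires_preauth
        self.keys = {}  # principal -> long-term key (constructed, in-memory)

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = string_to_key(password, name)

    def as_req(self, principal: str, preauth=None, now=None):
        """AS exchange: returns ("AS-REP", enc_part) or ("KRB-ERROR", reason)."""
        key = self.keys.get(principal)
        if key is None:
            return ("KRB-ERROR", "CLIENT_UNKNOWN")
        now = int(time.time()) if now is None else now
        if self.requires_preauth:
            if preauth is None:
                return ("KRB-ERROR", "PREAUTH_REQUIRED")
            ts, tag = preauth
            if abs(now - ts) > CLOCK_SKEW or not hmac.compare_digest(tag, enc_timestamp(key, ts)):
                return ("KRB-ERROR", "PREAUTH_FAILED")
        # The encrypted part is keyed under the user's long-term key. A legacy KDC hands it
        # to anyone who names the principal, which is what makes offline guessing possible.
        nonce = str(now).encode()
        return ("AS-REP", (nonce, hmac.new(key, b"session-key|" + nonce, "sha256").digest()))

def kinit(kdc: KDC, principal: str, password: str, now=None):
    # Client side: request a TGT; answer PREAUTH_REQUIRED with an encrypted timestamp.
    key = string_to_key(password, principal)
    now = int(time.time()) if now is None else now
    kind, body = kdc.as_req(principal, now=now)
    if (kind, body) == ("KRB-ERROR", "PREAUTH_REQUIRED"):
        kind, body = kdc.as_req(principal, preauth=(now, enc_timestamp(key, now)), now=now)
    return kind, body
```

The stale-timestamp check matters as much as the key check: a captured encrypted timestamp must not be replayable after the skew window.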
