From: kerberos-boun...@mit.edu on behalf of Robbie Harwood
Sent: Thursday, January 10, 2019 2:18 PM
To: Grant Taylor; kerberos@mit.edu
Subject: Re: Kerberos n00b question.
Grant Taylor writes:
>> You don't have to recreate them, but yes, it's a good idea to set
>> +requires_preauth. Setting
Grant Taylor writes:
> On 1/8/19 6:02 PM, Robbie Harwood wrote:
>
>> Also! 2FA will mitigate this concern somewhat as well.
>
> I was wondering about 2nd factor authentication. I have a YubiKey
> that's waiting for my attention.
>
> Would I be correct in assuming that (from a Kerberos point of
Grant Taylor writes:
> On 1/8/19 6:02 PM, Robbie Harwood wrote:
>
>> It still reduces to the security of a password (the one locking the
>> random key).
>
> I agree that the passwords are the weakest link. But I thought
> (hoped) that it would bolster the strength of the (derived) key that
> Ke
Russ Allbery writes:
> Robbie Harwood writes:
>
>> Also! 2FA will mitigate this concern somewhat as well. krb5 is
>> prepared to hand off to a RADIUS responder for OTP (freeIPA uses
>> this, which I know you're not interested in but is meaningful as a
>> PoC); you can then use something like f