[Ach] Kerberos section, out of scope or desirable?

Alexander Wuerstlein arw at cs.fau.de
Wed Jan 1 17:55:27 CET 2014


after reading the current draft PDF, I've noticed Appendix E, "Further
Research", where "We encourage input from the Internet community" is
mentioned along with Kerberos. Since I am interested in working on a
Kerberos section, I've read the TODO.txt file in the git repo, where it
says, introduced in commit 5e4ce69dc4: "* Kerberos --> out of scope".

Does 'out of scope' mean that Kerberos will not be discussed in a
further version of the document? If so, what criteria exclude Kerberos
from the scope of the document? It may be rarely used in private
environments but it is a common occurence in businesses and other

As for the contents of a Kerberos section, I would roughly include the

- initial configuration of a MIT KDC, supported_enctypes limited to
  aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96 and
  camellia256-cts-cmac, camellia128-cts-cmac 
- Mention interoperability concerns that might necessitate further
  ciphers for "legacy" setups.
- Suggest MIT defaults as sensible (but explicitly specified) defaults
  for lifetimes
- similarly for a MIT client: set a sensible list of enctypes as above.
- disable Kerberos 4 (insecure and obsolete), discourage dns_lookup_kdc
  (possible DoS, do you consider this a problem?)

Later, more aspects can be included:
- Configuration of MS ActiveDirectory, e.g. by referencing
  and similar documents
- Heimdal and GNU Shishi Kerberos implementations
- suggest migration paths for setups with legacy DES, 3DES and RC4
  principals, e.g. by forcing a password change for such principals

Things that I would exclude (at least at first):
- X.509/pkinit and SmartCard integration
- LDAP/DB2 KDC backends
- Kerberos client security (e.g. NFSv4 configuration)


Alexander Wuerstlein.

More information about the Ach mailing list