[Ach] Kerberos section, out of scope or desirable?
Alexander Wuerstlein
arw at cs.fau.de
Wed Jan 1 17:55:27 CET 2014
Hello,
after reading the current draft PDF, I've noticed Appendix E, "Further
Research", where "We encourage input from the Internet community" is
mentioned along with Kerberos. Since I am interested in working on a
Kerberos section, I've read the TODO.txt file in the git repo, where it
says, introduced in commit 5e4ce69dc4: "* Kerberos --> out of scope".
Does 'out of scope' mean that Kerberos will not be discussed in a
further version of the document? If so, what criteria exclude Kerberos
from the scope of the document? It may be rarely used in private
environments but it is a common occurrence in businesses and other
institutions.
As for the contents of a Kerberos section, I would roughly include the
following:
- initial configuration of a MIT KDC, supported_enctypes limited to
aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96 and
camellia256-cts-cmac, camellia128-cts-cmac
- Mention interoperability concerns that might necessitate further
ciphers for "legacy" setups.
- Suggest MIT defaults as sensible (but explicitly specified) defaults
for lifetimes
- similarly for a MIT client: set a sensible list of enctypes as above.
- disable Kerberos 4 (insecure and obsolete), discourage dns_lookup_kdc
(possible DoS, do you consider this a problem?)
Later, more aspects can be included:
- Configuration of MS ActiveDirectory, e.g. by referencing
http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx
and similar documents
- Heimdal and GNU Shishi Kerberos implementations
- suggest migration paths for setups with legacy DES, 3DES and RC4
principals, e.g. by forcing a password change for such principals
Things that I would exclude (at least at first):
- X.509/pkinit and SmartCard integration
- LDAP/DB2 KDC backends
- Kerberos client security (e.g. NFSv4 configuration)
Ciao,
Alexander Wuerstlein.
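An added configuration example, not part of the original mail, sketching what the proposed KDC and client section could look like in MIT krb5 syntax: the restricted enctype list from the mail, explicitly stated lifetimes, and dns_lookup_kdc disabled. Realm name, host names and lifetime values are constructed placeholders; the Kerberos 4 knobs are omitted because they depend on how old the MIT build is.

```ini
# --- kdc.conf on the MIT KDC (constructed example, EXAMPLE.COM is a placeholder)
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        # Keys for new or changed principals are generated only with these
        # enctypes, so no DES/3DES/RC4 keys ever enter the database.
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
        # Legacy-style line this replaces (shown for contrast, do not use):
        # supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-crc:normal
        # Lifetimes written out explicitly (values as in MIT's sample kdc.conf;
        # adjust to local policy) so the limits are visible to a reviewer.
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

# --- krb5.conf on MIT clients and on the KDC host itself
[libdefaults]
    default_realm = EXAMPLE.COM
    # Refuse weak enctypes (DES, RC4, ...) outright, independent of the lists below.
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    # Do not locate KDCs or realms via DNS; rely on the static [realms] entries.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Client-side requested lifetimes; the KDC caps them with max_life above.
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
```

If an existing realm still holds DES, 3DES or RC4 keys, tightening supported_enctypes alone does not remove them; those principals need a key change (the password-change migration path mentioned above) before the old keys are gone.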