|
Packit |
fd8b60 |
.. _spake:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
SPAKE Preauthentication
|
|
Packit |
fd8b60 |
=======================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
SPAKE preauthentication (added in release 1.17) uses public key
|
|
Packit |
fd8b60 |
cryptography techniques to protect against :ref:`password dictionary
|
|
Packit |
fd8b60 |
attacks <dictionary>`. Unlike :ref:`PKINIT <pkinit>`, it does not
|
|
Packit |
fd8b60 |
require any additional infrastructure such as certificates; it simply
|
|
Packit |
fd8b60 |
needs to be turned on. Using SPAKE preauthentication may modestly
|
|
Packit |
fd8b60 |
increase the CPU and network load on the KDC.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
SPAKE preauthentication can use one of four elliptic curve groups for
|
|
Packit |
fd8b60 |
its password-authenticated key exchange. The recommended group is
|
|
Packit |
fd8b60 |
``edwards25519``; three NIST curves (``P-256``, ``P-384``, and
|
|
Packit |
fd8b60 |
``P-521``) are also supported.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
By default, SPAKE with the ``edwards25519`` group is enabled on
|
|
Packit |
fd8b60 |
clients, but the KDC does not offer SPAKE by default. To turn it on,
|
|
Packit |
fd8b60 |
set the **spake_preauth_groups** variable in :ref:`libdefaults` to a
|
|
Packit |
fd8b60 |
list of allowed groups. This variable affects both the client and the
|
|
Packit |
fd8b60 |
KDC. Simply setting it to ``edwards25519`` is recommended::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[libdefaults]
|
|
Packit |
fd8b60 |
spake_preauth_groups = edwards25519
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Set the **+requires_preauth** and **-allow_svr** flags on client
|
|
Packit |
fd8b60 |
principal entries, as you would for any preauthentication mechanism::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
kadmin: modprinc +requires_preauth -allow_svr PRINCNAME
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Clients which do not implement SPAKE preauthentication will fall back
|
|
Packit |
fd8b60 |
to encrypted timestamp.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
An active attacker can force a fallback to encrypted timestamp by
|
|
Packit |
fd8b60 |
modifying the initial KDC response, defeating the protection against
|
|
Packit |
fd8b60 |
dictionary attacks. To prevent this fallback on clients which do
|
|
Packit |
fd8b60 |
implement SPAKE preauthentication, set the
|
|
Packit |
fd8b60 |
**disable_encrypted_timestamp** variable to ``true`` in the
|
|
Packit |
fd8b60 |
:ref:`realms` subsection for realms whose KDCs offer SPAKE
|
|
Packit |
fd8b60 |
preauthentication.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
By default, SPAKE preauthentication requires an extra network round
|
|
Packit |
fd8b60 |
trip to the KDC during initial authentication. If most of the clients
|
|
Packit |
fd8b60 |
in a realm support SPAKE, this extra round trip can be eliminated
|
|
Packit |
fd8b60 |
using an optimistic challenge, by setting the
|
|
Packit |
fd8b60 |
**spake_preauth_kdc_challenge** variable in :ref:`kdcdefaults` to a
|
|
Packit |
fd8b60 |
single group name::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[kdcdefaults]
|
|
Packit |
fd8b60 |
spake_preauth_kdc_challenge = edwards25519
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Using optimistic challenge will cause the KDC to do extra work for
|
|
Packit |
fd8b60 |
initial authentication requests that do not result in SPAKE
|
|
Packit |
fd8b60 |
preauthentication, but will save work when SPAKE preauthentication is
|
|
Packit |
fd8b60 |
used.
|