diff options
Diffstat (limited to 'crypto/krb5/doc/html/admin/spake.html')
| -rw-r--r-- | crypto/krb5/doc/html/admin/spake.html | 197 |
1 files changed, 0 insertions, 197 deletions
diff --git a/crypto/krb5/doc/html/admin/spake.html b/crypto/krb5/doc/html/admin/spake.html deleted file mode 100644 index de215dfbc571..000000000000 --- a/crypto/krb5/doc/html/admin/spake.html +++ /dev/null @@ -1,197 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>SPAKE Preauthentication — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="Addressing dictionary attack risks" href="dictionary.html" /> - <link rel="prev" title="OTP Preauthentication" href="otp.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="otp.html" title="OTP Preauthentication" - accesskey="P">previous</a> | - <a href="dictionary.html" title="Addressing dictionary attack risks" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__SPAKE Preauthentication">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - <div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="spake-preauthentication"> -<span id="spake"></span><h1>SPAKE Preauthentication<a class="headerlink" href="#spake-preauthentication" title="Link to this heading">ΒΆ</a></h1> -<p>SPAKE preauthentication (added in release 1.17) uses public key -cryptography techniques to protect against <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">password dictionary -attacks</span></a>. Unlike <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a>, it does not -require any additional infrastructure such as certificates; it simply -needs to be turned on. Using SPAKE preauthentication may modestly -increase the CPU and network load on the KDC.</p> -<p>SPAKE preauthentication can use one of four elliptic curve groups for -its password-authenticated key exchange. The recommended group is -<code class="docutils literal notranslate"><span class="pre">edwards25519</span></code>; three NIST curves (<code class="docutils literal notranslate"><span class="pre">P-256</span></code>, <code class="docutils literal notranslate"><span class="pre">P-384</span></code>, and -<code class="docutils literal notranslate"><span class="pre">P-521</span></code>) are also supported.</p> -<p>By default, SPAKE with the <code class="docutils literal notranslate"><span class="pre">edwards25519</span></code> group is enabled on -clients, but the KDC does not offer SPAKE by default. To turn it on, -set the <strong>spake_preauth_groups</strong> variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> to a -list of allowed groups. This variable affects both the client and the -KDC. Simply setting it to <code class="docutils literal notranslate"><span class="pre">edwards25519</span></code> is recommended:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> - <span class="n">spake_preauth_groups</span> <span class="o">=</span> <span class="n">edwards25519</span> -</pre></div> -</div> -<p>Set the <strong>+requires_preauth</strong> and <strong>-allow_svr</strong> flags on client -principal entries, as you would for any preauthentication mechanism:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span> -</pre></div> -</div> -<p>Clients which do not implement SPAKE preauthentication will fall back -to encrypted timestamp.</p> -<p>An active attacker can force a fallback to encrypted timestamp by -modifying the initial KDC response, defeating the protection against -dictionary attacks. To prevent this fallback on clients which do -implement SPAKE preauthentication, set the -<strong>disable_encrypted_timestamp</strong> variable to <code class="docutils literal notranslate"><span class="pre">true</span></code> in the -<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection for realms whose KDCs offer SPAKE -preauthentication.</p> -<p>By default, SPAKE preauthentication requires an extra network round -trip to the KDC during initial authentication. If most of the clients -in a realm support SPAKE, this extra round trip can be eliminated -using an optimistic challenge, by setting the -<strong>spake_preauth_kdc_challenge</strong> variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> to a -single group name:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span> - <span class="n">spake_preauth_kdc_challenge</span> <span class="o">=</span> <span class="n">edwards25519</span> -</pre></div> -</div> -<p>Using optimistic challenge will cause the KDC to do extra work for -initial authentication requests that do not result in SPAKE -preauthentication, but will save work when SPAKE preauthentication is -used.</p> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">SPAKE Preauthentication</a></li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> -<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> -<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> -<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> -<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> -<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> -<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> -<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> -<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> -<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="#">SPAKE Preauthentication</a></li> -<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> -<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> -<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> -<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> -<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> -<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> -<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> -<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> -<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> -<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. - </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="otp.html" title="OTP Preauthentication" - >previous</a> | - <a href="dictionary.html" title="Addressing dictionary attack risks" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__SPAKE Preauthentication">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file |