
I would like to use Kerberos with FreeRADIUS, but I don't want FreeRADIUS to have access to any passwords (hashed or otherwise), especially because such passwords may not exist if smart card authentication is used. I would much prefer for FreeRADIUS to only have access to Kerberos tickets. How can I do this?

Demi

1 Answer

No, unfortunately not. It's not a limitation in FreeRADIUS as much as there's no EAP method which supports Kerberos natively. The only way to do Kerberos login with RADIUS is to use an EAP method that provides the credentials in the clear, and then use those to decrypt the TGT on the RADIUS server.

I've been lamenting this fact for the past 10 years, as SSO between the network layer and applications would be awesome. Unfortunately, there seems to be so much inertia in the industry that we're unlikely to ever get such an EAP method, especially as we're past peak Kerberos.

  • Could FreeRADIUS be patched to use a bespoke method? – Demi Sep 14 '18 at 02:52
  • Or could the ticket be used to encrypt a 1-time password? – Demi Sep 14 '18 at 02:53
  • There seems to be [an old draft for EAP-GSS](https://tools.ietf.org/html/draft-aboba-pppext-eapgss-12), at least. (I also find it unfortunate that nobody seems to care about Kerberos, and wants GSS-EAP instead.) – u1686_grawity Sep 14 '18 at 04:33
  • @Demi: If you have smartcards, they should be able to handle EAP-TLS or some other client-certificate-based mechanism _directly_, no? – u1686_grawity Sep 14 '18 at 04:34
  • You'd need supplicant side integration for the smart card reader, but yes, there's absolutely no reason why a smartcard-based system wouldn't work with EAP-TLS. – Arran Cudbard-Bell Sep 14 '18 at 07:45
  • @Demi Regarding custom EAP-Methods. No patching necessary in terms of the server core. FreeRADIUS loads pluggable modules (like rlm_eap) on startup, and you can easily develop your own EAP methods (rlm_eap_kerberos) if you wanted to try something custom. I don't know what the state of pluggable modules is on the wpa_supplicant side though. – Arran Cudbard-Bell Sep 14 '18 at 07:48
  • @grawity Yes, they absolutely should be (you can use the same certificate and private key for both EAP-TLS and AD logon, right?). – Demi Sep 15 '18 at 00:32
  • For EAP-TLS – Windows' built-in supplicant inherits smart card support from the system. wpa_supplicant has had PKCS#11 support for a while, now it accepts `pkcs11:` URLs directly in the certificate= field. So as long as the certificate has the needed extendedKeyUsage (which it probably already does), then it _should_ work. – u1686_grawity Sep 15 '18 at 08:18
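As an added example (not from anyone in this thread), here is what the smart-card EAP-TLS setup discussed in the comments looks like on the wpa_supplicant side, with the certificate and key referenced through `pkcs11:` URLs in the `client_cert=` and `private_key=` fields. The SSID, identity, CA path, server name, engine/module paths and the PKCS#11 URL are placeholders to be replaced.

```conf
# Added example, not from the thread: wpa_supplicant.conf for EAP-TLS with a
# smart card via PKCS#11. All names, paths and the pkcs11: URL are placeholders.

# Global section: OpenSSL PKCS#11 engine plus the card's PKCS#11 module
# (OpenSC shown here; adjust to the module shipped with your card middleware).
pkcs11_engine_path=/usr/lib/engines-1.1/pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so

network={
	ssid="CORP-WIFI"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="user@example.com"

	# Validate the RADIUS server's certificate chain and name before the client
	# certificate is sent, so a rogue AP with a different server cert is rejected.
	ca_cert="/etc/ssl/certs/corp-ca.pem"
	domain_suffix_match="radius.example.com"

	# Certificate and private key stay on the card; only a reference is stored.
	# The key never leaves the smart card, it just signs the TLS handshake.
	client_cert="pkcs11:manufacturer=piv_II;id=%01"
	private_key="pkcs11:manufacturer=piv_II;id=%01"

	# Leave pin= out to have wpa_supplicant request the PIN through its control
	# interface (wpa_cli) instead of keeping it in the config file.
	# pin="123456"
}
```

The same card certificate that satisfies the Client Authentication extendedKeyUsage for EAP-TLS is the one the server-side EAP-TLS policy will check, so no password ever reaches FreeRADIUS.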