Re: [kitten] Non-Password Password Change
"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu> Thu, 15 October 2015 23:19 UTC
Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5D5A1A036F for <kitten@ietfa.amsl.com>; Thu, 15 Oct 2015 16:19:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Vyz0sYhlvpg for <kitten@ietfa.amsl.com>; Thu, 15 Oct 2015 16:19:39 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.201.169]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 487A51A036E for <kitten@ietf.org>; Thu, 15 Oct 2015 16:19:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 118D0E42F; Thu, 15 Oct 2015 19:19:36 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mailout.easymail.ca
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (easymail-mailout.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHKvsXxQGKx3; Thu, 15 Oct 2015 19:19:35 -0400 (EDT)
Received: from [192.168.1.180] (wsip-70-184-69-253.oc.oc.cox.net [70.184.69.253]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 473A5E41D; Thu, 15 Oct 2015 19:19:35 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <56201FF6.4070902@mit.edu>
Date: Thu, 15 Oct 2015 16:19:34 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E4A08531-53D5-4FF8-AFA0-8A1928CDF9B7@oxy.edu>
References: <63860D22-138C-430F-B615-06CBB14654CC@oxy.edu> <56201FF6.4070902@mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/fSufTVLa-Udpf0yZi2zNLrNAw94>
Cc: kitten@ietf.org
Subject: Re: [kitten] Non-Password Password Change
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2015 23:19:41 -0000
> On Oct 15, 2015, at 2:51 PM, Greg Hudson <ghudson@MIT.EDU> wrote: > > On 10/15/2015 03:59 PM, Henry B (Hank) Hotz, CISSP wrote: >> There’s been work on improved password change protocols, but I’m not sure how much actually completed. I also remember once suggesting that loading a KDB entry from a keytab file would be useful, at least for handling cross-realm principals. > > I believe the most recent work is: > > https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-08 > > I vaguely recall an explicit decision not to continue with that work > because no one believed they were likely to implement it. I see a set_keys() operation in there. I don’t think I’m likely to implement it though. >> Are there any password change protocols where you can supply the enctype and a key instead of a text password? > > This is probably obvious, but any such facility allows the client to > circumvent password policies, and therefore usually require special > permissions. Given PKINIT and FAST/OTP, all you need is a policy which says NO-PASSWORDS. ;-) > I believe you are correct that in current implementations, the only way > to do that is via implementation-specific admin interfaces. > > Another mode I would find interesting is one where the server makes up a > new password and tells you what it is. I don't know if it would get > much use (I've never seen passwords managed that way in any > environment), but it seems like a reasonable way to mitigate risk. I once built a service which chose users’ passwords and emailed them to them. I didn’t have to implement any set/change password functionality and the reset function was dead simple. The above draft supports it. What would be nice is if you could update application servers' keytabs *before* the kdc started issuing tickets with the new keys. Personal: hbhotz@oxy.edu Business: hhotz@securechannels.com
- [kitten] Non-Password Password Change Henry B (Hank) Hotz, CISSP
- Re: [kitten] Non-Password Password Change Greg Hudson
- Re: [kitten] Non-Password Password Change Henry B (Hank) Hotz, CISSP
- Re: [kitten] Non-Password Password Change D.Rogers
- Re: [kitten] Non-Password Password Change Nico Williams