SPAKE preauthentication (added in release 1.17) uses public key cryptography techniques to protect against
attacks <dictionary>. Unlike
PKINIT <pkinit>, it does not require any additional infrastructure such as certificates; it simply needs to be turned on. Using SPAKE preauthentication may modestly increase the CPU and network load on the KDC.
SPAKE preauthentication can use one of four elliptic curve groups for its password-authenticated key exchange. The recommended group is
edwards25519; three NIST curves (
P-521) are also supported.
By default, SPAKE with the
edwards25519 group is enabled on clients, but the KDC does not offer SPAKE by default. To turn it on, set the spake_preauth_groups variable in
libdefaults to a list of allowed groups. This variable affects both the client and the KDC. Simply setting it to
edwards25519 is recommended:
[libdefaults] spake_preauth_groups = edwards25519
Set the +requires_preauth and -allow_svr flags on client principal entries, as you would for any preauthentication mechanism:
kadmin: modprinc +requires_preauth -allow_srv PRINCNAME
Clients which do not implement SPAKE preauthentication will fall back to encrypted timestamp.
An active attacker can force a fallback to encrypted timestamp by modifying the initial KDC response, defeating the protection against dictionary attacks. To prevent this fallback on clients which do implement SPAKE preauthentication, set the disable_encrypted_timestamp variable to
true in the
realms subsection for realms whose KDCs offer SPAKE preauthentication.
By default, SPAKE preauthentication requires an extra network round trip to the KDC during initial authentication. If most of the clients in a realm support SPAKE, this extra round trip can be eliminated using an optimistic challenge, by setting the spake_preauth_kdc_challenge variable in
kdcdefaults to a single group name:
[kdcdefaults] spake_preauth_kdc_challenge = edwards25519
Using optimistic challenge will cause the KDC to do extra work for initial authentication requests that do not result in SPAKE preauthentication, but will save work when SPAKE preauthentication is used.