.. _spake:

SPAKE Preauthentication
=======================

SPAKE preauthentication (added in release 1.17) uses public key
cryptography techniques to protect against :ref:`password dictionary
attacks <dictionary>`. Unlike :ref:`PKINIT <pkinit>`, it does not
require any additional infrastructure such as certificates; it simply
needs to be turned on. Using SPAKE preauthentication may modestly
increase the CPU and network load on the KDC.

SPAKE preauthentication can use one of four elliptic curve groups for
its password-authenticated key exchange. The recommended group is
``edwards25519``; three NIST curves (``P-256``, ``P-384``, and
``P-521``) are also supported.

By default, SPAKE with the ``edwards25519`` group is enabled on
clients, but the KDC does not offer SPAKE by default. To turn it on,
set the **spake_preauth_groups** variable in :ref:`libdefaults` to a
list of allowed groups. This variable affects both the client and the
KDC, so it must be present in the krb5.conf read by the KDC as well
as in the clients' configuration. Simply setting it to
``edwards25519`` is recommended::

    [libdefaults]
        spake_preauth_groups = edwards25519

Set the **+requires_preauth** and **-allow_svr** flags on client
principal entries, as you would for any preauthentication mechanism::

    kadmin: modprinc +requires_preauth -allow_svr PRINCNAME

**+requires_preauth** ensures the KDC will not issue a ticket to the
principal without preauthentication, and **-allow_svr** prevents the
principal from being named as a service, which would otherwise let
anyone obtain a ticket encrypted in its long-term key and attack that
key offline.

Clients which do not implement SPAKE preauthentication will fall back
to encrypted timestamp.

An active attacker can force a fallback to encrypted timestamp by
modifying the initial KDC response, defeating the protection against
dictionary attacks. To prevent this fallback on clients which do
implement SPAKE preauthentication, set the
**disable_encrypted_timestamp** variable to ``true`` in the
:ref:`realms` subsection for realms whose KDCs offer SPAKE
preauthentication. Only set it for a realm once every KDC in that
realm offers SPAKE; a client with it set cannot authenticate to a KDC
that offers only encrypted timestamp.

By default, SPAKE preauthentication requires an extra network round
trip to the KDC during initial authentication. If most of the clients
in a realm support SPAKE, this extra round trip can be eliminated
using an optimistic challenge, by setting the
**spake_preauth_kdc_challenge** variable in :ref:`kdcdefaults` to a
single group name::

    [kdcdefaults]
        spake_preauth_kdc_challenge = edwards25519

The group named here must be one of the groups listed in
**spake_preauth_groups**. Using optimistic challenge will cause the
KDC to do extra work for initial authentication requests that do not
result in SPAKE preauthentication, but will save work when SPAKE
preauthentication is used.
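The three settings above (**spake_preauth_groups**,
**disable_encrypted_timestamp** and **spake_preauth_kdc_challenge**)
are easy to get half right: the KDC ends up not offering SPAKE, or a
realm is left open to the encrypted-timestamp downgrade. The following
audit script is an added example, not part of MIT Kerberos or of this
page; it parses krb5.conf/kdc.conf profile syntax (sections, ``key =
value`` lines and nested ``REALM = { ... }`` blocks) and reports the
deviations from the configuration recommended above. The sample
configurations embedded in it are constructed for the example, and the
check that the optimistic challenge group is listed in
**spake_preauth_groups** reflects the requirement stated above.

```python
"""Audit krb5.conf / kdc.conf text for the SPAKE settings recommended above."""
import re

TRUE_WORDS = {"true", "yes", "y", "on", "t", "1"}   # profile boolean spellings


def parse_profile(text):
    """Parse krb5 profile syntax into nested dicts.

    Handles [section] headers, key = value lines and nested NAME = { ... }
    blocks (realm entries).  '#' or ';' starts a comment.  A later
    duplicate key overwrites an earlier one, which is enough for an audit.
    """
    root, stack = {}, []            # stack: currently open section/blocks
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("directive outside any section: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":                     # open a nested block
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return root


def split_list(value):
    """spake_preauth_groups is a whitespace- or comma-separated list."""
    return [g for g in re.split(r"[\s,]+", value) if g]


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_WORDS


def audit_spake(krb5_conf, kdc_conf=""):
    """Return a list of findings; an empty list means the config matches
    the recommendations: KDC offers SPAKE, edwards25519 is permitted,
    every realm disables the encrypted-timestamp fallback, and any
    optimistic challenge group is a permitted group."""
    findings = []
    profile = parse_profile(krb5_conf)
    kdc_profile = parse_profile(kdc_conf) if kdc_conf.strip() else {}

    groups = split_list(profile.get("libdefaults", {}).get("spake_preauth_groups", ""))
    if not groups:
        findings.append("[libdefaults] spake_preauth_groups unset: "
                        "the KDC will not offer SPAKE")
    elif "edwards25519" not in groups:
        findings.append("[libdefaults] spake_preauth_groups omits the "
                        "recommended edwards25519 group: %s" % groups)

    for realm, settings in profile.get("realms", {}).items():
        if isinstance(settings, dict) and not is_true(
                settings.get("disable_encrypted_timestamp")):
            findings.append("[realms] %s: disable_encrypted_timestamp not true; "
                            "an active attacker can downgrade SPAKE clients "
                            "to encrypted timestamp" % realm)

    # [kdcdefaults] may appear in krb5.conf or kdc.conf; kdc.conf wins here.
    kdcdefaults = dict(profile.get("kdcdefaults", {}))
    kdcdefaults.update(kdc_profile.get("kdcdefaults", {}))
    challenge = kdcdefaults.get("spake_preauth_kdc_challenge")
    if challenge and challenge not in groups:
        findings.append("[kdcdefaults] spake_preauth_kdc_challenge=%s is not "
                        "listed in spake_preauth_groups %s" % (challenge, groups))
    return findings


# Constructed sample: SPAKE left at defaults, so the KDC never offers it.
WEAK_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com      # constructed host name
        admin_server = kdc1.example.com
    }
"""

# Constructed sample: the configuration recommended on this page.
HARDENED_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    spake_preauth_groups = edwards25519
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
        disable_encrypted_timestamp = true
    }
"""

HARDENED_KDC_CONF = """
[kdcdefaults]
    spake_preauth_kdc_challenge = edwards25519
"""

if __name__ == "__main__":
    print("weak:", audit_spake(WEAK_KRB5_CONF))
    print("hardened:", audit_spake(HARDENED_KRB5_CONF, HARDENED_KDC_CONF) or "OK")
```

Run it against the real files (``/etc/krb5.conf`` and the KDC's
``kdc.conf``) on each KDC and on a representative client; the weak
sample produces two findings (no SPAKE offered, realm still subject to
the downgrade), the hardened sample none.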