Question about FAST
kristian
x_astroboyz at yahoo.co.id
Sat Jun 26 06:39:12 EDT 2010
On Sat, 26/6/10, Greg Hudson <ghudson at MIT.EDU> wrote
>I haven't personally tried to do this, so I'm not sure why John the
>Ripper wouldn't be working. Note that if your user principals require
>preauth, you'd want to attack the second AS-REQ or second AS-REP; if
>they don't require preauth, you'd want to attack the first AS-REP.
Well, I have used AS-REP to be decrypted with john the ripper, but the hex code gotten from it is really different with example in TGT-Krb5 used by this tool, different in length I mean. AS-REP I got has longer hex code. May be I take wrong string from this hex to be decrypted, but I don't know the correct ones
>One can integrate FAST with a Unix login system using the most recent
>release of pam_krb5
>(http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html) in
>combination with a program like k5start to maintain the armor ccache
>using the host keytab.
I tried to install pam-krb5-4.3 in my freebsd machine (not by ports, because version pam-krb in the port is older) and when I type command configure, I paid attention on this lines :
checking k5profile.h usability... no
checking k5profile.h presence... no
checking for k5profile.h... no
checking for krb5_creds.session... yes
checking for krb5_appdefault_string...
yes
checking for krb5_get_init_creds_opt_alloc... no
checking for krb5_get_init_creds_opt_set_change_password_prompt... no
checking for krb5_get_init_creds_opt_set_default_flags... yes
checking for krb5_get_init_creds_opt_set_fast_ccache_name... no
checking for krb5_get_init_creds_opt_set_pa... no
checking for krb5_init_secure_context... no
checking for krb5_verify_init_creds_opt_init... yes
checking for krb5_get_init_creds_opt_set_pkinit... no
checking for krb5_get_init_creds_opt_free... no
there are some 'no's, and the set_fast_ccache_name is included. I guess it will fail to use FAST in kerberos/pam. How's about that ?
>If you're adventurous enough to use trunk code (the stuff destined to
>become krb5 1.9), you can use KRB5_TRACE to get a little insight into
>what's going on.
Well, then it seems that I have to install krb5.1.9. I'll try.
Additionally, there is not option -T in original kinit of kerberos I use now
More information about the krbdev
mailing list