host/*@REALM tickets with ssh, DNS
Josh Huber
huber at alum.wpi.edu
Fri Aug 9 15:36:45 EDT 2002
eichin-krb at thok.org writes:
> Unless I'm vastly misunderstanding your terms, your understanding
> is, well, "inside out" at best.
Nope, you weren't misunderstanding my terms, I just had the procedure
completely wrong in my head.
> V4: no prove, just assert.
> V5: well, there's preauth, but it is weak; mostly, also assert.
>
> The ticket you get is encrypted in a key you are expected to have,
> namely string2key of your password.
This makes things _so_ much clearer -- thanks!
> [snip explanation]
Well, it makes perfect sense now.
> Google for "zanarotti attack" if you want to find details of the
> common security failure resulting from the assumption that being
> able to decrypt a kdc response in a key handed to you by a user
> means *anything*...
Thanks for the reference. After reading a little, I see now why this
is necessary.
Thanks,
--
Josh Huber
More information about the Kerberos
mailing list