host/*@REALM tickets with ssh, DNS

Josh Huber huber at alum.wpi.edu
Fri Aug 9 15:36:45 EDT 2002


eichin-krb at thok.org writes:

> Unless I'm vastly misunderstanding your terms, your understanding
> is, well, "inside out" at best.

Nope, you weren't misunderstanding my terms, I just had the procedure
completely wrong in my head.

> V4: no prove, just assert.
> V5: well, there's preauth, but it is weak; mostly, also assert.
>
> The ticket you get is encrypted in a key you are expected to have,
> namely string2key of your password.

This makes things _so_ much clearer -- thanks!

> [snip explanation]

Well, it makes perfect sense now.

> Google for "zanarotti attack" if you want to find details of the
> common security failure resulting from the assumption that being
> able to decrypt a kdc response in a key handed to you by a user
> means *anything*...

Thanks for the reference.  After reading a little, I see now why this
is necessary.

Thanks,

-- 
Josh Huber
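
Added example, not part of the original message or of any Kerberos implementation: a toy model of the point quoted above, that a reply decrypting under string2key of the typed password proves nothing by itself, while also checking a host/ ticket against the local keytab key does. The cipher, the PBKDF2 stand-in for string2key, the names `Responder`, `naive_check` and `verified_check`, and the principals and passwords are all constructed assumptions.

```python
# Toy model (constructed for illustration; not real Kerberos wire formats or enctypes).
import hashlib, hmac, os

def string2key(password, salt):
    # Stand-in KDF; real Kerberos enctypes define their own string2key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    # Toy authenticated encryption: hash keystream XOR plus an HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    # Returns the plaintext, or None if the blob was not sealed with this key.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Responder:
    """Anything that answers a ticket request: the real KDC or an impostor."""
    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key
    def reply(self, client, service):
        session = os.urandom(16)
        return (seal(self.keys[client], session),                            # for the client
                seal(self.keys[service], client.encode() + b"|" + session))  # the ticket

def naive_check(responder, user, password, host):
    # Accepts as soon as the reply decrypts under string2key(password).
    enc_part, _ = responder.reply(user, host)
    return unseal(string2key(password, user), enc_part) is not None

def verified_check(responder, user, password, host, keytab_key):
    # Additionally requires the host/ ticket to decrypt under the local keytab key.
    enc_part, ticket = responder.reply(user, host)
    session = unseal(string2key(password, user), enc_part)
    inner = unseal(keytab_key, ticket) if session is not None else None
    return inner is not None and inner == user.encode() + b"|" + session

HOST, HOST_KEY = "host/box.example.com", os.urandom(32)   # constructed names and key
real_kdc = Responder({"josh": string2key("right-pw", "josh"), HOST: HOST_KEY})
# An impostor picks both keys itself; it does not hold the real host key.
impostor = Responder({"josh": string2key("anything", "josh"), HOST: os.urandom(32)})
```

Against `impostor`, `naive_check` accepts the password "anything" while `verified_check` rejects it, because only the real KDC shares the key stored in the host's keytab.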




