Kerberos Password Sniffing

Frank O'Dwyer fod at
Sun Dec 1 05:58:30 EST 2002

Can you elaborate on the solutions that are being considered and what 
the timetable is?

Also at the risk of sounding curmudgeonly, what's the hold up? I and 
others have been banging on about this vulnerability for years now. Why 
does it take the announcement of a tool to light a fire under people, 
when the possibility of such a tool has been obvious and well documented 
in the literature for over 10 years, as have the various possible fixes?

There is also some breakdown in communication going on, since there are 
1000s of admins out there who have somehow got the message that Kerberos 
is "unsniffable". Which is true in theory (PKINIT etc), yet in practical 
terms is far from the truth.

I suppose we're lucky that this guy hasn't put a nice GUI on the tool.



Sam Hartman wrote:
> You should note that fixing offline dictionary attacks is a current
> work item of the Kerberos working group of the IETF; solutions are
> basically understood but need to be written up and implemented.
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list