Kerberos Password Sniffing
Frank O'Dwyer
fod at brd.ie
Sun Dec 1 05:58:30 EST 2002
Can you elaborate on the solutions that are being considered and what
the timetable is?
Also at the risk of sounding curmudgeonly, what's the hold up? I and
others have been banging on about this vulnerability for years now. Why
does it take the announcement of a tool to light a fire under people,
when the possibility of such a tool has been obvious and well documented
in the literature for over 10 years, as have the various possible fixes?
There is also some breakdown in communication going on, since there are
1000s of admins out there who have somehow got the message that Kerberos
is "unsniffable". Which is true in theory (PKINIT etc), yet in practical
terms is far from the truth.
I suppose we're lucky that this guy hasn't put a nice GUI on the tool.
Yet.
Cheers,
Frank.
Sam Hartman wrote:
> You should note that fixing offline dictionary attacks is a current
> work item of the Kerberos working group of the IETF; solutions are
> basically understood but need to be written up and implemented.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list