Architectural Question ...

Ken Raeburn raeburn at MIT.EDU
Thu Feb 6 09:45:34 EST 2003

ttcowan at (Tony Cowan) writes:
> Someone tells me they've been sniffing and found that one particular
> implementation does in fact hit the KDC to validate the ticket.
> I wonder if it's actually hitting the KDC for some other purpose.
> Getting further information perhaps .. I guess the "session" key
> should be in the original message, so it shouldn't need to fetch that
> ... I wonder what else it might be.

Perhaps they were thinking of the login verification process?  At
login time, you get a ticket-granting ticket, which the local machine
has no way to validated directly because it doesn't have the key for
the ticket-granting service.  So it contacts the KDC to get a ticket
for some local service (say, the remote-login service
"host/"), decrypts that, and uses that as confirmation that
the original password supplied was valid.


More information about the Kerberos mailing list