Thanks: GSS Server without secret key?
Douglas E. Engert
deengert at anl.gov
Fri Nov 7 10:07:26 EST 2003
Tim Alsop wrote:
>
> Oliver,
>
> The design seems to be asymmetric in that the need to store a secret long-term key at the client has been avoided (the client only needs to store its TGT), but a secret long-term key at the server is still necessary. I am afraid our customer will complain about this ...
If your customers are using a Windows domain, and log in to the workstation using the domain,
the workstation has a long term secret, set up by the AD administrator at some time.
Microsoft stores the machine password and derives a key from this rather than just storing
a key. AD uses Kerberos under the covers.
>
> This is not the case if you use user-to-user GSS since the server uses a secret derived from a userid/password logon. Please read my earlier reply on this subject.
>
> Tim.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444