Security issues with not transferring the password

Fredrik Tolf fredrik at dolda2000.com
Wed Feb 18 10:23:26 EST 2004


Hi all!

I'm relatively new to Kerberos - I've been using it for a couple of
months, and I really like its ideas and all about SSO etc.

However, I've been a bit perplexed about this thing about not
transferring the password over the network for receiving the TGT. Of
course, I realize the advantages of not having the password
transferred over the network, be it encrypted or not, but doesn't it
actually make things even worse?

The way I've understood it (please correct me if I'm wrong), is that
the KDC encrypts the TGT with a symmetrical cipher (3DES?) using the
user's password as the key, right? In that case, couldn't a hostile
just obtain an encrypted TGT and brute-force the password from it? I
mean, passwords aren't usually even close to 128 bits long, and
usually consist of a rather narrow subset of characters.

It seems to me that it would be more secure to have the KDC distribute
TGTs over an encrypted TCP channel, where the client actually sends
its password for verification, so that the KDC can rate-limit the
number of authentication attempts.

I've only found small bits and pieces about preauthentication, and
from what I've read, it seems that the client actually sends an
encrypted version of the user's password over the network, which seems
to cancel out the beneficial effects of transferring an encrypted TGT.

I'm guessing that I'm wrong about this somehow, considering how mature
Kerberos is, but would you please help me see where I'm missing the
point?

Fredrik Tolf
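The attack the post worries about, and what pre-authentication changes about it, as an added example (not code from the original post, nor from MIT Kerberos or any other implementation). It is a toy model of the AS exchange in the Python standard library: the ticket itself is sealed under the KDC's krbtgt key and only the reply's enc-part (session key and ticket metadata) is encrypted under the client's password-derived key, as in real Kerberos; the ciphers, key derivation, the realm DOLDA2000.COM, the user "fredrik" and the password list are all constructed for the demonstration and do not match the real enctypes or message formats.

```python
# Added example (not from the original post or from MIT Kerberos): a toy model of
# the Kerberos AS exchange, with and without encrypted-timestamp pre-authentication.
# The realm, principal, password and wordlist are constructed for the demo.
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, salt: str) -> bytes:
    """Derive the principal's long-term key from the password (stands in for
    Kerberos string2key; real enctypes use their own KDF and salt rules)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag). It plays the role of
    the 3DES/AES EncryptedData; the tag models the integrity check that lets a
    decryptor tell a right key from a wrong one."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm: str, users: dict, require_preauth: bool):
        self.realm = realm
        self.keys = {u: string_to_key(pw, realm + u) for u, pw in users.items()}
        self.krbtgt_key = os.urandom(32)  # the TGT itself is sealed with this key
        self.require_preauth = require_preauth
        self.failures = {}                # online-guess counter the KDC can rate-limit on

    def as_exchange(self, principal: str, preauth: bytes = None) -> dict:
        """AS-REQ -> AS-REP. `preauth` models PA-ENC-TIMESTAMP: the current time
        encrypted under the client's long-term key."""
        key = self.keys[principal]
        if self.require_preauth:
            if preauth is None:
                return {"error": "KDC_ERR_PREAUTH_REQUIRED"}
            ts = decrypt(key, preauth)
            if ts is None or abs(time.time() - int(ts)) > 300:
                self.failures[principal] = self.failures.get(principal, 0) + 1
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
        session_key = os.urandom(32)
        ticket = encrypt(self.krbtgt_key, json.dumps(
            {"cname": principal, "key": session_key.hex()}).encode())
        # Only this enc-part is protected by the password-derived key.
        enc_part = encrypt(key, json.dumps(
            {"key": session_key.hex(), "sname": "krbtgt/" + self.realm}).encode())
        return {"ticket": ticket, "enc-part": enc_part}


def offline_guess(enc_part: bytes, principal: str, realm: str, wordlist):
    """Dictionary attack on a captured AS-REP enc-part: the KDC is never contacted."""
    for guess in wordlist:
        if decrypt(string_to_key(guess, realm + principal), enc_part) is not None:
            return guess
    return None


def make_preauth(password: str, principal: str, realm: str) -> bytes:
    return encrypt(string_to_key(password, realm + principal),
                   str(int(time.time())).encode())


def demo():
    realm, user, password = "DOLDA2000.COM", "fredrik", "hunter2"
    wordlist = ["password", "letmein", "hunter2", "kerberos"]  # constructed

    # 1. No pre-authentication: the KDC answers anyone, so the attacker asks for an
    #    AS-REP in fredrik's name and cracks the enc-part offline at leisure.
    kdc = KDC(realm, {user: password}, require_preauth=False)
    rep = kdc.as_exchange(user)
    cracked = offline_guess(rep["enc-part"], user, realm, wordlist)

    # 2. Pre-authentication required: a bare request yields an error, not crackable
    #    material; each wrong guess is a round trip the KDC can count and throttle.
    kdc2 = KDC(realm, {user: password}, require_preauth=True)
    err = kdc2.as_exchange(user)["error"]
    for guess in wordlist[:2]:
        kdc2.as_exchange(user, make_preauth(guess, user, realm))
    legit = kdc2.as_exchange(user, make_preauth(password, user, realm))
    return cracked, err, kdc2.failures[user], "enc-part" in legit
```

`demo()` returns `("hunter2", "KDC_ERR_PREAUTH_REQUIRED", 2, True)`: without pre-authentication the password falls to an offline dictionary attack on a reply anyone could request, while with it the unauthenticated attacker gets nothing to crack and every guess lands in the KDC's failure counter. The caveat a practitioner should keep in mind is that the encrypted timestamp is itself known-plaintext material: pre-authentication closes the "just ask the KDC" path, but an attacker who can sniff the wire can still capture a legitimate client's PA-ENC-TIMESTAMP and attack it offline, which is why stronger pre-authentication mechanisms (public-key or tunnelled ones) exist.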



More information about the Kerberos mailing list