Offline password attacks on AS-REQ

brian.joh@comcast.net brian.joh at comcast.net
Wed Jun 15 10:04:19 EDT 2005


Hi,

In my company, we're pitching a Kerberos-based solution to authenticate tens of thousands of Linux users to Active Directory.  To increase the likelihood of approval by the higher-ups, we really need to eliminate all perceived security holes.  

Although preauthentication helps some, Kerberos version 5 is susceptible to offline, brute force, password attacks on the initial AS-REQ.  I saw some discussion about this from a few years ago in the archives, but nothing recently.  Is there a solution to this issue yet?  If not, what progress has been made, and what direction is being taken?  I do have some familiarity with MIT Kerberos source code internals, having interfaced some the library's low-level profile and DNS SRV functions to hack out support for Microsoft's extended version of DNS SRV.   Depending on how big the task is, I might be able to spend some time at work to code a solution.

Thanks.

Brian 


More information about the Kerberos mailing list