Offline password attacks on AS-REQ

peter huang peter.huang at hp.com
Thu Jun 16 15:48:16 EDT 2005


brian.joh at comcast.net wrote:
> Tunneling sounds like the best option.
> 
> We have over 500 Windows 2000 and Windows 2003 domain
> controllers (KDCs in Active Directory), that we don't want to have
> to modify or install new software on.  These domain controllers
> (KDCs) do have SSL properly configured, so I suppose, we could
> tunnel the AS-REQ and AS-REP inside of SSL.  I'll try this unless
> anyone knows of a better way, keeping in mind no major changes
> can be made to these Domain Controllers.
> 
> Thanks!
> 
so how would one change the KDC to support SSL?  the current kinit 
process only talk to udp/tcp 88,  is there other proposals to do kinit?

-peter


More information about the Kerberos mailing list