Proof of authenticity of TGT
Ken Raeburn
raeburn at MIT.EDU
Tue Aug 22 13:55:53 EDT 2006
On Aug 22, 2006, at 5:50, Olfmatic wrote:
> as my service is not part of the Kerberos realm, I am not able to
> acquire a service ticket for it. My next thought is to use the TGT
> for authentication at the service.
> How can this be done? Is the TGT signed with a KDC secret? How can
> this be obtained from the KDC? If I had the KDC's master key, the
> TGT is encrypted with, I could give it to my service so it can
> proof the authenticity of the TGT passed to it by my client.
It may be possible to extract the TGT key from the database, though
it's not a great idea. If you've got that degree of access, why
can't you add the service to the realm? And if you're going to use
the TGT key for some random service, I hope there's nothing else in
the realm you care about the security of, because if that server (or
the machine it runs on) can be compromised, everything else in the
realm would be vulnerable.
Ken
More information about the Kerberos
mailing list