Proof of authenticity of TGT

Ken Raeburn raeburn at MIT.EDU
Tue Aug 22 13:55:53 EDT 2006

On Aug 22, 2006, at 5:50, Olfmatic wrote:
> as my service is not part of the Kerberos realm, I am not able to
> acquire a service ticket for it. My next thought is to use the TGT
> for authentication at the service.
> How can this be done? Is the TGT signed with a KDC secret? How can
> this be obtained from the KDC? If I had the KDC's master key the
> TGT is encrypted with, I could give it to my service so it can
> prove the authenticity of the TGT passed to it by my client.

It may be possible to extract the TGT key from the database, though
it's not a great idea.  If you've got that degree of access, why
can't you add the service to the realm?  And if you're going to use
the TGT key for some random service, I hope there's nothing else in
the realm you care about the security of, because if that server (or
the machine it runs on) can be compromised, everything else in the
realm would be vulnerable.
