Migrating a Kerberos Realm
Ken Raeburn
raeburn at MIT.EDU
Fri Nov 3 11:20:30 EST 2006
On Nov 3, 2006, at 09:32, Douglas E. Engert wrote:
> But the salt is returned in the KRB_ERROR KRB5KDC_ERR_PREAUTH_REQUIRED(25)
> message on the PA_ENCTYPE_INFO in clear text so just having a different salt
> per principal should make it just as difficult for the attacker.
If the salt string is randomized on password changes, the attacker
would have to rebuild his list of keys (except for RC4). If it's
kept the same for a given user principal, he can keep using the same
precomputed list.
Ken
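
The difference between a per-principal salt and a salt randomized on password change, as an added example that is not part of the original message. It uses only the PBKDF2-HMAC-SHA1 stage of the AES string-to-key (the final key-derivation step is omitted, which does not change the dependence on the salt), and the realm, principals and passwords are constructed. RC4 is left out because its key does not use the salt.

```python
import hashlib
import os

ITERATIONS = 4096  # default iteration count in RFC 3962


def pbkdf2_stage(password, salt):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, 32)


def default_salt(realm, principal):
    """Default salt: realm followed by the principal name, fixed for the user."""
    return (realm + principal).encode("utf-8")


def precompute(candidates, salt):
    """Key list built once against the salt seen in the clear-text reply."""
    return {pbkdf2_stage(pw, salt): pw for pw in candidates}


def list_still_valid(key_list, password, current_salt):
    """True if the user's current key appears in the precomputed list."""
    return pbkdf2_stage(password, current_salt) in key_list


def demo():
    # Constructed sample data: realm, principals and candidate passwords.
    candidates = ["autumn2006", "winter2006", "spring2007"]
    alice = default_salt("EXAMPLE.COM", "alice")
    bob = default_salt("EXAMPLE.COM", "bob")
    key_list = precompute(candidates, alice)  # built while alice used "autumn2006"
    new_password = "winter2006"               # alice changes to another weak password
    return {
        # Per-principal salt: the same password gives different keys per user.
        "same_password_differs_per_principal":
            pbkdf2_stage(new_password, alice) != pbkdf2_stage(new_password, bob),
        # Salt kept across the change: the old list still covers the new key.
        "list_valid_with_kept_salt": list_still_valid(key_list, new_password, alice),
        # Salt randomized at the change: the list has to be rebuilt.
        "list_valid_with_random_salt":
            list_still_valid(key_list, new_password, os.urandom(16)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```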