Simultaneous TGT requests for the same principal
Ben H
bhendin at gmail.com
Mon Feb 24 14:17:13 EST 2014
I'm working on an issue that involves authentication between various unix
distros and windows KDC.
Right now the issue is a bit esoteric (i.e. I don't have a lot of hard data
to deliver right now) - but I was hoping I could get some guidance as to
what might be the root issue.
I have found an old comment here that are the only fruits of my search to
find a similar problem (
http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/3877), but
despite being a very old post, I'm not sure if it is germane to my point,
as I am not concerned as much here about auditing, but simply
authentication functionality.
I would like to know if there are any known limitations in modern kerb
implementations that would cause failures of TGT tickets to be issued if
the same principal was requesting them simultaneously.
The simplest example would be a parallel execution of a kinit across
multiple systems. Is there a point where these TGT exchanges can't be
properly tracked, and/or possibly considered as a replay attack by the KDC?
If no - why not? What is the data structure being used to prevent this?
If so - what are the limits? e.g. How many simultaneous attempts might
cause this? What time skew would these attempts have to fall within to be
affected? I assume this issue (if it exists) would only occur if all
authentication attempts were happening against the same KDC.
Preliminary data would indicate that this has been an issue in some of our
tests, and that small delays in the parallel execution (a few milliseconds)
eliminated the failed attempts.
TIA for any information that might lead me down the right path.
More information about the Kerberos
mailing list