Regarding long term TGT

Brandon Allbery ballbery at sinenomine.net
Fri Jun 13 09:55:53 EDT 2014


On Fri, 2014-06-13 at 17:21 +0530, Manish Gupta wrote:
> The Kerberos implementation in my platform takes care of secure storage of
> the Kerberos credential cache. It is protected from any unauthorized access.
> 
> In this case, is there any harm in using a long-term TGT, like a TGT valid for a
> month?
> 
> I cannot understand how it can be exploited if the TGT is long-term.

There's at least one case you're not thinking of. That case is when
*your own* access is not authorized: your account was disabled for
whatever reason. Your tickets will continue to work in that case until
they expire.

A practical application of this would be a guest account, where the user
continues to have access over e.g. wifi after their account is disabled,
and as long as their current TGT is valid they continue to be able to
use it. (In fact, I believe there is currently a bit of a hole here.)

-- 
brandon s allbery kf8nh                           sine nomine associates
allbery.b at gmail.com                              ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad    http://sinenomine.net
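As an added illustration of the window Brandon describes (not part of the original thread), here is a small Python check that parses MIT `klist` output for a credential cache (constructed sample below, not real data) and reports how long each ticket would keep working after the account is disabled at a given time, also flagging tickets whose lifetime exceeds a policy ceiling. The principal names, cache path and timestamps are invented for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of MIT Kerberos `klist` output: a cache holding a
# month-long TGT, as in the question, plus one ordinary service ticket.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgupta@EXAMPLE.COM

Valid starting       Expires              Service principal
06/13/2014 09:00:00  07/13/2014 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/13/2014 09:05:12  06/14/2014 09:00:00  host/wifi-gw.example.com@EXAMPLE.COM
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"
# Assumed scenario: the account is disabled a week after the TGT was issued,
# and site policy says no ticket should live longer than one day.
DISABLED_AT = datetime(2014, 6, 20, 12, 0, 0)
POLICY_MAX_LIFE = timedelta(hours=24)


def parse_klist(text):
    """Return a list of (service_principal, valid_from, expires) tuples."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        # Ticket lines are: date time date time principal (5 tokens).
        if len(parts) < 5 or "/" not in parts[0]:
            continue
        try:
            start = datetime.strptime(" ".join(parts[0:2]), TS_FMT)
            end = datetime.strptime(" ".join(parts[2:4]), TS_FMT)
        except ValueError:
            continue
        tickets.append((parts[4], start, end))
    return tickets


def residual_access(tickets, disabled_at):
    """Hours each ticket keeps working after the account is disabled.
    Tickets already expired (or not yet valid) at that moment give 0."""
    report = {}
    for principal, start, end in tickets:
        remaining = (end - disabled_at).total_seconds() / 3600
        report[principal] = remaining if start <= disabled_at < end else 0.0
    return report


def over_policy(tickets, max_life):
    """Principals whose ticket lifetime exceeds the policy ceiling."""
    return [p for p, start, end in tickets if end - start > max_life]


def audit(text=KLIST_OUTPUT, disabled_at=DISABLED_AT, max_life=POLICY_MAX_LIFE):
    tickets = parse_klist(text)
    return {"residual_hours": residual_access(tickets, disabled_at),
            "over_policy": over_policy(tickets, max_life)}
```

With the sample cache, the TGT would still be accepted for 549 hours after the account is disabled, which is exactly the exposure the reply warns about; a KDC-side `max_life` cap is what bounds it.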