Can you please help answer this one question (as I have not been able to find the answer in the documents)

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jan 26 12:58:10 EST 2017


>Can you please assist me with the following question as I have read a
>lot of Kerberos documentation and still cannot find the answer to one
>question in any of the documents (unless I missed it).
>
>"How does a trusting Kerberos TGS get its 'session key' to the
>requester in the trusted domain"

FWIW, I personally prefer the terms "local" and "foreign" when talking about
cross-realm Kerberos, since that's relatively clear.

>I understand how the cross-realm TGT is encrypted with a shared secret
>that the KDCs in both realms (either end of the trust) share, OK so far.

Right.

>However, this cross-realm TGT is given to the requester via its 'local'
>KDC (e.g. a KDC in their own realm).
>
>Therefore how does the TGS (ticket granting service) 'session key' for
>the KDC in the trusting realm (e.g. the other side of the trust) get
>its 'session key' into a TGT issued by another KDC (e.g. the trusted
>KDC in this instance on the other side of the trust)? This same 'session
>key' has to be supplied to the requester by way of encrypting it with
>the requester's long-term key, which explains why it needs to be the
>local KDC sending the reply, as it knows the requester's long-term key.

You've got it slightly wrong there. Once you are issued a TGT (via
AS messages), further tickets are acquired via TGS messages, where the
KDC uses the session key from the TGT.

Cross-realm is just done via TGS messages.  Perhaps this will be clearer:

- User "foo" gets TGT "krbtgt/LOCAL@LOCAL".  Session key encrypted via user's
  long-term secret (password) and long-term key for krbtgt/LOCAL@LOCAL (AS
  exchange).
- User "foo" gets ticket "krbtgt/LOCAL@REMOTE".  Session key encrypted both
  using the long-term secret for "krbtgt/LOCAL@REMOTE" (which both LOCAL
  and REMOTE KDCs know) and the session key that was in
  "krbtgt/LOCAL@LOCAL".  Note: the user is talking to KDC LOCAL, via a
  TGS exchange.
- User "foo" gets a ticket for "service/remote.host@REMOTE".  Session key
  is encrypted with session key from krbtgt/LOCAL@REMOTE and service long-term
  key.  User talks to KDC REMOTE for this (TGS exchange).

--Ken
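The three-step walkthrough above, modeled as an added example that is not
part of the original thread and is not MIT Kerberos code: one AS exchange and
two TGS exchanges in Python, with a throwaway keystream-plus-HMAC cipher
standing in for a real Kerberos enctype. All keys, the user foo@LOCAL, the
service service/remote.host@REMOTE and the realm names are constructed for
the example. The cross-realm principal is named krbtgt/REMOTE@LOCAL here
(REMOTE's krbtgt service registered in LOCAL's database, which is how MIT
Kerberos names it). The thing to watch is which key seals each session key:
the user's long-term key only in step 1, the local TGT's session key in step
2, and the cross-realm ticket's session key in step 3, so REMOTE never needs
the user's key, and REMOTE can only open tickets for principals it holds a
key for.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", nonce
    while len(out) < n:
        block = hashlib.sha256(key + block).digest()
        out += block
    return out[:n]

def toy_encrypt(key: bytes, payload: dict) -> bytes:
    # Toy authenticated encryption (SHA-256 keystream XOR + HMAC tag) standing in for
    # a Kerberos enctype so the key relationships stay visible. NOT a real cipher.
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds the long-term keys of its realm's principals. The cross-realm krbtgt
    principal appears in BOTH realms' key tables with the same shared key."""
    def __init__(self, realm: str, long_term_keys: dict):
        self.realm, self.keys = realm, long_term_keys

    def as_exchange(self, cname: str):
        # AS exchange: the reply is sealed under the user's long-term key, so only
        # the KDC that knows that key (the user's own realm) can do this step.
        return self._issue(cname, f"krbtgt/{self.realm}@{self.realm}", self.keys[cname])

    def tgs_exchange(self, ticket: dict, authenticator: bytes, sname: str):
        # TGS exchange: open the presented ticket with the key of ITS service principal
        # (own krbtgt, or the cross-realm krbtgt shared with the other realm), check the
        # authenticator under the ticket's session key, then issue the new ticket with
        # its fresh session key sealed under that same ticket session key.
        tkt = toy_decrypt(self.keys[ticket["sname"]], ticket["enc"])
        session_key = bytes.fromhex(tkt["session_key"])
        if toy_decrypt(session_key, authenticator)["cname"] != tkt["cname"]:
            raise ValueError("authenticator does not match ticket")
        return self._issue(tkt["cname"], sname, session_key)

    def _issue(self, cname: str, sname: str, reply_key: bytes):
        session_key = os.urandom(32).hex()
        ticket = {"sname": sname, "enc": toy_encrypt(self.keys[sname],
                  {"cname": cname, "session_key": session_key})}
        enc_part = toy_encrypt(reply_key, {"sname": sname, "session_key": session_key})
        return ticket, enc_part

class Client:
    def __init__(self, cname: str, long_term_key: bytes):
        self.cname, self.key, self.creds = cname, long_term_key, {}  # sname -> (ticket, session key)

    def get_tgt(self, kdc: KDC):
        ticket, enc_part = kdc.as_exchange(self.cname)
        self._store(ticket, toy_decrypt(self.key, enc_part))

    def get_ticket(self, kdc: KDC, using: str, sname: str):
        ticket, session_key = self.creds[using]
        authenticator = toy_encrypt(session_key, {"cname": self.cname})
        new_ticket, enc_part = kdc.tgs_exchange(ticket, authenticator, sname)
        self._store(new_ticket, toy_decrypt(session_key, enc_part))

    def _store(self, ticket: dict, reply: dict):
        self.creds[reply["sname"]] = (ticket, bytes.fromhex(reply["session_key"]))

def cross_realm_walkthrough() -> dict:
    # Constructed keys, all random; "shared" is the inter-realm key both KDCs hold.
    user_key, shared, svc_key = os.urandom(32), os.urandom(32), os.urandom(32)
    local = KDC("LOCAL", {"foo@LOCAL": user_key, "krbtgt/LOCAL@LOCAL": os.urandom(32),
                          "krbtgt/REMOTE@LOCAL": shared})
    remote = KDC("REMOTE", {"krbtgt/REMOTE@REMOTE": os.urandom(32), "krbtgt/REMOTE@LOCAL": shared,
                            "service/remote.host@REMOTE": svc_key})
    foo = Client("foo@LOCAL", user_key)
    foo.get_tgt(local)                                                           # step 1: AS with LOCAL
    foo.get_ticket(local, "krbtgt/LOCAL@LOCAL", "krbtgt/REMOTE@LOCAL")           # step 2: TGS with LOCAL
    foo.get_ticket(remote, "krbtgt/REMOTE@LOCAL", "service/remote.host@REMOTE")  # step 3: TGS with REMOTE
    # The service opens its ticket with its own long-term key and recovers the same
    # session key the client was handed in step 3.
    svc_ticket, svc_session_key = foo.creds["service/remote.host@REMOTE"]
    opened = toy_decrypt(svc_key, svc_ticket["enc"])
    return {"client": foo, "remote": remote, "opened": opened, "svc_session_key": svc_session_key}

def local_tgt_rejected_by_remote(result: dict) -> bool:
    # The local TGT is sealed under krbtgt/LOCAL@LOCAL, a key REMOTE does not hold,
    # so REMOTE cannot service a TGS request made with it (only the cross-realm ticket works).
    tgt, session_key = result["client"].creds["krbtgt/LOCAL@LOCAL"]
    try:
        result["remote"].tgs_exchange(tgt, toy_encrypt(session_key, {"cname": "foo@LOCAL"}),
                                      "service/remote.host@REMOTE")
    except KeyError:
        return True
    return False
```

cross_realm_walkthrough() leaves the client holding three credentials, one
per step, and shows the service recovering the step-3 session key with its
own long-term key; local_tgt_rejected_by_remote() shows why the cross-realm
ticket is needed at all: REMOTE has no key for krbtgt/LOCAL@LOCAL, so a
request carrying the plain local TGT cannot be decrypted there.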

