Implementing IETF Draft on DNS use in Kerberos

Derek Atkins warlord at MIT.EDU
Thu Jul 18 19:38:01 EDT 2002

Will Fiveash <william.fiveash at> writes:

> I thought that the receipt of a valid TGT was proof for the client
> that it was dealing with a trusted KDC and thus the local realm lookup
> was valid.  If this is true, then it doesn't seem necessary to get a
> service ticket in order to validate the local realm lookup.  (I should
> point out that by client I mean client principal with an entry in the
> KDC's princ db.)

Receipt of the TGT only proves that the user knew the correct
password to decrypt the krb5 packet received from the network.
It says nothing about whether that is a "proper" TGT.  I could
generate an 'AS_REP" message on my own with a password that I
know, and send it in response to AS_REQ messages of my own

The login host should _use_ that TGT to obtain a service ticket
for itself in order to verify the TGT is a "real" TGT and not
a fake TGT as described above.

       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL:    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

More information about the krbdev mailing list