Implementing IETF Draft on DNS use in Kerberos
Derek Atkins
warlord at MIT.EDU
Thu Jul 18 19:38:01 EDT 2002
Will Fiveash <william.fiveash at sun.com> writes:
> I thought that the receipt of a valid TGT was proof for the client
> that it was dealing with a trusted KDC and thus the local realm lookup
> was valid. If this is true, then it doesn't seem necessary to get a
> service ticket in order to validate the local realm lookup. (I should
> point out that by client I mean client principal with an entry in the
> KDC's princ db.)
Receipt of the TGT only proves that the user knew the correct
password to decrypt the krb5 packet received from the network.
It says nothing about whether that is a "proper" TGT. I could
generate an 'AS_REP" message on my own with a password that I
know, and send it in response to AS_REQ messages of my own
choosing.
The login host should _use_ that TGT to obtain a service ticket
for itself in order to verify the TGT is a "real" TGT and not
a fake TGT as described above.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
More information about the krbdev
mailing list