Replaying and server side caching.
Darren Reed (OSE)
darrenr at optimation.com.au
Wed Apr 9 02:13:19 EDT 2003

Whilst testing the KDC with replaying TGT requests, it
became apparent that if the cache was enabled then a
replayed TGT request would be answered. This seemed
dubious in terms of security, but is it deliberate?

I was expecting that turning on the cache would enable
detection of replayed tickets, resulting in an error
message being sent back as opposed to a positive ack.

Unfortunately I've not been back to test it with the
cache disabled; rather, I patched the KDC to return
an error if it found a TGT request in its cache.

Have I misunderstood how the cache in the KDC is meant
to be used/work, or is this an actual limitation with
the current implementation that's recognised and
put up with for various reasons?