Behavior change of krb5_rd_req: what error to return

Nicolas Williams Nicolas.Williams at
Wed Dec 3 12:44:36 EST 2008

On Wed, Dec 03, 2008 at 11:12:43AM -0600, Nicolas Williams wrote:
> Note that having aliases which share the same longterm key as another
> principal means that an attacker can undetectably change the sname in
> the unauthenticated plain-text part of the Ticket.  (The sname is not
> repeated inside the Ticket nor in the Authenticator.)  I'm not sure that
> such an attack is terribly interesting, UNLESS the service is going to
> make authorization decisions according to the name by which it was
> called.

Oh, of course, if we're talking about case and normalization differences
then never mind.


More information about the krbdev mailing list