canonicalize, as_req, pa_svr_referral, pa_server_referral

Sam Hartman hartmans at
Thu Dec 18 17:38:01 EST 2008

Luke, Ken, Tom and I are discussing this on Jabber.

Can you describe in more detail the netbios realm name situation?

It seems like several attacks are possible and I'd like to understand
why they are of no concern to windows or to what extent they exist.

In the password server case, if I can change the service you are connecting to  so that it is  one that I have compromised, it semes I'm likely to learn your new password.
What protects against this?

In the TGS case--that is AS to get a TGT--it seems like I can do some
damage by redirecting you to the wrong realm.  If you're using pkinit,
I can give you a ticket even if I don't know your password.  Then I
can direct you to fake servers of my choice.  All I need is a KDC
certificate that you are willing to trust.  So, for environments like
MIT, where we have realms like that are known to run at
very low assurance, if clients are willing to talk to these realms at
all, it seems problematic.

Even without pkinit, it seems like you can run into some problems if
you share a password.

More information about the krbdev mailing list