Obtaining a TGT without unrestricted access to password.

Russ Allbery rra at stanford.edu
Thu Jun 16 09:56:14 EDT 2011


Stef Walter <stefw at collabora.co.uk> writes:
> On 06/16/2011 02:28 AM, Russ Allbery wrote:

>> Why don't you just obtain renewable tickets and renew them instead of
>> storing the password in memory?

> That sounds interesting. Do you have pointers to how this works? I'm not
> that familiar with Kerberos, so please bear with me :)

The result of a Kerberos authentication is a Kerberos
ticket-granting-ticket, which has a lifetime and a renewable lifetime.  As
long as you do so within the lifetime window, you can perform another
authentication to the KDC using the ticket-granting-ticket, without the
password, and ask for a renewed ticket, which will hand you back a new
ticket with a longer lifetime, but with a renewable lifetime that still
expires at the same time as the first one.

In other words, renewing the ticket-granting-ticket can be done without
knowledge of the password and is just like reusing the password, except:

1. The total length of time that a person can renew their credentials
   without demonstrating knowledge of the key is under the control of the
   local site KDC administrator, where you probably want it to be.

2. The local site KDC administrator can intervene if necessary and cause
   the KDC to refuse to renew tickets for that user (if, for example,
   there's some reason to believe the renewable ticket was compromised).

So it's generally superior to storing the user's password in memory in
every respect except when the user intentionally wants to not follow site
policy as expressed in the renewable ticket lifetime.  (Unfortunately,
that last case is common, in part because a lot of sites don't realize
they *have* set a policy.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
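The renewal rule Russ describes, as an added example that is not part of the original thread and not code from MIT Kerberos or any KDC: a small simulation of how a KDC treats a renewable TGT. The site policy constants, the principal flag and the integer timestamps are assumptions made for illustration; they model points 1 and 2 above (the renew-till time is set by site policy and never extended by a renewal, and the administrator can refuse renewals per principal), and show where a client that only holds the TGT is forced back to a password-based authentication.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Site policy a KDC administrator would set in kdc.conf (illustrative
# constants; nothing here is parsed from a real configuration file).
MAX_LIFE = 10 * 3600              # max_life = 10 hours
MAX_RENEWABLE_LIFE = 7 * 86400    # max_renewable_life = 7 days


@dataclass(frozen=True)
class Ticket:
    principal: str
    starttime: int              # seconds; integers stand in for timestamps
    endtime: int
    renew_till: Optional[int]   # None means the ticket is not renewable


@dataclass
class Principal:
    name: str
    allow_renewable: bool = True  # the administrator's lever from point 2


class RenewError(Exception):
    """The KDC refuses the renewal; the client needs a fresh AS exchange."""


def issue_tgt(p: Principal, now: int, life: int, renewable_life: int) -> Ticket:
    """Initial authentication (password required). Both lifetimes are
    clamped to site policy; a renewable lifetime is only granted if it
    exceeds the plain lifetime and the principal is allowed to renew."""
    life = min(life, MAX_LIFE)
    renew_till = None
    if p.allow_renewable and renewable_life > life:
        renew_till = now + min(renewable_life, MAX_RENEWABLE_LIFE)
    return Ticket(p.name, now, now + life, renew_till)


def renew_tgt(p: Principal, tgt: Ticket, now: int, life: int) -> Ticket:
    """TGS exchange with the RENEW option: the client authenticates with
    the TGT, not the password. The new endtime never passes renew_till,
    and renew_till itself is carried over unchanged."""
    if tgt.renew_till is None:
        raise RenewError("ticket is not renewable")
    if now >= tgt.endtime:
        raise RenewError("ticket expired; re-authenticate with the password")
    if now >= tgt.renew_till:
        raise RenewError("renewable lifetime exhausted; re-authenticate")
    if not p.allow_renewable:
        raise RenewError("KDC policy forbids renewals for this principal")
    new_end = min(now + min(life, MAX_LIFE), tgt.renew_till)
    return Ticket(p.name, now, new_end, tgt.renew_till)


def renew_schedule(p: Principal, tgt: Ticket, times: List[int],
                   life: int) -> List[Tuple[int, str]]:
    """Walk a list of renewal attempts (think of a cron job running
    kinit -R) and record each as ok or as the KDC's refusal; stops at
    the first refusal, since the client must then go back to the password."""
    log: List[Tuple[int, str]] = []
    for t in times:
        try:
            tgt = renew_tgt(p, tgt, t, life)
            log.append((t, f"ok until {tgt.endtime}"))
        except RenewError as e:
            log.append((t, f"refused: {e}"))
            break
    return log


if __name__ == "__main__":
    # Constructed scenario: a 10h ticket renewable for 7 days, renewed every 8h.
    user = Principal("stefw@EXAMPLE.COM")
    tgt = issue_tgt(user, 0, 10 * 3600, 7 * 86400)
    for when, outcome in renew_schedule(user, tgt, [8 * 3600 * i for i in range(1, 22)], 10 * 3600):
        print(when, outcome)
```

Note the two failure modes a long-running service has to handle: a renewal attempted after the ticket's own endtime, or after renew_till, is refused and only a new password-based (or keytab-based) authentication recovers; flipping `allow_renewable` mid-schedule models the administrator revoking a suspected-compromised ticket's renewability without touching the user's key.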


