Obtaining a TGT without unrestricted access to password.
Russ Allbery
rra at stanford.edu
Thu Jun 16 09:58:43 EDT 2011
David Woodhouse <dwmw2 at infradead.org> writes:
> Renewable tickets are all very well, but they're typically only
> renewable for ten days or so. And they also need to be renewed every ten
> hours, which isn't always possible on a sporadically-connected device. A
> laptop or tablet might be turned off, or outside the corporate network,
> for longer than that period of time every night.
Both of these are local site policy decisions that are easily changed by
the KDC administrator. Rather than working around site policy by
intentionally bypassing it in user software, it would probably be better
to actually make the site policy match what it should be....
> Thanks. Stef asked the follow-up question that occurs to me: Is that
> *really* equivalent, in that I can reverse it and then learn the
> password and type it into other things?
> Or just 'password-equivalent' in that you can always obtain a TGT for
> the given principal with it, and not even for the same user in any
> *other* Kerberos realms?
Ah, yes, it's password-equivalent in that it can be used to obtain a TGT
for the given principal with it, but I think the current string2key
functions for all the crypto algorithms you actually want to use involve
the realm in the hash. Although I actually don't remember off-hand and
could well be wrong, so someone else on krbdev should correct me.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
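An added example (not code from the thread or from MIT krb5) illustrating the realm binding discussed above: in the RFC 3962 AES string2key, the default salt is the realm name followed by the principal's name components, so the same password yields different key material in different realms. Only the PBKDF2 stage is shown; the final DK(tkey, "kerberos") step of RFC 3962 needs an AES primitive and is left out, and the realm, principal and password values below are constructed except for the RFC 3962 Appendix B test vector.

```python
import hashlib

# Default PBKDF2 iteration count specified by RFC 3962.
KRB5_PBKDF2_ITERATIONS = 4096


def krb5_default_salt(realm: str, components: list) -> str:
    """Default Kerberos 5 salt: realm name followed by the principal's
    name components concatenated, e.g. 'ATHENA.MIT.EDU' + 'raeburn'."""
    return realm + "".join(components)


def aes_string2key_pbkdf2(password: str, salt: str, key_bits: int = 128,
                          iterations: int = KRB5_PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string2key.

    RFC 3962 then computes DK(tkey, "kerberos") to get the final key; that
    step is omitted here, but the realm binding is already visible because
    the realm is part of the salt fed into PBKDF2.
    """
    if key_bits not in (128, 256):
        raise ValueError("AES key size must be 128 or 256 bits")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bits // 8)


def keys_in_two_realms(password: str, components: list,
                       realm_a: str, realm_b: str) -> tuple:
    """Derive the PBKDF2 stage for the same password and principal name in
    two realms; the results differ because the salt differs."""
    key_a = aes_string2key_pbkdf2(password, krb5_default_salt(realm_a, components))
    key_b = aes_string2key_pbkdf2(password, krb5_default_salt(realm_b, components))
    return key_a, key_b


if __name__ == "__main__":
    # Constructed sample values: one user, one password, two realms.
    a, b = keys_in_two_realms("correct horse", ["alice"], "EXAMPLE.COM", "CORP.EXAMPLE")
    print("EXAMPLE.COM  :", a.hex())
    print("CORP.EXAMPLE :", b.hex())
    print("distinct key material:", a != b)
```

Possession of the derived key therefore lets a holder obtain a TGT only for that principal in that realm; it does not reveal the password and is not reusable in another realm.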