Obtaining a TGT without unrestricted access to password.

David Woodhouse dwmw2 at infradead.org
Thu Jun 16 10:49:16 EDT 2011


On Thu, 2011-06-16 at 06:56 -0700, Russ Allbery wrote:
> 
> The result of a Kerberos authentication is a Kerberos
> ticket-granting-ticket, which has a lifetime and a renewable lifetime.  As
> long as you do so within the lifetime window, you can perform another
> authentication to the KDC using the ticket-granting-ticket, 

For example:

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 10:47:56  06/16/11 20:48:00  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 06/23/11 10:47:56
$ kinit -R # Look ma! No password!
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 15:39:39  06/17/11 01:39:43  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 06/23/11 10:47:56

> So it's generally superior to storing the user's password in memory in
> every respect except when the user intentionally wants to not follow
> site policy as expressed in the renewable ticket lifetime.
> (Unfortunately, that last case is common, in part because a lot of
> sites don't realize they *have* set a policy.)

AFAICT most Windows sites *don't* set a policy. They just use the
standard Windows default of 10-hour/10-day tickets — because it doesn't
really make any significant difference to Windows clients, does it?

I only boot a Windows virtual machine occasionally these days, so I
don't remember the last time I had it running for more than 10 days at a
time. But I'm fairly sure it didn't ask for the password again after
that time was up. And I'm fairly sure it didn't demand to be connected
to the corporate network at least once every ten hours, so that it could
prevent its ticket from expiring. It just gets a new one when it needs
to.

Windows clients certainly don't force their users to think "oh, I'm
about to do something that's going to need to authenticate to the
network, so I'd best run kinit first". It "just works" there, obtaining
a new TGT when necessary and asking the user for their password only
when it doesn't actually match the one they logged in with.

-- 
dwmw2
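To make the "just works" behaviour discussed in this thread concrete (renew the TGT with `kinit -R` while it is still valid and inside its renewable lifetime, and only fall back to a fresh `kinit` when renewal is no longer possible), here is an added example that is not part of the thread or of any Kerberos implementation. It parses the `klist` output format shown above and returns the action a client should take; the sample output, the five-minute safety margin and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the klist format shown in the post (archive's " at " restored to "@").
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 10:47:56  06/16/11 20:48:00  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
\trenew until 06/23/11 10:47:56
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"              # timestamp shape in this klist output
TGT_LINE = re.compile(rf"^({STAMP})\s+({STAMP})\s+krbtgt/\S+$")
RENEW_LINE = re.compile(rf"^\s+renew until ({STAMP})\s*$")

def ts(s):
    """Parse a klist timestamp such as '06/16/11 20:48:00'."""
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

def parse_tgt(klist_output):
    """(expires, renew_until) of the TGT entry, renew_until None if not renewable; None if no TGT."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TGT_LINE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        r = RENEW_LINE.match(nxt)           # the indented "renew until" line, if present
        return ts(m.group(2)), ts(r.group(1)) if r else None
    return None

def tgt_action(klist_output, now, margin=timedelta(minutes=5)):
    """'ok'    - TGT valid beyond the margin, nothing to do.
    'renew' - TGT near expiry but still valid and inside its renewable lifetime: kinit -R, no password.
    'kinit' - no TGT, TGT already expired (an expired TGT cannot be renewed), or renewable
              lifetime exhausted: fresh credentials are required."""
    parsed = parse_tgt(klist_output)
    if parsed is None:
        return "kinit"
    expires, renew_until = parsed
    if now >= expires:
        return "kinit"
    if now + margin < expires:
        return "ok"
    if renew_until is not None and now + margin < renew_until:
        return "renew"
    return "kinit"
```

Run `tgt_action` periodically (for example from a timer well inside the ticket lifetime) and the renewal happens before expiry, which is exactly the window Russ describes: once the TGT has expired, `kinit -R` no longer helps.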
