[1005] in Kerberos
Re: Why is initial user authentication done the way it is?
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Thu Jun 14 22:04:07 1990
Date: Thu, 14 Jun 90 21:26:25 -0400
From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: jik@PIT-MANAGER.MIT.EDU ("Jonathan I. Kamens")
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: jik@PIT-MANAGER.MIT.EDU's message of 14 Jun 90 23:37:48 GMT

Jon claims in his revised protocol that:

    there is no way to get an encrypted ticket to bang on without
    first proving to the server that you are who you claim to be.

Sure there is. All I have to do is get a valid TGT, and then ask the
KDC for a ticket to jik@ATHENA.MIT.EDU. The response will include a
"ticket to jik", which will contain my name (and other things)
encrypted in your key. I can then bang on the ticket all I want in
the privacy of my own CPU.

Remember that in Kerberos there is no difference between users and
servers.

- Bill
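
The exchange described in the message above, as an added example that is not part of the original post or of any Kerberos implementation. It assumes a toy KDC (`ToyKDC`), a toy HMAC-based cipher, and constructed principals and passwords; it shows that a ticket sealed under another principal's password-derived key lets its holder check a candidate key locally, without contacting the KDC.

```python
import hashlib, hmac, os

def string_to_key(password, principal):
    # Toy stand-in for Kerberos string-to-key: a long-term key derived from a password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def _xor(key, nonce, data):
    stream = b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, plaintext):
    # Toy authenticated encryption (HMAC keystream + HMAC tag); not real Kerberos crypto.
    nonce = os.urandom(16)
    body = _xor(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key, blob):
    # Returns the plaintext, or None when `key` is not the key the blob was sealed under.
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        return None
    return _xor(key, nonce, body)

class ToyKDC:
    def __init__(self, passwords):
        self.keys = {p: string_to_key(pw, p) for p, pw in passwords.items()}
        self.tgs_key = os.urandom(32)

    def as_exchange(self, client, client_key):
        # Stand-in for "prove who you are first": the caller must hold the client's key.
        if not hmac.compare_digest(client_key, self.keys[client]):
            raise PermissionError("initial authentication failed")
        return seal(self.tgs_key, client.encode())  # the TGT

    def tgs_exchange(self, tgt, target):
        client = unseal(self.tgs_key, tgt)
        if client is None:
            raise PermissionError("bad TGT")
        # The ticket names the requester and is sealed under the target's long-term key.
        return seal(self.keys[target], b"client=" + client)

def demo():
    # Constructed principals and passwords.
    kdc = ToyKDC({"alice@EXAMPLE.TEST": "pw-alice", "bob@EXAMPLE.TEST": "pw-bob"})
    tgt = kdc.as_exchange("alice@EXAMPLE.TEST", string_to_key("pw-alice", "alice@EXAMPLE.TEST"))
    ticket = kdc.tgs_exchange(tgt, "bob@EXAMPLE.TEST")
    # alice never proved she is bob, yet the ticket accepts or rejects a candidate key locally.
    return [unseal(string_to_key(pw, "bob@EXAMPLE.TEST"), ticket) for pw in ("wrong", "pw-bob")]
```

Requiring proof of identity in the initial exchange changes nothing here, because the ticket-granting step seals its reply under whatever long-term key the target principal has.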