[1390] in Kerberos
Re: Verifying passwords without getting new tickets
daemon@ATHENA.MIT.EDU (Chris Riddick)
Fri May 17 08:13:51 1991
From: Chris Riddick <cjr@simpact.COM>
To: kctreima@eos.ncsu.edu
Cc: cjr@simpact.COM, kerberos@ATHENA.MIT.EDU
Date: Fri, 17 May 91 7:30:53 EDT
You asked if there was a way for Kerberos to be used to authenticate a
principal without getting a new TGT.
First, I'm not sure why you want to do that. The purpose of Kerberos is to
provide that authentication for you. If you are asking the principal to
authenticate himself, then you really need to go through the TGT protocol
again.
Second, the point of the TGT is that it is to be used for future service
ticket requests instead of having to reauthenticate with your password each
time you want another ticket. The benefits are twofold: exposure of your
password is minimized and the user need only log in to the Kerberos server once
during the lifetime of the TGT.
If what you are really trying to do is to provide a periodic verification of
the identity of the user at the workstation, then you really should limit the
lifetime of the TGT to that of the authentication period and force the user
to get a new TGT.
The password is an integral part of the Kerberos authentication protocol.
It is used to decrypt the packet with the TGT returned by the Kerberos
server. The protocol is set up to remove the need to send the password over
the wire. Not even an encrypted password goes over the wire. Rather, a
complete encrypted message is sent. This removes the threat of dictionary
attacks against the password itself.
Chris Riddick
Chris Riddick
UUNET: uunet!nss1!cjr
Internet: nss1!cjr@UUNET.UU.NET
USSnail: Simpact Associates, Inc.
12007 Sunrise Valley Drive
Reston, Virginia 22091
Phone: 703-758-0190 x2156
FAX: 703-758-0941
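The exchange described in the message above, as an added example that is not part of the original post or of any Kerberos implementation: the client sends only its principal name, the KDC returns a reply sealed under the key derived from the user's password, and the reply carries a TGT that is itself sealed under the TGS key the client never holds. It also shows the point about TGT lifetime: a short lifetime forces the user back through the AS exchange. The realm and principal names are constructed, PBKDF2 stands in for the Kerberos string-to-key function, an HMAC-based encrypt-then-MAC stands in for the real encryption types, and the real protocol's timestamps, nonces, addresses and pre-authentication data are left out.

```python
"""Toy model of the Kerberos AS (initial ticket) exchange. Constructed example."""
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (PBKDF2 is not what Kerberos uses)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, dklen=32)


def _subkeys(key: bytes):
    # Separate encryption and integrity keys derived from one long-term key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real Kerberos enctype.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError when the key is wrong."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KDC:
    """Minimal authentication server holding the principal database and the TGS key."""

    def __init__(self, realm: str):
        self.realm = realm
        self.tgs_key = os.urandom(32)   # key of krbtgt/REALM; never leaves the KDC
        self.principals = {}            # name -> (salt, long-term key)

    def register(self, name: str, password: str) -> None:
        salt = self.realm + name        # default Kerberos salt: realm followed by principal name
        self.principals[name] = (salt, string_to_key(password, salt))

    def as_exchange(self, as_req: bytes, lifetime: int = 8 * 3600) -> bytes:
        """Handle an AS-REQ (here just the principal name) and return the sealed AS-REP."""
        name = as_req.decode()
        _salt, client_key = self.principals[name]
        session_key = os.urandom(32)
        expires = int(time.time()) + lifetime
        # The TGT is sealed under the TGS key: the client carries it but cannot read it.
        tgt = seal(self.tgs_key, json.dumps(
            {"cname": name, "skey": session_key.hex(), "exp": expires}).encode())
        reply = {"skey": session_key.hex(), "exp": expires, "tgt": tgt.hex()}
        # The whole reply is sealed under the password-derived key; the password itself
        # is never sent, only a message that the password holder can open.
        return seal(client_key, json.dumps(reply).encode())

    def tgs_open_tgt(self, tgt: bytes) -> dict:
        """What the ticket-granting service sees when it opens a presented TGT."""
        return json.loads(unseal(self.tgs_key, tgt))


def client_login(kdc: KDC, name: str, password: str, lifetime: int = 8 * 3600):
    """Client side of the AS exchange; returns credentials or None if the password is wrong."""
    as_req = name.encode()                              # nothing password-derived leaves the client
    as_rep = kdc.as_exchange(as_req, lifetime)
    key = string_to_key(password, kdc.realm + name)
    try:
        reply = json.loads(unseal(key, as_rep))
    except ValueError:
        return None                                     # wrong password: the reply does not open
    return {"session_key": bytes.fromhex(reply["skey"]),
            "tgt": bytes.fromhex(reply["tgt"]),
            "expires": reply["exp"],
            "wire": (as_req, as_rep)}                   # kept so the demo can inspect the wire


def tgt_valid(creds: dict, now=None) -> bool:
    """A TGT past its lifetime sends the user back through the AS exchange."""
    now = int(time.time()) if now is None else now
    return now < creds["expires"]


def password_on_wire(creds: dict, password: str) -> bool:
    """True if the raw password bytes appear in either message that crossed the wire."""
    return any(password.encode() in msg for msg in creds["wire"])


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.REALM")                          # constructed realm and principal
    kdc.register("alice", "correct horse")
    creds = client_login(kdc, "alice", "correct horse")
    print("login ok:", creds is not None, "TGT valid:", tgt_valid(creds))
    print("wrong password:", client_login(kdc, "alice", "wrong"))
    print("password on wire:", password_on_wire(creds, "correct horse"))
```

The `lifetime` argument is where the advice in the message lives: if the site wants the user re-verified every hour, issue TGTs with a one-hour lifetime and `tgt_valid` turns false, so the next request goes back through `client_login` rather than through any separate password check.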