[24103] in Kerberos


Re: Offline password attacks on AS-REQ

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Jun 16 18:42:48 2005

From: Jeffrey Altman <jaltman2@nyc.rr.com>
Message-ID: <GZmse.10061$jU5.2642150@twister.nyc.rr.com>
Date: Thu, 16 Jun 2005 22:23:34 GMT
To: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

brian.joh@comcast.net wrote:

> Tunneling sounds like the best option.
> 
> We have over 500 Windows 2000 and Windows 2003 domain
> controllers (KDCs in Active Directory), that we don't want to have
> to modify or install new software on.  These domain controllers
> (KDCs) do have SSL properly configured, so I suppose, we could
> tunnel the AS-REQ and AS-REP inside of SSL.  I'll try this unless
> anyone knows of a better way, keeping in mind no major changes
> can be made to these Domain Controllers.
> 
> Thanks!
> 

I'm not sure how you would force all AS-REQ and AS-REP across an
SSL tunnel.  If you are this concerned, you should probably require
IPSec when talking to your Domain controllers.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
