[24562] in Kerberos

home help back first fref pref prev next nref lref last post

Re: KDC failover

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Wed Aug 31 00:14:05 2005

Date: Wed, 31 Aug 2005 00:13:10 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Jeff Aitken <jaitken@aitken.com>, kerberos@mit.edu
Message-ID: <400F12D35BD4013050795CB8@bistromath.pc.cs.cmu.edu>
In-Reply-To: <20050831035916.GA67503@eagle.aitken.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Errors-To: kerberos-bounces@mit.edu



On Tuesday, August 30, 2005 23:59:16 -0400 Jeff Aitken <jaitken@aitken.com> 
wrote:

> Assuming I've got that part right, here's the part that's got me
> confused.  In step #2, the AS generates a session key that will be
> used by the client during all future communication with the TGS;
> i.e., this is the key with which the client will encrypt future
> service ticket requests.  However, if the KDC that granted the TGT
> to the client fails, and the client sends a service ticket request
> to a different KDC, how does that second KDC validate the client?
> Unless I'm missing something, the second KDC doesn't have a copy of
> the session key that the client uses to encrypt the request, so he
> shouldn't be able to decrypt it successfully.

The TGT is just like any other ticket; it contains information encrypted in 
the service's secret key, including a session key.  The TGS, then, is a 
single service potentially distributed over multiple machines (KDC's). 
Each machine providing that service has a copy of the service key, and thus 
can decrypt the ticket, which is provided by the client with every request.

Except for a short-lived replay cache, the KDC itself is essentially 
stateless.  It doesn't remember anything about tickets it has issued.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post