[36205] in Kerberos
Re: Regarding long term TGT
daemon@ATHENA.MIT.EDU (Brandon Allbery)
Fri Jun 13 09:56:08 2014
From: Brandon Allbery <ballbery@sinenomine.net>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 13 Jun 2014 13:55:53 +0000
Message-ID: <1402667753.36864.5.camel@vikktakkht.oh3.sinenomine.net>
In-Reply-To: <CACtQqm9P_m85QS2yWMEMGs=2SPZ42Vb7HHGrWxesPXLfFJRNhg@mail.gmail.com>
Content-Language: en-US
Content-ID: <63C479EE7DFC784B9E6DF10AF8669228@mex05.mlsrvr.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, 2014-06-13 at 17:21 +0530, Manish Gupta wrote:
> The Kerberos implementation on my platform takes care of secure storage of
> the Kerberos credential cache. It is protected from any unauthorized access.
>
> In this case is there any harm in using long term TGT, like TGT valid for a
> month?
>
> I cannot understand how it can be exploited if TGT is long term.
There's at least one case you're not thinking of. That case is when
*your own* access is not authorized: your account was disabled for
whatever reason. Your tickets will continue to work in that case until
they expire.
A practical application of this would be a guest account, where the user
continues to have access over e.g. wifi after their account is disabled,
and as long as their current TGT is valid they continue to be able to
use it. (In fact, I believe there is currently a bit of a hole here.)
--
brandon s allbery kf8nh sine nomine associates
allbery.b@gmail.com ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
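The exposure Brandon describes can be made concrete with a small audit script. The following Python is an added example, not code from this thread or from MIT Kerberos: it parses a constructed listing in the shape of `klist` output, flags tickets whose lifetime exceeds a site policy, and computes how long each ticket remains usable after the account is disabled at a given time. The timestamp layout (`TS_FORMAT`), the sample principals and the 10-hour policy are assumptions; real `klist` output varies by version and locale.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of an MIT `klist` listing (not real output).
# The timestamp layout is an assumption: klist's format varies with version
# and locale, so TS_FORMAT may need adjusting for a real cache listing.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgupta@EXAMPLE.COM

Valid starting       Expires              Service principal
06/13/2014 09:56:08  07/13/2014 09:56:08  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 07/13/2014 09:56:08
06/13/2014 09:57:30  06/13/2014 19:57:30  host/fileserver.example.com@EXAMPLE.COM
"""

TS_FORMAT = "%m/%d/%Y %H:%M:%S"
_TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$")


def parse_klist(text):
    """Return [(service_principal, valid_from, expires)] for each ticket line."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:  # header, blank and "renew until" lines do not match
            start = datetime.strptime(m.group(1), TS_FORMAT)
            end = datetime.strptime(m.group(2), TS_FORMAT)
            tickets.append((m.group(3), start, end))
    return tickets


def over_long(tickets, max_life=timedelta(hours=10)):
    """Service principals whose ticket lifetime exceeds the site policy maximum."""
    return [svc for svc, start, end in tickets if end - start > max_life]


def usable_after_disable(tickets, disabled_at):
    """How long each ticket stays usable once the account is disabled.

    Models the point made in the thread: a ticket already issued keeps
    working until its end time, so disabling the principal does not cut it
    off. `disabled_at` is a datetime or a string in TS_FORMAT. Returns
    {service_principal: remaining timedelta}, zero if already expired.
    """
    if isinstance(disabled_at, str):
        disabled_at = datetime.strptime(disabled_at, TS_FORMAT)
    remaining = {}
    for svc, _start, end in tickets:
        remaining[svc] = max(end - disabled_at, timedelta(0))
    return remaining


if __name__ == "__main__":
    tix = parse_klist(SAMPLE_KLIST)
    print("over policy:", over_long(tix))
    disabled = "06/13/2014 12:00:00"
    for svc, left in usable_after_disable(tix, disabled).items():
        print(f"{svc}: still usable for {left} after disable at {disabled}")
```

With the constructed listing, the month-long TGT is flagged and remains usable for almost 30 days after a noon disable, while the 10-hour service ticket is usable for under 8 hours. The ticket lifetime is the only bound the thread identifies, so a short `max_life` is what limits the window; whether a renewal or service-ticket request is refused for a disabled principal is a KDC implementation question that the thread leaves open.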
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos