[3667] in Kerberos
Re: S/KEY integrated with Kerberos?
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Mon Aug 8 13:35:20 1994
To: hendrick@ctron.com
Cc: bcn@isi.edu, kerberos@MIT.EDU
In-Reply-To: Your message of "Mon, 8 Aug 1994 12:32:19 -0400"
Date: Mon, 08 Aug 1994 13:24:24 -0400
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
> P. S. Has anyone thought about how to keep the sequence numbers in-sync across
> multiple KDCs ??
Short answer: use the S/Key "seed" with a different seed for each KDC
replica. (This sort of punts the whole question, but it avoids
needing to update state in real time, since you don't want to actually
issue the new ticket to the user until the S/Key database has been
updated, to avoid obvious replay attacks.)
This does require that:
a) you register with all replicas (or at least a significant
subset of them), but this can be handled in the front-end program
you'd need anyway.
b) the set of KDC replicas is fairly static.
but I don't see either of these as a serious constraint.
- Bill
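The scheme sketched in the message above, worked through as an added example (this is not code from the original post or from any Kerberos implementation): each KDC replica holds its own S/Key chain, anchored on a replica-specific seed, so the replicas never have to synchronise sequence numbers, and a replica commits its S/Key database update before it issues the ticket, so a replayed OTP is rejected. SHA-256 stands in for the MD4-based 64-bit hash of RFC 1760, and the principal, replica names, seeds and passphrase are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def skey_hash(data: bytes) -> bytes:
    # Assumption: SHA-256 in place of the MD4 / 64-bit fold used by RFC 1760 S/Key.
    return hashlib.sha256(data).digest()


def otp_at(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: H^n(seed || passphrase).

    The chain is anchored on the seed, so the same passphrase gives an
    unrelated chain for every replica that uses a different seed."""
    h = skey_hash((seed + passphrase).encode())
    for _ in range(n):
        h = skey_hash(h)
    return h


@dataclass
class KdcReplica:
    name: str
    seed: str
    last_otp: bytes   # most recently accepted chain element (H^count)
    count: int        # chain index of last_otp; decremented on each success

    def challenge(self):
        """What the client needs in order to compute the next OTP."""
        return self.count - 1, self.seed

    def verify_and_commit(self, otp: bytes) -> bool:
        """S/Key check: H(otp) must equal the last accepted element.
        On success the database is updated before anything else happens."""
        if self.count <= 0:
            return False
        if skey_hash(otp) != self.last_otp:
            return False
        self.last_otp = otp
        self.count -= 1
        return True

    def issue_ticket(self, principal: str, otp: bytes) -> Optional[str]:
        # The S/Key database update is committed first; only then is the
        # ticket released, so a replay of the same OTP can no longer succeed.
        if not self.verify_and_commit(otp):
            return None
        return f"TGT(principal={principal}, kdc={self.name}, seq={self.count})"


def register(passphrase: str, seeds: dict, n: int) -> dict:
    """Front-end program: enrol the user with every replica, each with its own seed."""
    return {name: KdcReplica(name, seed, otp_at(passphrase, seed, n), n)
            for name, seed in seeds.items()}


def demo() -> dict:
    passphrase = "correct horse battery staple"        # constructed sample value
    seeds = {"kdc1": "kd7419", "kdc2": "kd8831"}       # constructed per-replica seeds
    replicas = register(passphrase, seeds, n=100)
    a, b = replicas["kdc1"], replicas["kdc2"]

    # Normal login at replica A.
    n_a, seed_a = a.challenge()
    otp_a = otp_at(passphrase, seed_a, n_a)
    first = a.issue_ticket("alice", otp_a)

    # Replay of the same OTP at A: database already advanced, so it fails.
    replay = a.issue_ticket("alice", otp_a)

    # The OTP captured at A is useless at B, whose chain hangs off another seed.
    cross = b.issue_ticket("alice", otp_a)

    # B still works on its own chain and its own counter, untouched by A.
    n_b, seed_b = b.challenge()
    fresh_b = b.issue_ticket("alice", otp_at(passphrase, seed_b, n_b))

    return {
        "first": first is not None,
        "replay": replay is not None,
        "cross": cross is not None,
        "fresh_b": fresh_b is not None,
        "count_a": a.count,
        "count_b": b.count,
    }


if __name__ == "__main__":
    print(demo())
```

Note that `demo()` never copies state between `kdc1` and `kdc2`: the only thing the replicas share is the enrolment step in `register`, which is the "front-end program" the message refers to, and that is also the step that becomes awkward if the set of replicas is not fairly static.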