[5470] in Kerberos
Re: check passwords
daemon@ATHENA.MIT.EDU (Mark W. Eichin)
Thu Jul 6 18:08:45 1995
Date: Thu, 6 Jul 95 17:52:27 -0400
From: "Mark W. Eichin" <eichin@cygnus.com>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: hfalken@x4u2.desy.de (Harald Falkenberg), kerberos@MIT.EDU
In-Reply-To: "[5450] in Kerberos"

> Assuming that your situation actually requires verification of
> the Kerberos password, why not just set KRBTKFILE to some dummy file,
> run kinit, check the exit status, then kdestroy the file? Be sure to

While that is better than some other approaches, it doesn't actually
verify the password. The attack is simple: spray the machine with tgt
responses encrypted in the key that the user is going to type. kinit
succeeds... since it doesn't try (and fail) to *use* the authenticator.

_Mark_ <eichin@cygnus.com>
Cygnus Support
Cygnus Network Security <network-security@cygnus.com>
http://www.cygnus.com/data/cns/
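The point in the reply above, as an added example that is not part of the thread: a small Python model of the AS/TGS exchange in which the "check the kinit exit status" approach is fooled by a KDC that answers with replies encrypted in a password the attacker chose, while a checker that goes on to use the TGT to fetch a ticket for the host's own principal and verifies it against the keytab key is not (the idea behind MIT krb5's krb5_verify_init_creds). The cipher is a toy built from hashlib/hmac, not Kerberos encryption, and the principal names, passwords and keytab key are constructed for the demo.

```python
"""Added example, not from the mailing-list thread. Toy model only: the cipher is
SHA-256 keystream + HMAC (not Kerberos crypto); names and keys are constructed."""
import hashlib
import hmac
import json
import os

HOST = "host/login.example.test"                                # constructed host principal
HOST_KEY = hashlib.sha256(b"constructed keytab key").digest()   # what the host's keytab holds


def string_to_key(password: str, principal: str) -> bytes:
    """Toy stand-in for Kerberos string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def encrypt(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (one key for keystream and tag; demo only)."""
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Return the message dict, or None if the tag does not verify under this key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Honest KDC: holds every principal's key, including the host's keytab key."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.tgs_key = os.urandom(32)

    def as_exchange(self, client: str) -> bytes:
        session = os.urandom(32)
        tgt = encrypt(self.tgs_key, {"client": client, "session": session.hex()})
        return encrypt(self.keys[client], {"session": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str):
        tgt = decrypt(self.tgs_key, tgt_blob)
        if tgt is None:
            return None
        session = bytes.fromhex(tgt["session"])
        auth = decrypt(session, authenticator)
        if auth is None or auth["client"] != tgt["client"]:
            return None
        svc_session = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": tgt["client"], "session": svc_session.hex()})
        return encrypt(session, {"ticket": ticket.hex(), "session": svc_session.hex()})


class SprayingKDC(KDC):
    """The attack in the mail: every AS-REP is encrypted in the key of a password the
    attacker chose. It cannot know the host's real keytab key, so it makes one up."""

    def __init__(self, chosen_password: str):
        super().__init__({})
        self.chosen_password = chosen_password

    def as_exchange(self, client: str) -> bytes:
        self.keys[client] = string_to_key(self.chosen_password, client)
        return super().as_exchange(client)

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str):
        self.keys.setdefault(service, os.urandom(32))   # guessed host key, not HOST_KEY
        return super().tgs_exchange(tgt_blob, authenticator, service)


def kinit_only_check(kdc: KDC, user: str, password: str) -> bool:
    """What 'run kinit and look at the exit status' amounts to: AS-REP decrypts, done."""
    return decrypt(string_to_key(password, user), kdc.as_exchange(user)) is not None


def verified_check(kdc: KDC, user: str, password: str, keytab_key: bytes = HOST_KEY) -> bool:
    """kinit, then actually use the TGT: fetch a ticket for our own host principal and
    require that it decrypts under the key in our keytab."""
    key = string_to_key(password, user)
    rep = decrypt(key, kdc.as_exchange(user))
    if rep is None:
        return False
    session = bytes.fromhex(rep["session"])
    blob = kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), encrypt(session, {"client": user}), HOST)
    tgs_rep = decrypt(session, blob) if blob else None
    if tgs_rep is None:
        return False
    ticket = decrypt(keytab_key, bytes.fromhex(tgs_rep["ticket"]))
    return ticket is not None and ticket["client"] == user


def demo() -> dict:
    """Each value is (kinit_only_check result, verified_check result)."""
    honest = KDC({"alice": string_to_key("correct horse", "alice"), HOST: HOST_KEY})
    sprayed = SprayingKDC("letmein")
    return {
        "honest_right_pw": (kinit_only_check(honest, "alice", "correct horse"),
                            verified_check(honest, "alice", "correct horse")),
        "honest_wrong_pw": (kinit_only_check(honest, "alice", "wrong"),
                            verified_check(honest, "alice", "wrong")),
        "sprayed_attacker_pw": (kinit_only_check(sprayed, "alice", "letmein"),
                                verified_check(sprayed, "alice", "letmein")),
    }


if __name__ == "__main__":
    for case, (kinit_ok, verified_ok) in demo().items():
        print(f"{case:20s} kinit-only={kinit_ok!s:5s} verified={verified_ok}")
```

The third case is the one the reply describes: the sprayed reply decrypts under the password the attacker chose, so the kinit-only checker accepts it, but the forger has no way to produce a host ticket that decrypts under HOST_KEY, so the verified checker rejects it. The same extra round trip is also what makes a password checker fail closed when the host has no keytab, which is why real implementations make that condition an explicit error rather than silently skipping the step.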