[6203] in Kerberos

Re: K4 Protections against password attacks?

daemon@ATHENA.MIT.EDU (Jonathan Kamens)
Fri Nov 10 05:13:05 1995

To: kerberos@MIT.EDU
Date: 10 Nov 1995 09:54:36 GMT
From: jik@jik.datasrv.co.il (Jonathan Kamens)

In article <47uj0v$d5n@agate.berkeley.edu>, mikef@ack.berkeley.edu (Mike Friedman) writes:
|> We're running Cygnus K4.  We'd like a way for the KDC to (try to) detect
|> password-guessing attacks.  In particular:  large numbers of TGT requests
|> at very short intervals for the same principal and from the same host.

That won't do you any good, because an attacker doesn't *need* to make "large
numbers of TGT requests at very short intervals for the same principal" in
order to attack that principal's password.

All the attacker has to do is slightly modify kinit and the krb4 libraries to
come up with a modified kinit client which tries to decrypt the same TGT over
and over again with different passwords, until one of them works.  In fact,
one of my coworkers has a program which does this, and I'm sure that other
people have done it as well.  Preventing this type of attack is one of the
primary purposes of the pre-authentication functionality in Kerberos 5.

|> Also, what about the KDC enforcing password standards (also configurable)?

I believe the last MIT V4 release has hooks for this.  I forget whether it
does just dictionary checks or actually does password quality checks as well,
but even if it just does a dictionary check, you could find the place where it
does that and graft in other quality checks as well.

Switch to V5.  You'll be glad you did :-).
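As an added illustration (not part of the original thread), here is a toy Python model of the point made above: without pre-authentication the KDC sees a single request no matter how many passwords are then tried offline against the reply, so counting requests detects nothing, while with a pre-authentication check every guess has to pass through the KDC, where it can be counted and rejected. The sha256 key derivation, the HMAC "sealing" and the principal and password values are constructed stand-ins, not Kerberos code.

```python
import hashlib
import hmac

# Constructed toy model of the Kerberos AS exchange (not real Kerberos code).
# sha256 stands in for the string-to-key function; an HMAC tag stands in for
# the check that tells a client whether a decryption attempt "worked".
TAG_LEN = 32

def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    return plaintext + hmac.new(key, plaintext, "sha256").digest()

def unseal(key: bytes, sealed: bytes):
    """Return the plaintext if the key checks out, else None."""
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    ok = hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag)
    return body if ok else None

class ToyKDC:
    def __init__(self, principals: dict, require_preauth: bool):
        self.keys = {p: derive_key(pw) for p, pw in principals.items()}
        self.require_preauth = require_preauth
        self.requests = 0   # all a KDC-side rate limiter can count
        self.failures = 0   # rejected pre-auth; only exists when pre-auth is on

    def as_request(self, principal: str, preauth=None):
        self.requests += 1
        key = self.keys[principal]
        if self.require_preauth:
            # PA-ENC-TIMESTAMP style: caller must prove key knowledge first.
            if preauth is None or unseal(key, preauth) is None:
                self.failures += 1
                return None
        # K4 behaviour: hand out the reply encrypted under the user's key.
        return seal(key, b"session-key|TGT")

def kdc_visible_attempts(kdc: ToyKDC, principal: str, guesses: list) -> dict:
    """How much of a guessing run the KDC can observe in each mode."""
    if not kdc.require_preauth:
        reply = kdc.as_request(principal)        # one ordinary-looking request
        hit = next((g for g in guesses if unseal(derive_key(g), reply)), None)
    else:
        hit = None
        for g in guesses:                        # every guess is a KDC round trip
            if kdc.as_request(principal, seal(derive_key(g), b"timestamp")):
                hit = g
                break
    return {"requests": kdc.requests, "failures": kdc.failures, "found": hit}
```

With the same three-word guess list, the K4-style KDC records one request and zero failures, while the pre-auth KDC records three requests and two failures, which is the signal a lockout or alerting rule needs.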