[7184] in Kerberos
Re: rkinit
daemon@ATHENA.MIT.EDU (Derrick J. Brashear)
Wed May 1 19:39:50 1996
To: kerberos@MIT.EDU
Date: Wed, 1 May 1996 18:13:39 -0400
From: "Derrick J. Brashear" <shadow+@andrew.cmu.edu>
Excerpts from netnews.comp.protocols.kerberos: 1-May-96 Re: rkinit by
Roland Schemers@leland.S
> That is correct. The AFS KDC does not check the IP address in the TGT, so
> it is possible to forward them. Some people might consider this a bug
> or a security hole, I'd call it a feature ;-)
Indeed; we have a telnet and an ftp implementation which take advantage
of this to pass authentication (over an encrypted connection, of course).
-D