[16890] in Kerberos_V5_Development


Re: Obtaining a TGT without unrestricted access to password.

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jun 16 09:58:48 2011

From: Russ Allbery <rra@stanford.edu>
To: David Woodhouse <dwmw2@infradead.org>
In-Reply-To: <1308211159.3450.205.camel@i7.infradead.org> (David Woodhouse's
	message of "Thu, 16 Jun 2011 08:59:18 +0100")
Date: Thu, 16 Jun 2011 06:58:43 -0700
Message-ID: <87wrglzxm4.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: Guido Günther <agx@sigxcpu.org>, stefw@collabora.co.uk,
   krbdev@mit.edu, gnome-keyring-list@gnome.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

David Woodhouse <dwmw2@infradead.org> writes:

> Renewable tickets are all very well, but they're typically only
> renewable for ten days or so. And they also need to be renewed every ten
> hours, which isn't always possible on a sporadically-connected device. A
> laptop or tablet might be turned off, or outside the corporate network,
> for longer than that period of time every night.

Both of these are local site policy decisions that are easily changed by
the KDC administrator.  Rather than working around site policy by
intentionally bypassing it in user software, it would probably be better
to actually make the site policy match what it should be....

> Thanks. Stef asked the follow-up question that occurs to me: Is that
> *really* equivalent, in that I can reverse it and then learn the
> password and type it into other things?

> Or just 'password-equivalent' in that you can always obtain a TGT for
> the given principal with it, and not even for the same user in any
> *other* Kerberos realms?

Ah, yes, it's password-equivalent in that it can be used to obtain a TGT
for the given principal with it, but I think the current string2key
functions for all the crypto algorithms you actually want to use involve
the realm in the hash.  Although I actually don't remember off-hand and
could well be wrong, so someone else on krbdev should correct me.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
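As an added illustration of the point Russ makes above (not part of the thread), this computes the PBKDF2 stage of the RFC 3962 AES string-to-key function with the default Kerberos salt, which is the realm name followed by the principal name components. The example stops at the PBKDF2 output ("tkey"); the final DK(tkey, "kerberos") step is omitted because it does not change the conclusion. The realm names EXAMPLE.COM and EXAMPLE.ORG are constructed; the RFC 3962 Appendix B test vector for ATHENA.MIT.EDU / raeburn is used as a check.

```python
import hashlib

# RFC 3962 section 4 / RFC 4120 section 4: when the KDC does not specify a
# salt, the default salt is the realm name concatenated with the principal
# name components, with no separators (e.g. "ATHENA.MIT.EDUraeburn").
def kerberos_default_salt(realm: str, principal: str) -> str:
    components = principal.split("/")          # "host/www.example.com" -> ["host", "www.example.com"]
    return realm + "".join(components)


# PBKDF2 stage of the AES string-to-key function from RFC 3962 section 4.
# The output is the intermediate key "tkey"; the real protocol key is
# DK(tkey, "kerberos"), a further AES-based derivation not shown here.
def aes_string_to_key_pbkdf2(password: str, realm: str, principal: str,
                             iterations: int = 4096, key_len: int = 32) -> bytes:
    salt = kerberos_default_salt(realm, principal)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


# Same password, same principal name, two realms: because the realm is part
# of the salt, the resulting keys are unrelated. A stored key for one realm
# is therefore password-equivalent only for that principal in that realm.
def keys_differ_across_realms(password: str, principal: str,
                              realm_a: str, realm_b: str) -> bool:
    key_a = aes_string_to_key_pbkdf2(password, realm_a, principal)
    key_b = aes_string_to_key_pbkdf2(password, realm_b, principal)
    return key_a != key_b


if __name__ == "__main__":
    # RFC 3962 Appendix B, iteration count 1, 128-bit output:
    # cdedb5281bb2f801565a1122b2563515
    tkey = aes_string_to_key_pbkdf2("password", "ATHENA.MIT.EDU", "raeburn",
                                    iterations=1, key_len=16)
    print("RFC 3962 vector:", tkey.hex())
    # Constructed realms to show the realm-dependence of the derived key.
    print("Keys differ across realms:",
          keys_differ_across_realms("password", "jdoe", "EXAMPLE.COM", "EXAMPLE.ORG"))
```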
