[16896] in Kerberos_V5_Development
Re: Obtaining a TGT without unrestricted access to password.
daemon@ATHENA.MIT.EDU (Luke Howard)
Thu Jun 16 11:20:15 2011
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <1308237019.3182.98.camel@willson.li.ssimo.org>
Date: Thu, 16 Jun 2011 15:19:49 +0000
Message-Id: <48AD9A71-7467-40DF-BA51-E824CB23729A@padl.com>
To: Simo Sorce <simo@redhat.com>
Cc: Russ Allbery <rra@stanford.edu>, guido@pch.MIT.EDU,
Günther <agx@sigxcpu.org>,
David Woodhouse <dwmw2@infradead.org>, gnome-keyring-list@gnome.org,
krbdev@mit.edu, Stef Walter <stefw@collabora.co.uk>
AFAIK Windows caches the MD4 hash for NTLM, so it can always get rc4-hmac creds -- whether it does this I don't know.
-- Luke
On 16/06/2011, at 3:10 PM, Simo Sorce wrote:
> On Thu, 2011-06-16 at 15:49 +0100, David Woodhouse wrote:
>> AFAICT most Windows sites *don't* set a policy. They just use the
>> standard Windows default of 10-hour/10-day tickets — because it doesn't
>> really make any significant difference to Windows clients, does it?
>
> They don't really need to because they can obtain a new ticket from
> scratch every time you unlock the screensaver (to which you give your
> password), which is what we do with sssd as well as the password goes
> down the pipe through pam.
>
> So the case where a 10h/10d policy is not enough is extremely rare.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
--
Luke Howard / lukeh@padl.com
www.padl.com / www.lukehoward.com
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev