[248] in Kerberos
Re: get_ad_tkt
daemon@TELECOM.MIT.EDU (raeburn@ATHENA.MIT.EDU)
Sun Nov 1 23:58:53 1987
From: raeburn@ATHENA.MIT.EDU
To: Saltzer@ATHENA.MIT.EDU
Cc: tytso@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU
In-Reply-To: Jerome H. Saltzer's message of Sun, 1 Nov 87 23:29:10 EST <8711020429.AA23405@HERACLES.MIT.EDU>

One thing Ted mentioned which you missed is that the program may not
be talking to Kerberos, or that the ticket it has is actually valid;
in the interest of security (through obscurity, alas) I will not
describe a fairly simple mechanism which has been demonstrated to
bypass Kerberos authentication as it is implemented in certain
programs. (Being on the development team now, I hope to plug a few of
these.)

There is little excuse for the Kerberos library to fail to make checks
against this sort of thing. The checks can do no harm, and may plug
holes we haven't even seen yet.

-- Ken