[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPNEGO, gssapi examples, keytab, cracking passwords, ...

Suffice it to say that I do not have all the answers :)

On 10/8/05, Michael B Allen <mba2000@ioplex.com> wrote:
> 6) What is Vno in the ktutil list output?

The kvno (key version number) increases with every password/key
change. You'll probably want to make sure your keytabs keep the
correct key and kvno when talking to the KDC. Otherwise, things are
likely out of sync.

> 7) Is there a good document that describes how principals are to be
> managed? I'm confused as to what principals need to be exported to
> the keytab.

The keytab is primarily for automated purposes of authentication. Such
as servers or services that need to authenticate themselves or deal
with session keys dealt out by the KDC. This is one of the reasons why
you should keep that file in a secure location (and be careful about
its backups).

> 8) If a ticket is encrypted with the principal's secret key, then
> couldn't I get a ticket for any user and do an offline dictionary attack
> on the password?

To prevent such guessing, you have the option of deploying
pre-authentication. In that way, the KDC only sends out a TGT to users
that provide proof of their identity with the request. Usually, this
means that the client sends along a timestamp encrypted with the
principal's secret key, which the KDC kan decrypt for verification (as
it has that key on record).

Once the pre-authentication data is succesfully decrypted, the KDC
sends out a TGT. This is a Kerberos 5 feature; it's not present in
Kerberos 4. You can a the pre-authentication attribute to your
principals or mandate it for your realm in the configuration file.

Hope this helps,


If you don't know where you're going, any road will get you there.