
security-services message



Subject: Kerberos and pre-auth


A recent email from a Kerberos discussion group - it mentions the need
for pre-auth so I thought you might be interested.

Tim.

-----Original Message-----
From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On
Behalf Of Jeffrey Altman
Sent: 04 June 2004 13:39
To: kerberos@MIT.EDU
Subject: Re: about step-by-step guide to Kerberos 5 Interoperability

Lara Adianto wrote:
> 1. ksetup /setmachpassword password
> If we don't do this, the user can't login although on
> the KDC site, it seems that AS-REQ is being granted.
> Why?
> 
> 2. Why do I need to add the user in the local machine
> (windows) in order for it to be able to authenticate
> to MIT KDC, although actually the username (or the
> principal in this case) is already added in the KDC ?

If pre-authentication is not being used, it is possible
for anyone to obtain a TGT for any principal; all you
must do is ask the KDC for one and it will send it.
The TGT is encrypted in the long term key of the principal
and it is assumed that only the individual who knows
that long term key can decrypt it.  (A naive assumption,
which is why pre-authentication should be required.)

The machine you are logging into does not know whether
or not pre-authentication was used to obtain the TGT.
The user who obtains the TGT must authenticate herself
to the machine.  This requires an AS_REQ exchange in
order to obtain a service ticket authenticating the
user principal to the machine.  Simply obtaining the
Service Ticket does not prove authentication.  The
machine must be able to decrypt it and perform a
mutual authentication proof using the knowledge
provided within.

The ksetup set machine password command performs the
Windows equivalent of providing a keytab on Unix.  It
gives the machine access to its long term key so that
it is capable of decrypting the service ticket the user
will present during an authentication at login.

Jeffrey Altman
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
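The following is an added example, not part of Tim's or Jeffrey Altman's messages: a toy Python model of the AS exchange that shows the difference Jeffrey describes. Without pre-authentication the KDC answers any AS-REQ with a reply whose encrypted part only the principal's long-term key can open, so the KDC has handed out key-derived material without any proof of identity; with pre-authentication required, the KDC refuses until the client proves it holds that key by sending a fresh encrypted timestamp. The realm EXAMPLE.ORG, the principals and passwords, and the HMAC-SHA256-based stand-in for a real Kerberos enctype are all constructed assumptions; the message layout is simplified.

```python
"""Toy model of the Kerberos AS exchange with and without pre-authentication.

Added example. seal()/open_sealed() are a stand-in for a real enctype
(keystream XOR plus MAC), and the KDC database is an in-memory dict.
"""
import hashlib
import hmac
import os
import time

ALLOWED_SKEW = 300  # seconds; KDCs tolerate a small clock skew in PA-ENC-TIMESTAMP


def string_to_key(password, realm, principal):
    """Derive a principal's long-term key from its password (stand-in for string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10000)


def _keystream(key, nonce, length):
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return stream[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || MAC."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Inverse of seal(); returns None when the key is wrong (MAC mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm, passwords, require_preauth):
        self.realm = realm
        self.require_preauth = require_preauth
        # Principal database: name -> long-term key.
        self.keys = {p: string_to_key(pw, realm, p) for p, pw in passwords.items()}
        self.tgs_key = os.urandom(32)  # krbtgt long-term key

    def as_req(self, client, padata=None, now=None):
        """Handle an AS-REQ; return an AS-REP dict or an error dict."""
        now = int(time.time()) if now is None else now
        key = self.keys.get(client)
        if key is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        if self.require_preauth:
            if padata is None:
                # The client has not yet proved it knows the long-term key.
                return {"error": "KDC_ERR_PREAUTH_REQUIRED"}
            ts = open_sealed(key, padata)  # PA-ENC-TIMESTAMP stand-in
            if ts is None or abs(now - int(ts)) > ALLOWED_SKEW:
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
        session_key = os.urandom(32)
        ticket = seal(self.tgs_key, b"tgt:" + client.encode() + b":" + session_key)
        enc_part = seal(key, b"session:" + session_key)  # only the client key opens this
        return {"ticket": ticket, "enc_part": enc_part}


def make_padata(key, now=None):
    """Client side: encrypt the current time under the client's long-term key."""
    now = int(time.time()) if now is None else now
    return seal(key, str(now).encode())


REALM = "EXAMPLE.ORG"  # constructed sample realm and principals
PASSWORDS = {"alice": "correct horse", "host/ws1.example.org": "machine-secret"}


def demo_without_preauth():
    """The KDC answers an unauthenticated AS-REQ; only alice's key opens the reply."""
    kdc = KDC(REALM, PASSWORDS, require_preauth=False)
    rep = kdc.as_req("alice")
    right = string_to_key("correct horse", REALM, "alice")
    wrong = string_to_key("wrong guess", REALM, "alice")
    return {
        "kdc_answered": "enc_part" in rep,
        "right_key_opens": open_sealed(right, rep["enc_part"]) is not None,
        "wrong_key_opens": open_sealed(wrong, rep["enc_part"]) is not None,
    }


def demo_with_preauth():
    """With pre-auth required the KDC only answers a request carrying a fresh, valid timestamp."""
    kdc = KDC(REALM, PASSWORDS, require_preauth=True)
    now = int(time.time())
    right = string_to_key("correct horse", REALM, "alice")
    wrong = string_to_key("wrong guess", REALM, "alice")
    return {
        "no_padata": kdc.as_req("alice", now=now).get("error"),
        "wrong_key": kdc.as_req("alice", make_padata(wrong, now), now).get("error"),
        "stale": kdc.as_req("alice", make_padata(right, now - 3600), now).get("error"),
        "valid": "enc_part" in kdc.as_req("alice", make_padata(right, now), now),
    }


if __name__ == "__main__":
    print(demo_without_preauth())
    print(demo_with_preauth())
```

The stale-timestamp case is why the real PA-ENC-TIMESTAMP carries a time rather than a fixed value: a captured pre-auth blob cannot be replayed outside the skew window. On an MIT KDC the policy Jeffrey recommends is set per principal with kadmin (`modprinc +requires_preauth <principal>`), and the second half of his answer, the machine's own key, is the keytab (or, on Windows, the ksetup machine password) that lets the host open the service ticket the user presents at login.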