Subject: Kerberos and pre-auth
A recent email from a Kerberos discussion group - it mentions the need for pre-auth so I thought you might be interested.

Tim.

-----Original Message-----
From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On Behalf Of Jeffrey Altman
Sent: 04 June 2004 13:39
To: kerberos@MIT.EDU
Subject: Re: about step-by-step guide to Kerberos 5 Interoperability

Lara Adianto wrote:
> 1. ksetup /setmachpassword password
> If we don't do this, the user can't login although on
> the KDC site, it seems that AS-REQ is being granted.
> Why ?
>
> 2. Why do I need to add the user in the local machine
> (windows) in order for it to be able to authenticate
> to MIT KDC, although actually the username (or the
> principal in this case) is already added in the KDC ?

If pre-authentication is not being used it is possible for anyone to obtain a TGT for any principal; all you must do is ask the KDC for one and it will send it. The TGT is encrypted in the long term key of the principal and it is assumed that only the individual that knows that long term key can decrypt it. (Naive assumption, which is why pre-authentication should be required.)

The machine you are logging into does not know whether or not pre-authentication was used to obtain the TGT. The user who obtains the TGT must authenticate herself to the machine. This requires an AS_REQ exchange in order to obtain a service ticket authenticating the user principal to the machine. Simply obtaining the Service Ticket does not prove authentication. The machine must be able to decrypt it and perform a mutual authentication proof using the knowledge provided within.

The ksetup set machine password command performs the Windows equivalent of providing a keytab on Unix. It gives the machine access to its long term key so that it is capable of decrypting the service ticket the user will present during an authentication at login.
Jeffrey Altman
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
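The two points in the reply above (why the KDC should require pre-authentication, and why the workstation needs its own long-term key before a service ticket proves anything) can be seen in a small simulation. The following Python is an added illustration, not code from the post and not real Kerberos: the cipher is a hypothetical stand-in (HMAC keystream XOR plus a MAC) that only serves to show who can open which ticket, the `require_preauth` flag, the principal names and the passwords are constructed for the example, and the pre-authentication check models PA-ENC-TIMESTAMP (a fresh timestamp encrypted in the client's long-term key) with a five-minute skew window. The error names KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED are the real Kerberos error codes for those two conditions.

```python
"""Toy model of the Kerberos AS exchange and the workstation login step.

Added illustration, not the mailing-list author's code and not real Kerberos.
The cipher below is a hypothetical stand-in; real Kerberos uses RFC 3961 enctypes.
"""
import hashlib
import hmac
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key: a long-term key derived from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong (the tag check fails)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, require_preauth: bool):
        self.require_preauth = require_preauth  # constructed policy flag for the example
        self.keys = {}  # principal database: name -> long-term key

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = string_to_key(password, name)

    def as_exchange(self, client: str, padata=None) -> bytes:
        """AS-REQ -> AS-REP: the TGT, encrypted in the client's long-term key.

        With pre-authentication required, the requester must first present
        PA-ENC-TIMESTAMP, proving knowledge of the key before any
        key-encrypted material is handed out.
        """
        key = self.keys[client]
        if self.require_preauth:
            if padata is None:
                raise PermissionError("KDC_ERR_PREAUTH_REQUIRED")
            try:
                ts = int(decrypt(key, padata).decode())
            except ValueError:
                raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None
            if abs(time.time() - ts) > 300:  # clock-skew tolerance
                raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        return encrypt(key, f"TGT for {client}".encode())

    def tgs_exchange(self, client: str, service: str) -> bytes:
        """Simplified TGS exchange: a service ticket encrypted in the service's key."""
        return encrypt(self.keys[service], f"ticket: {client} -> {service}".encode())


class Workstation:
    """Holds its long-term key only after ksetup /setmachpassword (a keytab on Unix)."""

    def __init__(self, name: str, machine_key=None):
        self.name, self.machine_key = name, machine_key

    def login(self, service_ticket: bytes) -> bool:
        if self.machine_key is None:
            return False  # a ticket the machine cannot decrypt proves nothing
        try:
            decrypt(self.machine_key, service_ticket)
        except ValueError:
            return False
        return True


def anonymous_request_gets_tgt(require_preauth: bool) -> bool:
    """Does a requester who knows nothing about the password receive the encrypted TGT?"""
    kdc = KDC(require_preauth)
    kdc.add_principal("lara", "constructed-sample-password")
    try:
        kdc.as_exchange("lara")  # bare AS-REQ, no pre-authentication data
        return True
    except PermissionError:
        return False


def user_gets_tgt(password: str) -> bool:
    """With pre-auth required, only knowledge of the right password yields a TGT."""
    kdc = KDC(require_preauth=True)
    kdc.add_principal("lara", "constructed-sample-password")
    padata = encrypt(string_to_key(password, "lara"), str(int(time.time())).encode())
    try:
        kdc.as_exchange("lara", padata)
        return True
    except PermissionError:
        return False


def login_works(machine_has_key: bool) -> bool:
    """The workstation accepts the service ticket only if it holds its own key."""
    kdc = KDC(require_preauth=True)
    kdc.add_principal("lara", "constructed-sample-password")
    kdc.add_principal("host/ws1", "constructed-machine-password")
    ws = Workstation("host/ws1", kdc.keys["host/ws1"] if machine_has_key else None)
    return ws.login(kdc.tgs_exchange("lara", "host/ws1"))
```

The KDC behaviour on the `require_preauth=False` path is exactly the property the reply warns about: the encrypted TGT is released to whoever asks, so the only protection is the strength of the long-term key. On the `True` path the KDC refuses until the requester has proven knowledge of the key. `login_works(False)` is Lara's first question in miniature: the KDC happily issues the ticket, but the machine without its key cannot decrypt it, so the login fails.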