Re: Proof of authenticity of TGT - Kerberos



Thread: Re: Proof of authenticity of TGT

  1. Re: Proof of authenticity of TGT

    On Aug 22, 2006, at 5:50, Olfmatic wrote:
    > as my service is not part of the Kerberos realm, I am not able to
    > acquire a service ticket for it. My next thought is to use the TGT
    > for authentication at the service.
    > How can this be done? Is the TGT signed with a KDC secret? How can
    > this be obtained from the KDC? If I had the KDC's master key the
    > TGT is encrypted with, I could give it to my service so it can
    > prove the authenticity of the TGT passed to it by my client.


    It may be possible to extract the TGT key from the database, though
    it's not a great idea. If you've got that degree of access, why
    can't you add the service to the realm? And if you're going to use
    the TGT key for some random service, I hope there's nothing else in
    the realm you care about the security of, because if that server (or
    the machine it runs on) can be compromised, everything else in the
    realm would be vulnerable.

    Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Proof of authenticity of TGT

    I understand your warnings. But it is not possible to add the service to the realm, because it is running on a host that is not in the same Windows domain and not in the same Kerberos realm. To be more precise, it is not running in a Kerberos realm at all and thus is not really a Kerberos service.
    So I have to find my own way to authenticate my client to my server. I thought of checking the TGT the client obtains from the KDC.
    Can you tell me how to get the KDC's master key the TGT is encrypted with? Or maybe you have another solution for my problem...

    Thank you for your help.


    -----Original Message-----
    From: raeburn@MIT.EDU [mailto:raeburn@MIT.EDU]
    Sent: Tuesday, 22 August 2006 19:56
    To: Olfmatic
    Cc: kerberos@mit.edu
    Subject: Re: Proof of authenticity of TGT


    On Aug 22, 2006, at 5:50, Olfmatic wrote:
    > as my service is not part of the Kerberos realm, I am not able to
    > acquire a service ticket for it. My next thought is to use the TGT
    > for authentication at the service.
    > How can this be done? Is the TGT signed with a KDC secret? How can
    > this be obtained from the KDC? If I had the KDC's master key the
    > TGT is encrypted with, I could give it to my service so it can
    > prove the authenticity of the TGT passed to it by my client.


    It may be possible to extract the TGT key from the database, though
    it's not a great idea. If you've got that degree of access, why
    can't you add the service to the realm? And if you're going to use
    the TGT key for some random service, I hope there's nothing else in
    the realm you care about the security of, because if that server (or
    the machine it runs on) can be compromised, everything else in the
    realm would be vulnerable.

    Ken


