Hi,

This question is interesting and leads me to another one:
As the KDC sends a ticket to the client when trying to authenticate
(something which should be decrypted using the user's password), is it
possible to brute force this initial ticket locally?

Mathias

2017-08-15 3:29 GMT+02:00 Andrew Bartlett via samba <samba at lists.samba.org>:

> On Mon, 2017-08-14 at 20:26 -0400, Daniel Benoy via samba wrote:
> > It does, thanks.
> >
> > So if the password is known, or the KDC compromised, then in
> > principle MITM becomes possible?
>
> Yes.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba

On Fri, 2017-08-18 at 14:57 +0200, mathias dufresne wrote:

> Hi,
>
> This question is interesting and leads me to another one:
> As the KDC sends a ticket to the client when trying to authenticate
> (something which should be decrypted using the user's password), is it
> possible to brute force this initial ticket locally?

Yes. You can also brute force the ticket given to the server, if the
server has a weak password (we hope not).

FAST is a Kerberos extension designed to avoid that, by first
authenticating the workstation to the KDC, and then using a tunnel
created with that stronger password for your user ticket exchange.

Samba's Heimdal doesn't support that (modern versions do), but MIT does
and this is part of the motivation for a move to MIT Kerberos.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi,

A bit late, I was on vacation, but thank you a lot for this detailed
explanation Andrew.

Greetings,

mathias

2017-08-18 22:04 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Fri, 2017-08-18 at 14:57 +0200, mathias dufresne wrote:
> > Hi,
> >
> > This question is interesting and leads me to another one:
> > As the KDC sends a ticket to the client when trying to authenticate
> > (something which should be decrypted using the user's password), is it
> > possible to brute force this initial ticket locally?
>
> Yes. You can also brute force the ticket given to the server, if the
> server has a weak password (we hope not).
>
> FAST is a Kerberos extension designed to avoid that, by first
> authenticating the workstation to the KDC, and then using a tunnel
> created with that stronger password for your user ticket exchange.
>
> Samba's Heimdal doesn't support that (modern versions do), but MIT does
> and this is part of the motivation for a move to MIT Kerberos.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba