As an aside: On 8/26/2014 1:04 PM, Derek Atkins wrote: > You (or someone) also brought up Kerberos. Kerberos *IS* a key escrow > system. If an attacker breaks into your KDC they literally have all the > keys to your kingdom. Not only can they impersonate anyone, they can go
I operate a Kerberos realm. I am not able to tell my users their passwords. I don't have them. Kerberos stores one-way hashes of users' passwords. I could brute force the database with sufficient time but that is steps removed from having the actual keys in my hands. A bad actor can do quite a bit with a compromised KDC but these things are well known. Steps to prevent compromise are well documented as are steps to identify compromised KDCs and mitigate the damage that they can do. -- Rich P. _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
