"Garrett D'Amore" <[EMAIL PROTECTED]> writes:
> Such an attack requires great patience, because the cost of repetitively
> connecting sending the password, waiting for the response, etc. can be
> great (in terms of wall clock time, not CPU time).
Repetitively connecting is not necessary. One can make one request
per user and perform the dictionary attack offline. The only
difference to the ypcat situation is one of obscurity--there do not
currently exist to my knowlege widely deployed tools to automate the
attack.
The relevant Kerberos developers know what I'm talking about. I'm not
particularly inclined to publicise the specific information for
developing such automated attack tools.
--
_.John Gardiner Myers Internet: [EMAIL PROTECTED]
LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
