Em Thu, Jan 31, 2002 at 10:13:53AM -0600, Douglas E. Engert escreveu: > > Also, I can also just query the kerberos server just like NIS if > > preauthentication is not in place. > > > You just answered your own queation. PREAUTHENTICATION > > The paper if I remember correctly was addressing Kerberos V4. V5 > addresses these problems with preauthentication. Password change protocols
Preauth with a timestamp is not enough either, it doesn't prevent an eavesdropper. Quoting the paper: "Although this [preauth] prevents an attacker from requesting TGTs, it does not protect against an eavesdropper who captures either Ek(t) [sent by the client] or Ek(tgt) [sent by the server, i.e., the reply]. Either of those quantities constitutes verifiable plaintext that can be used to mount a dictionary attack." In fact, I have another paper where a student at a university here made such attacks against W2K, which uses timestamp-preauth. I don't have an URL now, it's at home, sorry. > can force passowrd rules too. Yes, weak passwords will always be a problem. This is a moving target, what is weak today wasn't weak 10 years ago.
