On Oct 2, 2009, at 04:57, Remi Ferrand wrote: > I'm working with MIT Kerberos5 1.6.3 > > I would like to be able to refresh an existing TGT on my local > machine, without using the KDC. > > My first idea was to decrypt the TGT, modifying its informations > (start time, end time, renewable time) and encrypt it again. > > Is it possible ? > Which key of the KDC do I need to do this little hack ? (the Master > Key K/m...@realm ?)
You would need the key for the krbtgt/[email protected] principal in order to do this. In fact, with that key, you can forge a TGT for any client principal at all, without needing an existing TGT, so if anyone else gets their hands on it, your realm's security is compromised. So unless your local machine is secure enough that you could run a KDC on it, this would be a really bad idea. And even then, running a KDC as root is probably a better idea than leaving the TGS key sitting around accessible under your regular account. Ken ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
