Hi HJ, Thanks!
> The plain network traffic between client and KDC is vulnerable to
> dictionary attacks on weak user passwords.

If I understand you correctly, you are saying that the packets themselves provide information suitable to build dictionary attacks, and unlike the KDC which could fend off heavy queries, this is not the case after a login packet has been observed. Please forgive me for not knowing the protocols yet -- it's only been 3 (intensive) weeks of Kerberos for me.

This sounds like an SRP-based scheme would make a lot of sense to the exchange with the KDC. Except that it isn't standardised AFAIK, and TLS is. Your point is clear.

> There are already tunneling mechanisms available for MIT Kerberos
> like PKINIT and FAST but I find them rather complicated to implement.

Are you missing documentation perhaps? Wouldn't surprise me, I've also missed guidance.

> TLS would make things definitely easier. The GNU Kerberos solution
> shishi has support for TLS for example.

TLS makes things easier to administer, except for certificate juggling and modern DANE requirements, but I don't like its footprint of network traffic and verification time. That's the reason I asked -- curiosity about pros.

Thanks,

Rick van Rein
OpenFortress

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
