Ben H <[email protected]> writes:

> Based on your prior explanation I can't help but infer this means that
> although the new forwardable TGT session key may be different than my
> original TGT, it is still shared between all hosts that I delegate to,
> leading to a possible attack against all systems should one be
> compromised? Is this the reason that MIT chooses to request a new TGT
> for each connection?

A new delegated TGT is retrieved for each delegation normally because the receiving host's IP address is (well, can be -- see below) encoded in the ticket. Kerberos tickets encode the host that is supposed to have the ticket... except that this has become essentially useless on the modern Internet with NAT, and it never provided much in the way of security anyway. So there are some vestiges of support for that behavior around, but basically everyone disables addresses in tickets.

Windows probably realizes that the tickets are addressless and therefore doesn't bother to get another delegated ticket. (You still have to do it once to get a ticket with the correct flags.)

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
