Jacobo, * Jacobo Vazquez (jvazq...@denodo.com) wrote: > Am I misunderstanding something or is this the expected behavior? This > not means a replay attack risk? I think that if SSL is not used by the > connection, a malicious user could capture the authentication package which > the client service ticket and then reuse it.
It's not entirely clear to me what you're getting at here, but Kerberos service tickets are *intended* to be re-used up until they are invalid due to their lifetime limit. That's why they have a lifetime. If you don't want them to be reused, make their lifetime very short, but you'll end up creating a huge additional load on your KDC that way for very little gain.. Note that this is entirely independent of a replay attack risk, which is addressed by the resource server checking if the timestamp in the authenticator being provided is the same as the last one (it should be denied if it is). Further, the timestamp in the authenticator has to be within 5 minutes or it'll also be denied. Thanks, Stephen
signature.asc
Description: Digital signature