On 1108067146 seconds since the Beginning of the UNIX epoch
"Douglas E. Engert" wrote:
>
>In the future as PKINIT and/or other pre-auths are implemented, you
>may have to send in the first request without any pre-auth just to find
>out what the KDC will accept so you might as well do it now too.

Even today, sending pre-auth without first talking to the KDC is a
bit of a security problem if the client is not properly configured.
E.g. if I send a DES PA_TIMESTAMP, Eve can easily crack my password
regardless of not having DES keys in the KDC. Of course, a MITM can
easily convince me to send a DES PA_TIMESTAMP...

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
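
An added example, not part of the original message: a small audit of the client-side configuration the reply refers to, flagging `[libdefaults]` settings that would let a client use single-DES keys. It assumes MIT krb5's `krb5.conf` syntax and option names; both sample configurations are constructed for illustration.

```python
import re

# Single-DES enctype names (and the "des" family alias) from MIT krb5's enctype list.
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """List the settings that would let this client use single-DES keys."""
    cfg, findings = libdefaults(text), []
    if cfg.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        # A leading "-" removes an enctype from the list; "+" is the same as listing it.
        offered = [n.lstrip("+").lower() for n in re.split(r"[\s,]+", cfg.get(key, ""))
                   if n and not n.startswith("-")]
        weak = [n for n in offered if n in WEAK]
        if weak:
            findings.append(f"{key} offers single-DES: {', '.join(weak)}")
    return findings

# Constructed sample configurations (not taken from the thread).
WEAK_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
"""
HARDENED_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = DEFAULT -des
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no single-DES exposure found")
```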