On 02/10/2012 04:42 PM, Stephen Frost wrote:
> Ok, thanks. Is the user's long-term key of any value if FAST is
> in place? By that I mean- could I just make it 'password' or
> similar without any security risk..?
I can think of several things to worry about with that:

1. The KDC doesn't currently have a knob to enforce the use of FAST. So it's possible that a legitimate user could authenticate with SAM2 and not FAST. An attacker observing such an authentication could easily decrypt the reply. (A FAST OTP implementation would not have this problem because it won't operate without FAST.)

2. You'd need to make sure to set the requires_hwauth flag on each principal set up this way, or anyone could authenticate using encrypted timestamp and the weak password.

3. If your SecurID deployment doesn't use PINs and uses short token values, using only the one factor to authenticate might make it relatively little work for an attacker to guess a valid user/OTP combination and get tickets.

________________________________________________
Kerberos mailing list  Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
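Point 2 above is the one an administrator can verify mechanically: every principal whose long-term key has been deliberately weakened must carry the REQUIRES_HWAUTH attribute, otherwise encrypted-timestamp preauthentication with the weak password still works. The script below is an added example, not code from the thread or from MIT Kerberos itself; it assumes the text layout that MIT kadmin's "getprinc" prints (a "Principal:" line followed later by an "Attributes:" line listing flags such as REQUIRES_HWAUTH), and the sample output it parses is constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audits kadmin "getprinc"
# output and lists principals that lack the REQUIRES_HWAUTH attribute, i.e.
# principals that could still authenticate with encrypted timestamp alone.

# Read getprinc-style text on stdin; print one principal name per line for
# every principal whose "Attributes:" line does not contain REQUIRES_HWAUTH.
principals_missing_hwauth() {
    awk '
        /^Principal:/  { princ = $2 }
        /^Attributes:/ { if ($0 !~ /REQUIRES_HWAUTH/) print princ }
    '
}

# Constructed sample of what several "getprinc" calls might print. Only
# alice has the hardware-auth requirement set; carol has no attributes at all.
SAMPLE_GETPRINC='Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH REQUIRES_HWAUTH
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Principal: carol@EXAMPLE.COM
Expiration date: [never]
Attributes:
'

# Runs the audit over the constructed sample; returns the offending principals.
check_sample() {
    printf '%s' "$SAMPLE_GETPRINC" | principals_missing_hwauth
}

# Against a live KDC the same filter would be fed by kadmin.local, e.g.
#   kadmin.local -q "getprincs" | while read -r p; do
#       kadmin.local -q "getprinc $p"
#   done | principals_missing_hwauth
# and each reported principal fixed with
#   kadmin.local -q "modprinc +requires_hwauth bob@EXAMPLE.COM"
check_sample
```

The awk filter keys only on the two line prefixes, so extra fields that kadmin prints between them (key data, policy, last-modified) do not affect the result; a principal with an empty "Attributes:" line is reported just like one that merely lacks the flag.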