[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mod_auth_kerb and Heimdal KDC

To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Subject: Re: mod_auth_kerb and Heimdal KDC
From: joda@pdc.kth.se (Johan Danielsson)
Date: 22 Aug 2002 17:51:30 +0200
Cc: Daniel Kouril <kouril@ics.muni.cz>, Tillman Hodgson <tillman@seekingfire.com>, heimdal-discuss <heimdal-discuss@sics.se>
In-Reply-To: Ken Hornstein's message of "Thu, 22 Aug 2002 10:12:28 -0400"
References: <200208221412.g7MECTQe028782@ginger.cmf.nrl.navy.mil>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> I sure hope your Kerberos implementation includes a replay cache
> ... if it does, then this can't happen.

I think this is just a workaround for broken protocols. Require the
client (and server) to use the session key, and you're pretty safe.

Even if you can't replay old creds, you can still hi-jack the session.

/Johan

Follow-Ups:
- Re: mod_auth_kerb and Heimdal KDC
  - From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

References:
- Re: mod_auth_kerb and Heimdal KDC
  - From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

Prev by Date: Re: mod_auth_kerb and Heimdal KDC
Next by Date: Re: mod_auth_kerb and Heimdal KDC
Prev by thread: Re: mod_auth_kerb and Heimdal KDC
Next by thread: Re: mod_auth_kerb and Heimdal KDC
Index(es):
- Date
- Thread