Re: Can Kerberos be cracked??

From: Robin Garner (robin.garner@crsrehab.gov.au)
Date: 11/01/01


Date: 1 Nov 2001 06:58:33 -0000
Message-ID: <20011101065833.5120.qmail@mail.securityfocus.com>
From: Robin Garner <robin.garner@crsrehab.gov.au>
To: focus-ms@securityfocus.com
Subject: Re: Can Kerberos be cracked??


Mailer: SecurityFocus
In-Reply-To: <000901c15b5a$b0c17fe0$0b00010a@lauradominion.com>

One recent paper on cracking Kerberos is

"A Real-World Analysis of Kerberos Password Security"
Thomas Wu, Computer Science Department
Stanford University

http://citeseer.nj.nec.com/418833.html

http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/wu.pdf

Wu manages to crack over 2,000 passwords from a
user population of 25,000 on the Stanford Kerberos
v4 network in a 2-week period. He notes that the
pre-authentication in Krb v5 strengthens the
authentication exchange somewhat, but the same
attack is possible; simply more time-consuming.

Robin


