Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!decwrl!stanford.edu!SIMPACT.COM!cjr
From: cjr@SIMPACT.COM (Chris Riddick)
Newsgroups: comp.protocols.kerberos
Subject: Re: Verifying passwords without getting new tickets
Message-ID: <9105171130.aa04292@nss1.simpact.COM>
Date: 17 May 91 11:30:53 GMT
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 38

You asked if there was a way for Kerberos to be used to authenticate a
principal without getting a new TGT.

First, I'm not sure why you want to do that. The purpose of Kerberos is to
provide that authentication for you. If you are asking the principal to
authenticate himself, then you really need to go through the TGT protocol
again.

Second, the point of the TGT is that it is to be used for future service
ticket requests instead of having to reauthenticate with your password each
time you want another ticket. The benefits are twofold: exposure of your
password is minimized and the user need only log in to the kerberos server
once during the lifetime of the TGT.

If what you are really trying to do is to provide a periodic verification of
the identity of the user at the workstation, then you really should limit
the lifetime of the TGT to that of the authentication period and force the
user to get a new TGT.

The password is an integral part of the Kerberos authentication protocol. It
is used to decrypt the packet with the TGT returned by the Kerberos server.
The protocol is set up to remove the need to send the password over the
wire. Not even an encrypted password goes over the wire. Rather, a complete
encrypted message is sent. This removes the threat of dictionary attacks
against the password itself.

Chris Riddick

Chris Riddick
UUNET:    uunet!nss1!cjr
Internet: nss1!cjr@UUNET.UU.NET
USSnail:  Simpact Associates, Inc.
          12007 Sunrise Valley Drive
          Reston, Virginia 22091
Phone:    703-758-0190 x2156
FAX:      703-758-0941
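The exchange the post describes, as an added example that is not part of the original post and not Kerberos code from any real implementation: a toy model of the AS and TGS exchanges in which the client sends only its principal name, the KDC replies with a message sealed under a key derived from the password, and the TGT carries an expiry so a short lifetime forces re-authentication. The key derivation (PBKDF2), the sealing primitive (a hash-based keystream plus HMAC tag), the `KDC` class and all function names are assumptions made for this illustration; real Kerberos uses its own string-to-key functions and DES/AES-based encryption.

```python
"""Toy model of the Kerberos AS/TGS exchanges (illustrative, not a real implementation)."""
import hashlib
import hmac
import json
import os


def derive_key(password: str, salt: bytes) -> bytes:
    # Stand-in for Kerberos string-to-key: the password never leaves the client,
    # only the derived key is ever used (assumed construction, not real Kerberos).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: XOR keystream + HMAC tag over nonce||ciphertext.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # A wrong password yields a wrong key, so the reply simply fails to open.
        raise ValueError("decryption failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds client keys (never passwords) and the key used to seal TGTs."""

    def __init__(self, tgt_lifetime_seconds: int):
        self.principals = {}
        self.tgs_key = os.urandom(32)
        self.lifetime = tgt_lifetime_seconds

    def register(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password, name.encode())

    def as_exchange(self, name: str, now: int) -> bytes:
        # AS_REQ carries only the principal name; nothing password-derived is sent by the client.
        client_key = self.principals[name]
        session_key = os.urandom(32)
        expires = now + self.lifetime
        tgt = seal(self.tgs_key, json.dumps(
            {"client": name, "session_key": session_key.hex(), "expires": expires}).encode())
        reply = json.dumps(
            {"session_key": session_key.hex(), "expires": expires, "tgt": tgt.hex()}).encode()
        # AS_REP: the whole message is sealed under the client's key.
        return seal(client_key, reply)

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int) -> dict:
        tgt = json.loads(open_sealed(self.tgs_key, tgt_blob))
        if now > tgt["expires"]:
            # Expired TGT: the client must go through the AS exchange (password) again.
            raise PermissionError("TGT expired; re-authenticate with password")
        session_key = bytes.fromhex(tgt["session_key"])
        auth = json.loads(open_sealed(session_key, authenticator))
        if auth["client"] != tgt["client"]:
            raise PermissionError("authenticator does not match TGT")
        return {"client": tgt["client"], "service": service, "issued_at": now}


def client_login(kdc: KDC, name: str, password: str, now: int) -> dict:
    # The password is used only locally, to derive the key that opens AS_REP.
    key = derive_key(password, name.encode())
    reply = json.loads(open_sealed(key, kdc.as_exchange(name, now)))
    return {"name": name, "session_key": bytes.fromhex(reply["session_key"]),
            "tgt": bytes.fromhex(reply["tgt"]), "expires": reply["expires"]}


def client_get_service_ticket(kdc: KDC, creds: dict, service: str, now: int) -> dict:
    # Later requests use the TGT plus an authenticator under the session key, not the password.
    authenticator = seal(creds["session_key"],
                         json.dumps({"client": creds["name"], "time": now}).encode())
    return kdc.tgs_exchange(creds["tgt"], authenticator, service, now)


if __name__ == "__main__":
    kdc = KDC(tgt_lifetime_seconds=3600)
    kdc.register("alice", "constructed-sample-password")
    creds = client_login(kdc, "alice", "constructed-sample-password", now=1000)
    print(client_get_service_ticket(kdc, creds, "rcmd", now=2000))
```

The `now` arguments are passed explicitly rather than read from the clock so the expiry behaviour can be exercised deterministically: a service ticket request after `expires` is refused and the client must run `client_login` again, which is the "limit the TGT lifetime to the authentication period" approach the post recommends.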