Re: gnome-keyring Obtaining a TGT without unrestricted access to password.



AFAIK Windows caches the MD4 hash for NTLM, so it can always get rc4-hmac creds -- whether it does this I don't know.

-- Luke

On 16/06/2011, at 3:10 PM, Simo Sorce wrote:

> On Thu, 2011-06-16 at 15:49 +0100, David Woodhouse wrote:
>> AFAICT most Windows sites *don't* set a policy. They just use the
>> standard Windows default of 10-hour/10-day tickets — because it
>> doesn't
>> really make any significant difference to Windows clients, does it?
> 
> They don't really need to because they can obtain a new ticket from
> scratch every time you unlock the screensaver (to which you give your
> password), which is what we do with sssd as well as the password goes
> down the pipe through pam.
> 
> So the case where a 10h/10d policy is not enough is extremely rare.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
> _______________________________________________
> krbdev mailing list             krbdev mit edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

--
Luke Howard / lukeh padl com
www.padl.com / www.lukehoward.com



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]