
Re: HEAD's UP: possible 0day SSH exploit in the wild



"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> writes:
> Russ Allbery wrote:

>> But yes, you don't want to get Kerberos tickets on an insecure system.

> I thought tickets only lasted for a small period of time, and could be
> expired early if need be so that you could use them on insecure
> machines.

True, you can get limited-lifetime tickets, which is a bit safer since
any attacker would have to use them right away.  If you can get them
without exposing your key material (using PKINIT, for instance), that
could be a possible solution.

You obviously don't want to get password-based tickets from an untrusted
machine.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

