Re: HEAD's UP: possible 0day SSH exploit in the wild

"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> writes:
> Russ Allbery wrote:

>> But yes, you don't want to get Kerberos tickets on an insecure system.

> I thought tickets only lasted for a small period of time, and could be
> expired early if need be so that you could use them on insecure
> machines.

True, you can get limited-lifetime tickets, which is a bit safer since
any attacker would have to use them right away. If you can get them
without exposing your key material (using PKINIT, for instance), that
could be a possible solution.

You obviously don't want to get password-based tickets from an untrusted
machine.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>